I think "text relocation" has something to do with the way a dynamic library
is compiled and/or loaded.  This is not something which Protocol Buffers
asks for specifically -- either libtool, your linker, or your binary loader
chose to use this feature without being asked for it.  It seems that SELinux
feels that text relocation is risky because it means that the library image
in memory is both executable and writable, which presumably makes it easier
to exploit buffer overruns -- but first a buffer overrun has to exist,
independently.  So this isn't a security hole in itself; it's just something
that could hypothetically make some other security hole more exploitable.
Possible solutions:
* Compile protobuf with static linking only.  (configure --disable-shared)
* Figure out how to compile protobuf with "text relocation" disabled, and do
that.  (Maybe CFLAGS=-fPIC will do it?  But note that this will make the
code a bit slower.)
* Tell your OS to allow text relocation for protoc because protoc does not
process data from potentially malicious users and therefore is not a
security risk.

On Fri, Jul 31, 2009 at 6:43 PM, hw...@gear6.com <hw...@gear6.com> wrote:

>
> A question on the right behavior of libprotoc.so.4.0.0.
>
> On a CentOS 5.1, I downloaded and installed the latest protocol buffer
> 2.1. Make check runs fine. Then when I tried to do make under the ./
> example directory, SELinux reports that "protoc attempted to load /usr/
> local/lib/libprotoc.so.4.0.0 which requires text relocation. This is a
> potential security problem. "
>
> The command I run is simply:
> protoc --cpp_out=. addressbook.proto
>
> which reports from CLI that "cannot restore segment proc after reloc:
> Permission Denied"
>
> While I don't believe the code has malicious intention, I'm just curious
> whether this "text relocation" inside libprotoc.so.4.0.0 is correct
> behavior. I hesitate to allow this exception in SELinux before I
> get confirmation.
>
> Thanks,
> Hank
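Before choosing between the options above, it helps to confirm whether a given library actually requires text relocations; the check below is an added example, not code from this thread or from protobuf. It reads the PT_DYNAMIC segment of an ELF64 shared object and reports whether the loader will see DT_TEXTREL (or the DF_TEXTREL bit in DT_FLAGS), which is exactly what triggers the SELinux execmod denial quoted in the question; `build_elf` is a hypothetical fixture that constructs a minimal ELF so the script can be exercised without a real library.

```python
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4  # DT_FLAGS bit newer linkers set instead of a DT_TEXTREL entry


def dynamic_entries(elf):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    e_phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(e_phnum):
        ph = struct.unpack_from(end + "IIQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(p_offset, p_offset + p_filesz - 15, 16):  # 16-byte entries
            d_tag, d_val = struct.unpack_from(end + "qQ", elf, pos)
            if d_tag == DT_NULL:  # terminator of the dynamic array
                return
            yield d_tag, d_val
        return


def has_textrel(elf):
    """True if the object needs text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS)."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(elf))


def build_elf(dyn):
    """Constructed minimal ET_DYN ELF64 with one PT_DYNAMIC segment (test fixture only)."""
    body = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, little-endian, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(body), len(body), 8)
    return hdr + phdr + body  # dynamic segment starts at offset 64 + 56 = 120


if __name__ == "__main__":
    # Real library: python3 textrel_check.py /usr/local/lib/libprotoc.so.4.0.0
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
        print("TEXTREL required" if has_textrel(data) else "no text relocations")
    else:
        print(has_textrel(build_elf([(DT_FLAGS, DF_TEXTREL)])))  # constructed fixture
```

On a live system `readelf -d libprotoc.so.4.0.0 | grep TEXTREL` gives the same answer; an object rebuilt with -fPIC should come back clean, which is the confirmation worth having before adding an SELinux exception.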

