Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 451877 - unconfined_execmem_exec_t needed for several GHC-built Haskell binaries
Summary: unconfined_execmem_exec_t needed for several GHC-built Haskell binaries
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 452440
TreeView+ depends on / blocked
 
Reported: 2008-06-17 22:30 UTC by Bryan O'Sullivan
Modified: 2009-06-02 03:58 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-13 14:06:17 UTC


Attachments (Terms of Use)

Description Bryan O'Sullivan 2008-06-17 22:30:45 UTC
The following Haskell programs, built by GHC, need unconfined_execmem_exec_t
added to the SELinux policies:

/usr/bin/haddock
/usr/bin/haddock-0.9
/usr/bin/hasktags
/usr/bin/runghc
/usr/bin/runhaskell
/usr/libexec/ghc-*/ghc-6.8.[0-9]
/usr/libexec/ghc-*/ghc-pkg.bin
/usr/libexec/ghc-*/hsc2hs-bin

Comment 1 Bryan O'Sullivan 2008-06-17 22:33:35 UTC
Tibbs suggests that Haddock doesn't need to be blocked on this.

Comment 2 Daniel Walsh 2008-06-22 10:55:05 UTC
Why doesn't haddock fix their code to not need execmem?

Is this java or mono?

What does haddock need both executable and writeable memory at the same time?

Comment 3 Jens Petersen 2008-06-22 22:59:27 UTC
(In reply to comment #2)
> Is this java or mono?

Haskell ;)


Comment 4 Bryan O'Sullivan 2008-06-23 02:07:40 UTC
The runtime system for programs compiled by GHC generates code dynamically and
executes it.

The interaction with SELinux's enforcing mode is a known problem, which was
previously addressed with a hack: the %post scripts for Haskell programs were
using chcon to add unconfined_exec_mem_t.  This obviously didn't work in lots of
circumstances, hence wanting to apply the policy properly.

The underlying problem, namely the way GHC allocates memory that it intends to
execute dynamically, should be fixed within the next six months or so.  See
http://hackage.haskell.org/trac/ghc/ticket/738 for details.

Comment 5 Daniel Walsh 2008-07-02 17:46:12 UTC
Fixed in selinux-policy-3.3.1-74.fc9.noarch

Comment 6 Bill Nottingham 2008-10-24 20:08:23 UTC
Can Haskell users verify this and close the bug if it's fixed?

Comment 7 Jens Petersen 2009-01-21 00:37:35 UTC
I started a comment long ago (which was then lost by a browser crash or restart)...

Basic summary is most (all) haskell programs shipped can run now in enforcing.
However there have been a number of path changes that should probably be updated
in selinux-policy.  I can help to do that.

Currently the changes needed are being done for that at install time.

Comment 8 Daniel Walsh 2009-01-26 16:46:20 UTC
What are the paths?

Comment 9 Jens Petersen 2009-06-02 03:57:39 UTC
I tested in F11 and it seems AFAICT the %post stuff we have is no longer needed for ghc executables so I am removing it for f12.


Note You need to log in before you can comment on or make changes to this bug.