On Tue, 22 Feb 2005 21:43:21 -0500, Ivan Gyurdiev wrote:
> The inkscape binary is marked with PT_GNU_STACK RWE. This creates problems for the SELinux strict policy, and requires that special privileges be granted for inkscape as a "legacy domain".

Interesting, I thought SELinux was orthogonal to the execstack stuff.

> The question is, does inkscape really require an executable stack?

Almost certainly the answer is no.

> I'm not a gcc expert of any kind, but from what I've read I understand that asm code causes gcc to mark the binary as requiring executable stack. I think it can be overridden with ld -z noexecstack.

What version of GCC are you using? AFAIK assembly has not triggered PT_GNU_STACK generation for a while now, but you'd have to check with Ingo Molnar. I'm not sure it's wise to override GCC's heuristics though.

> It would be a lot easier to write the inkscape security policy if it didn't require executable stack.

Can't you just tell SELinux not to care about executable stacks? You can still restrict reads/writes. Though given that Inkscape has to be able to save files pretty much anywhere, I'm not sure how much you can really lock it down.
thanks -mike
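The thread turns on one fact about the binary: the flags in its PT_GNU_STACK program header, which is what `readelf -lW inkscape | grep GNU_STACK` prints and what the kernel and SELinux's execstack check look at. The script below is an added example, not code from the thread or from the Inkscape or SELinux projects: it parses that program header directly for ELF32 and ELF64, reports it in readelf's RWE notation, and builds a constructed header-only ELF sample so it runs offline. Function names (`gnu_stack_flags`, `needs_exec_stack`, `build_minimal_elf`) are this example's own.

```python
"""Added example (not from the thread): read PT_GNU_STACK from an ELF file.

Reproduces what `readelf -lW binary | grep GNU_STACK` reports; this is the
program header the kernel, and SELinux's execstack check, consult to decide
whether the process stack must be mapped executable.
"""
import struct
import sys
from typing import Optional

PT_GNU_STACK = 0x6474E551          # p_type of the GNU stack marker
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return the p_flags of the PT_GNU_STACK header, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                       # ELF64: p_flags directly after p_type
        ehdr_fmt = endian + "16sHHIQQQIHHHHHH"
        phdr_fmt = endian + "IIQQQQQQ"      # p_type, p_flags, p_offset, ...
        flags_idx = 1
    elif ei_class == 1:                     # ELF32: p_flags sits after p_memsz
        ehdr_fmt = endian + "16sHHIIIIIHHHHHH"
        phdr_fmt = endian + "IIIIIIII"      # p_type, p_offset, ..., p_flags, p_align
        flags_idx = 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return phdr[flags_idx]
    return None


def describe_stack(flags: Optional[int]) -> str:
    """'RWE'-style string as readelf prints it; 'absent' when there is no marker."""
    if flags is None:
        return "absent"
    return ("R" if flags & PF_R else "") + ("W" if flags & PF_W else "") + ("E" if flags & PF_X else "")


def needs_exec_stack(data: bytes) -> bool:
    """True when the loader would give this binary an executable stack.
    A missing marker is treated as executable: that is the historical kernel
    default on x86 for binaries built before PT_GNU_STACK existed, and it is
    exactly the "legacy" case the SELinux policy has to special-case."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_minimal_elf(stack_flags: Optional[int], elf_class: int = 2) -> bytes:
    """Constructed sample input (not a real binary): a header-only ELF, just
    enough for the parser, with zero or one PT_GNU_STACK program header."""
    if elf_class == 2:
        ehdr_fmt, phdr_fmt, ehsize, phentsize, machine = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", 64, 56, 62
        phdr = b"" if stack_flags is None else struct.pack(phdr_fmt, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ehdr_fmt, phdr_fmt, ehsize, phentsize, machine = "<16sHHIIIIIHHHHHH", "<IIIIIIII", 52, 32, 3
        phdr = b"" if stack_flags is None else struct.pack(phdr_fmt, PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    e_ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + bytes(8)   # class, little-endian, version 1
    ehdr = struct.pack(ehdr_fmt, e_ident, 2, machine, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(phdr) // phentsize, 0, 0, 0)
    return ehdr + phdr


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(f"{path}: GNU_STACK {describe_stack(gnu_stack_flags(data))}"
              f" -> {'executable' if needs_exec_stack(data) else 'non-executable'} stack")
```

Run it as `python3 check_gnu_stack.py /usr/bin/inkscape` and compare with `readelf -lW`. On the build side, GNU ld marks the output RWE whenever any input object lacks a `.note.GNU-stack` section, which is why a single hand-written `.s` file without `.section .note.GNU-stack,"",@progbits` is enough to flip the whole binary; `-Wl,-z,noexecstack` at link time overrides that inference, but it is only safe once you have confirmed that no trampoline or JIT-style code in the program actually executes from the stack.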