Bug 134129 - avc: denied {execmem} with SELinux on ppc
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: PPC Linux
Importance: High normal
Assignee: SE Linux Bugs
Reported: 2006-05-23 10:05 UTC by Jan Meier
Modified: 2011-07-22 10:39 UTC
Description Jan Meier 2006-05-23 10:05:20 UTC
Hello,

I am running SELinux and at boot time I get the following avc: denied { execmem } error messages:

May 23 19:55:24 jeeves audit(1148406924.469:0): avc:  denied  { execmem } for  pid=5232 comm=rc scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
May 23 19:55:24 jeeves audit(1148406924.470:0): avc:  denied  { execmem } for  pid=5232 comm=rc scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
May 23 19:55:24 jeeves audit(1148406924.586:0): avc:  denied  { execmem } for  pid=5238 comm=consoletype scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:consoletype_t tclass=process
May 23 19:57:15 jeeves audit(1148407003.342:0): avc:  denied  { execmem } for  pid=853 comm=10-udev.hotplug scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process
May 23 19:57:15 jeeves audit(1148407004.110:0): avc:  denied  { execmem } for  pid=1 comm=init scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
May 23 19:57:15 jeeves audit(1148407004.635:0): avc:  denied  { execmem } for  pid=896 comm=rc scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
May 23 19:57:15 jeeves audit(1148407004.918:0): avc:  denied  { execmem } for  pid=898 comm=consoletype scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:consoletype_t tclass=process
May 23 19:57:15 jeeves audit(1148407005.216:0): avc:  denied  { execmem } for  pid=904 comm=mount scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=process
May 23 19:57:15 jeeves audit(1148407005.699:0): avc:  denied  { execmem } for  pid=934 comm=swapon scontext=system_u:system_r:fsadm_t tcontext=system_u:system_r:fsadm_t tclass=process
May 23 19:57:15 jeeves audit(1148407006.734:0): avc:  denied  { execmem } for  pid=974 comm=modules-update scontext=system_u:system_r:update_modules_t tcontext=system_u:system_r:update_modules_t tclass=process
May 23 19:57:15 jeeves audit(1148407019.054:0): avc:  denied  { execmem } for  pid=3900 comm=depmod scontext=system_u:system_r:depmod_t tcontext=system_u:system_r:depmod_t tclass=process
May 23 19:57:15 jeeves audit(1148407026.221:0): avc:  denied  { execmem } for  pid=3961 comm=restorecon scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:restorecon_t tclass=process
May 23 19:57:15 jeeves audit(1148407032.585:0): avc:  denied  { execmem } for  pid=4450 comm=ifconfig scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=process
May 23 19:57:15 jeeves audit(1148407035.120:0): avc:  denied  { execmem } for  pid=4667 comm=hotplug scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process
May 23 19:57:59 jeeves audit(1148407079.575:0): avc:  denied  { execmem } for  pid=5181 comm=bash scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=process

I tried to get rid of the problem by doing an emerge -euDN world with gcc-3.4.5, but this did not help.

emerge --info:

Portage 2.0.54-r2 (selinux/2005.1/ppc, gcc-3.4.5, glibc-2.3.6-r3, 2.6.11-hardened-r15 ppc)
=================================================================
System uname: 2.6.11-hardened-r15 ppc 740/750
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5, 2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r4
ACCEPT_KEYWORDS="ppc"
AUTOCLEAN="yes"
CBUILD="powerpc-unknown-linux-gnu"
CFLAGS="-O2 -mtune=powerpc -pipe"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mtune=powerpc -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox selinux sfperms strict"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ "
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alsa apache2 audiofile berkdb bzip2 cgi crypt dba esd expat fam force-cgi-redirect gd gif imlib java jpeg libwww memlimit mhash mpm-worker mysql ncurses nls pam pcre perl php png ppc python readline selinux sockets ssl tcpd threads tiff truetype udev unicode xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS, PORTDIR_OVERLAY
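The denial lines above can be triaged mechanically. The script below is added here as an example (it is not the reporter's or Gentoo's code); it parses this older audit line format, keeps only execmem denials a domain raised against its own process, and groups them by source domain, which is how one sees that init, mount and an interactive shell are all affected. The four sample records are copied from the report above.

```python
import re

# Constructed sample: four of the audit lines from the report above, verbatim.
SAMPLE_LINES = [
    "May 23 19:55:24 jeeves audit(1148406924.469:0): avc:  denied  { execmem } for  pid=5232 comm=rc scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process",
    "May 23 19:57:15 jeeves audit(1148407004.110:0): avc:  denied  { execmem } for  pid=1 comm=init scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process",
    "May 23 19:57:15 jeeves audit(1148407005.216:0): avc:  denied  { execmem } for  pid=904 comm=mount scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=process",
    "May 23 19:57:59 jeeves audit(1148407079.575:0): avc:  denied  { execmem } for  pid=5181 comm=bash scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=process",
]

# Old-style (2.6.11-era) AVC record: syslog prefix, audit(secs.ms:serial), verdict,
# the permission set in braces, then space-separated key=value fields.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>granted|denied)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "verdict": m["verdict"], "perms": m["perms"].split()}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    # The type component of an SELinux context is the third colon-separated field.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["tdomain"] = rec["tcontext"].split(":")[2]
    return rec

def execmem_by_domain(lines):
    """Map each source domain that was denied execmem on its own process to the
    sorted commands that triggered it. Many unrelated domains (init, mount, an
    interactive shell) in the result point at a system-wide cause, not one program."""
    found = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["verdict"] != "denied" or "execmem" not in rec["perms"]:
            continue
        if rec["tclass"] == "process" and rec["sdomain"] == rec["tdomain"]:
            found.setdefault(rec["sdomain"], set()).add(rec["comm"])
    return {d: sorted(c) for d, c in found.items()}

if __name__ == "__main__":
    for domain, comms in sorted(execmem_by_domain(SAMPLE_LINES).items()):
        print(f"{domain:20} {', '.join(comms)}")
```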
Comment 1 solar (RETIRED) gentoo-dev 2006-05-23 14:51:49 UTC
Turns out this user is not using PaX at all. It's just simply a matter of having a PT_LOAD being RWE among other things.
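A way to check a binary for the condition this comment names, added here as an example and not code from the commenter or from Gentoo: it walks an ELF file's program headers and reports PT_LOAD segments flagged RWE, plus a PT_GNU_STACK that is executable or missing (the Linux loader treats a missing PT_GNU_STACK as a request for an executable stack). The build_elf32_be helper constructs a header-only big-endian ppc32 image as test input; the function names and the findings tuples are my own.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def flag_str(flags):  # readelf-style rendering: R, W, E
    return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)

def program_headers(elf):
    """Yield (index, p_type, p_flags) per program header; ELF32/ELF64, either byte order."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    fmt, phoff_at, count_at = ("Q", 32, 54) if is64 else ("I", 28, 42)  # e_phoff / e_phentsize
    (phoff,) = struct.unpack_from(end + fmt, elf, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, count_at)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:  # Elf64_Phdr begins p_type, p_flags
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:     # Elf32_Phdr: p_flags is the 7th word
            fields = struct.unpack_from(end + "8I", elf, off)
            p_type, p_flags = fields[0], fields[6]
        yield i, p_type, p_flags

def execmem_findings(elf):
    """PT_LOAD segments flagged RWE (the case named in comment 1) plus an executable
    or absent PT_GNU_STACK; the loader treats a missing PT_GNU_STACK as an executable stack."""
    findings, saw_gnu_stack = [], False
    for i, p_type, p_flags in program_headers(elf):
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            findings.append(("PT_LOAD", i, flag_str(p_flags)))
        elif p_type == PT_GNU_STACK:
            saw_gnu_stack = True
            if p_flags & PF_X:
                findings.append(("PT_GNU_STACK", i, flag_str(p_flags)))
    if not saw_gnu_stack:
        findings.append(("PT_GNU_STACK", None, "missing"))
    return findings

def build_elf32_be(segments):
    """Constructed input: header-only big-endian ELF32 for EM_PPC with the given (p_type, p_flags)."""
    ehdr = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8)  # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr += struct.pack(">HHIIIIIHHHHHH", 2, 20, 1, 0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in segments)
    return ehdr + phdrs

# Constructed sample matching the comment: a data segment mapped RWE and an executable stack.
SAMPLE_RWE = build_elf32_be([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
```

Running execmem_findings on a real file is `execmem_findings(open(path, "rb").read())`; an empty list means no RWE segment and a non-executable PT_GNU_STACK.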
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2007-08-20 04:33:17 UTC
The execmem check is disabled on ppc32 upstream. Not sure if the toolchain stuff is fixed, and I can't check since my ppc is out of commission.
Comment 3 PaX Team 2007-08-20 08:00:13 UTC
(In reply to comment #2)
> not sure if the toolchain stuff is fixed

If you mean -msecure-plt then it works fine; I know of at least one happy user who's been running a fully enabled PaX/ppc32 (i.e., no EMUPLT) for a year now. I see that portage enables it in the toolchain by default now when using >=glibc-2.5 (and obviously gcc-4), so a full system re-emerge should produce a clean userland (CFLAGS might need -msecure-plt, I don't know if it's used by default). Then you'll need PaX to actually get non-exec pages and you're mostly set (save for non-exec stack issues, as ppc32 wants an executable stack by default, I forget for what reason).