Bug 92778 - PaX prevents mysql from loading when NOELFRELOCS is enabled
Summary: PaX prevents mysql from loading when NOELFRELOCS is enabled
Status: RESOLVED DUPLICATE of bug 42968
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo Linux MySQL bugs team
Reported: 2005-05-16 03:55 UTC by Pedro Venda
Modified: 2005-07-17 13:06 UTC
Description Pedro Venda 2005-05-16 03:55:05 UTC
mysql needs to do elf segment relocations, which can be prevented by PaX on a hardened setup.

gw root # scanelf -t /usr/sbin/mysqld 
 TYPE   TEXTREL  FILE
ET_DYN  TEXTREL /usr/sbin/mysqld
gw root # 

when PaX has NOELFRELOCS enabled, mysql daemon doesn't start.

this can be solved in two ways:
1. disable mprotect() restrictions on some mysql binaries
paxctl -m /usr/sbin/mysqld;paxctl -m /usr/bin/my_print_defaults
2. fix ebuild by removing configure option "--enable-assembler"

mysql binaries no longer need to do elf segment relocations if proposed solution #2 is used.

hardened setup prevents mysql from starting.

Reproducible: Always
Steps to Reproduce:
1. use hardened-sources-2.6.11-r1 or vanilla kernel with grsecurity or pax patchset
2. compile kernel with
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
(using PAGEEXEC or SEGMEXEC is fine as long as one of them is used)
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
(above config flag is critical to reproduce bug)
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
3. build hardened toolchain
USE="hardened pic" emerge gcc glibc
USE="hardened pic" emerge gcc glibc
4. compile mysql
USE="hardened pic" emerge mysql
5. mysql won't start


Actual Results:  
mysql didn't start: complained about attempted segment relocation: permission denied
(exact message unavailable for now)

Expected Results:  
gw root # /etc/init.d/mysql start 
 * Starting mysqld...                                                     
[ ok ] 
gw root #  

 Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, 
glibc-2.3.4.20041102-r1, 2.6.11.7-grsec i686) 
================================================================= 
System uname: 2.6.11.7-grsec i686 Pentium III (Coppermine) 
Gentoo Base System version 1.4.16 
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, May  6 2005, 17:45:06)] 
ccache version 2.3 [enabled] 
dev-lang/python:     2.3.5 
sys-apps/sandbox:    [Not Present] 
sys-devel/autoconf:  2.59-r6, 2.13 
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4 
sys-devel/binutils:  2.15.92.0.2-r7 
sys-devel/libtool:   1.5.16 
virtual/os-headers:  2.6.8.1-r2 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CFLAGS="-march=pentium3 -fomit-frame-pointer -fforce-addr -fstack-protector 
-O2 -pipe" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-march=pentium3 -fomit-frame-pointer -fforce-addr -fstack-protector 
-O2 -pipe" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict" 
GENTOO_MIRRORS="ftp://ftp.rnl.ist.utl.pt/gentoo http://gentoo.oregonstate.edu 
http://www.ibiblio.org/pub/Linux/distributions/gentoo" 
MAKEOPTS="-j3" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
SYNC="rsync://ftp.rnl.ist.utl.pt/gentoo-portage" 
USE="x86 aalib acl acpi alsa apache2 apm arts avi berkdb bitmap-fonts crypt 
cscope cups curl emboss encode fam foomaticdb fortran gd gdbm ggi gif gmp gpm 
gtk2 hardened imagemagick imap imlib ipv6 java jpeg libg++ libwww mad maildir 
mikmod mmx motif mp3 mpeg mppe-mppc mysql ncurses nls ogg oggvorbis opengl oss 
pam pdflib perl pic pie png ppds python quicktime readline samba sasl sdl 
slang snmp spell sse ssl svga tcpd tiff truetype-fonts type1-fonts unicode usb 
vorbis winbind wmf xml xml2 xmms xv zlib userland_GNU kernel_linux 
elibc_glibc" 
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, 
PORTDIR_OVERLAY
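
Added example, not part of the original report and not pax-utils code: a minimal Python check for the TEXTREL marker that scanelf -t reports in the description above, reading the ELF dynamic section for a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS. The function names and the constructed sample image are assumptions made for illustration.

```python
import struct

# Constants from the ELF specification
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4
ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

def scan_textrel(data):
    """Return (type_name, has_textrel) for an ELF image given as bytes."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    word = "Q" if is64 else "I"             # width of offsets and sizes
    try:
        e_type, = struct.unpack_from(end + "H", data, 16)
        phoff, = struct.unpack_from(end + word, data, 32 if is64 else 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
        for i in range(phnum):
            ph = phoff + i * phentsize
            if struct.unpack_from(end + "I", data, ph)[0] != PT_DYNAMIC:
                continue
            # p_offset and p_filesz sit at different offsets in ELF32 and ELF64
            off, = struct.unpack_from(end + word, data, ph + (8 if is64 else 4))
            size, = struct.unpack_from(end + word, data, ph + (32 if is64 else 16))
            fmt = end + ("qQ" if is64 else "iI")
            table = data[off:off + size]
            table = table[:len(table) - len(table) % struct.calcsize(fmt)]
            for tag, val in struct.iter_unpack(fmt, table):
                if tag == DT_NULL:          # end of the dynamic table
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    return ET_NAMES.get(e_type, hex(e_type)), True
    except struct.error as exc:
        raise ValueError("truncated ELF file") from exc
    return ET_NAMES.get(e_type, hex(e_type)), False

def sample_elf32(dyn_entries):
    """Constructed sample: ELF32 header, one PT_DYNAMIC phdr, dynamic table."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    for name, dyn in [("textrel", [(1, 0), (DT_TEXTREL, 0), (DT_NULL, 0)]),
                      ("clean", [(1, 0), (DT_NULL, 0)])]:
        print(name, scan_textrel(sample_elf32(dyn)))
```

To audit an installed binary, pass the file's bytes to scan_textrel, for example the result of open(path, "rb").read().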
Comment 1 Pedro Venda 2005-05-16 03:57:18 UTC
this is different from bug #63885, although summary is very similar.
Comment 2 solar (RETIRED) gentoo-dev 2005-05-16 17:58:28 UTC

*** This bug has been marked as a duplicate of 42968 ***