Bug 1367397

Summary: DaemonPartialRELRO - storaged
Product: Red Hat Storage Console Reporter: Martin Kudlej <mkudlej>
Component: distribution Assignee: Nishanth Thomas <nthomas>
Status: CLOSED WONTFIX QA Contact: sds-qe-bugs
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2 CC: sankarshan
Target Milestone: ---   
Target Release: 3   
Hardware: Unspecified   
OS: Unspecified   
URL: http://brewtap.app.eng.bos.redhat.com/nvr/storaged/2.2.0/3.el7
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-23 04:06:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1367296    

Description Martin Kudlej 2016-08-16 10:51:27 UTC
DaemonPartialRELRO

Daemon file compiled with only partial RELRO (should be full): /usr/libexec/storaged/storaged

Daemon executable compiled with only partial RELRO (RHEL6 requires full).

When compiled with PIE flags, the Global Offset Table is writable in order to resolve the relocations introduced by ASLR. If the binary is not Full RELRO, the bindings are resolved lazily so that the program starts up as fast as possible. This means for the life of the program it remains writable and that causes an attack point in an otherwise hardened application. With Full RELRO, all relocations are resolved and the GOT is marked read-only, removing the attack point.

This failure is sometimes triggered by enabling PIE without also enabling BIND_NOW. To enable BIND_NOW, put -Wl,-z,now (with now, not bind_now) among the linker flags (LDFLAGS).

Note that we use heuristics to identify daemons, and these may result in false positives (we identify "foo" as a daemon but it really isn't) and false negatives (we fail to identify "bar" as a daemon, and don't check it for RELRO).

See also http://post-office.corp.redhat.com/archives/os-devel-list/2011-July/msg00149.html.