Bug 451877

Summary: unconfined_execmem_exec_t needed for several GHC-built Haskell binaries
Product: [Fedora] Fedora Reporter: Bryan O'Sullivan <bos>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: drepper, haskell-devel, notting, petersen, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-04-13 14:06:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 452440    

Description Bryan O'Sullivan 2008-06-17 22:30:45 UTC 
The following Haskell programs, built by GHC, need unconfined_execmem_exec_t
added to the SELinux policies:

/usr/bin/haddock
/usr/bin/haddock-0.9
/usr/bin/hasktags
/usr/bin/runghc
/usr/bin/runhaskell
/usr/libexec/ghc-*/ghc-6.8.[0-9]
/usr/libexec/ghc-*/ghc-pkg.bin
/usr/libexec/ghc-*/hsc2hs-bin
Comment 1 Bryan O'Sullivan 2008-06-17 22:33:35 UTC 
Tibbs suggests that Haddock doesn't need to be blocked on this.
Comment 2 Daniel Walsh 2008-06-22 10:55:05 UTC 
Why doesn't haddock fix their code to not need execmem?

Is this java or mono?

What does haddock need both executable and writeable memory at the same time?
Comment 3 Jens Petersen 2008-06-22 22:59:27 UTC 
(In reply to comment #2)
> Is this java or mono?

Haskell ;)
Comment 4 Bryan O'Sullivan 2008-06-23 02:07:40 UTC 
The runtime system for programs compiled by GHC generates code dynamically and
executes it.

The interaction with SELinux's enforcing mode is a known problem, which was
previously addressed with a hack: the %post scripts for Haskell programs were
using chcon to add unconfined_exec_mem_t.  This obviously didn't work in lots of
circumstances, hence wanting to apply the policy properly.

The underlying problem, namely the way GHC allocates memory that it intends to
execute dynamically, should be fixed within the next six months or so.  See
http://hackage.haskell.org/trac/ghc/ticket/738 for details.
Comment 5 Daniel Walsh 2008-07-02 17:46:12 UTC 
Fixed in selinux-policy-3.3.1-74.fc9.noarch
Comment 6 Bill Nottingham 2008-10-24 20:08:23 UTC 
Can Haskell users verify this and close the bug if it's fixed?
Comment 7 Jens Petersen 2009-01-21 00:37:35 UTC 
I started a comment long ago (which was then lost by a browser crash or restart)...

Basic summary is most (all) haskell programs shipped can run now in enforcing.
However there have been a number of path changes that should probably be updated
in selinux-policy.  I can help to do that.

Currently the changes needed are being done for that at install time.
Comment 8 Daniel Walsh 2009-01-26 16:46:20 UTC 
What are the paths?
Comment 9 Jens Petersen 2009-06-02 03:57:39 UTC 
I tested in F11 and it seems AFAICT the %post stuff we have is no longer needed for ghc executables so I am removing it for f12.