Bug 723998

Summary: Library needs partial RELRO support added
Product: Red Hat Enterprise Linux 6
Reporter: Steve Grubb <sgrubb>
Component: acl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: medium
Version: 6.1
CC: mvadkert, omoris, ovasik, sct
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-12-06 16:37:39 UTC

Description Steve Grubb 2011-07-21 17:20:03 UTC
Description of problem:
The acl package contains libraries. We would like them to be built with
partial RELRO support as a security enhancement.

Additional info:
Partial RELRO requires these passed at link:
-Wl,-z,relro

Comment 1 Kamil Dudka 2011-07-26 12:28:38 UTC
This will fix it:

Index: acl.spec
===================================================================
RCS file: /cvs/dist/rpms/acl/RHEL-6/acl.spec,v
retrieving revision 1.43
diff -u -p -r1.43 acl.spec
--- acl.spec    26 Jul 2011 12:16:51 -0000      1.43
+++ acl.spec    26 Jul 2011 12:26:53 -0000
@@ -62,7 +62,7 @@ autoconf
 %build
 touch .census
 # acl abuses libexecdir
-%configure --libdir=/%{_lib} --libexecdir=%{_libdir}
+%configure --libdir=/%{_lib} --libexecdir=%{_libdir} LDFLAGS="$LDFLAGS -Wl,-z,relro"
 make %{?_smp_mflags} LIBTOOL="libtool --tag=CC"
 
 %check
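
Review bot: The new LDFLAGS argument on the %configure line carries no comment saying why it is there. A one-line spec comment above it naming partial RELRO and bug 723998 would keep the flag from being dropped in a later cleanup. Because the make line below overrides LIBTOOL with "libtool --tag=CC", it is also worth confirming in the build log that -Wl,-z,relro reaches the link of the shared library and not only the executables, since the library is what this bug asks for.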

Comment 4 Ondrej Moriš 2011-08-03 22:25:51 UTC
Using the aforementioned tool (rpm-chksec) on acl-2.2.49-6.el6, I've got:

FILE                                                    TYPE      RELRO    PIE 
/usr/bin/chacl                                          exec      partial  no  
/usr/bin/getfacl                                        exec      partial  no  
/usr/bin/setfacl                                        exec      partial  no 

Edo, Steve, I am not sure what the meaning of this outcome is. Is this tool documented somewhere?

Comment 5 Steve Grubb 2011-08-03 23:45:14 UTC
The color coding helps you interpret the results. :)

Comment 7 Kamil Dudka 2011-08-04 06:28:16 UTC
Ondrej, as for this bug, you need to check libacl in the first place.  That is the subpackage that provides the library.

Comment 11 errata-xmlrpc 2011-12-06 16:37:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2011-1657.html