+++ This bug was initially created as a clone of Bug #1722756 +++
Description of problem:
libffi code searches for a tmpdir with exec to write and execute its temporary files from there. On hardened systems with most of the mounts mounted noexec, it can fall through the explicit list of candidate dirs to the mtab search, and then it can take the root directory ('/'), which will result in SELinux AVCs. As most systems have /run mounted with exec, it could be worth adding it to the explicit list of candidates. Well, it will not solve the problem for everybody, because FHS doesn't say anything about exec/noexec for /run, so customers could remount it noexec, but it would definitely be an improvement.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. check the code
Actual results:
/run is not in the explicit search list
Expected results:
/run could be in the explicit search list
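As an added example (not libffi's own code and not part of this bug report), the C program below mimics the search the description refers to: probe an explicit candidate list for a directory where a freshly created file can be mapped PROT_EXEC, and only if that fails walk the mount table for the first writable mount that is not noexec. The candidate lists, the probe file name and the use of /proc/self/mounts are assumptions for illustration. On a host where /tmp, /var/tmp and /dev/shm are all noexec, the list without /run falls through to the mount table and can pick '/', while the list with /run stops there.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, ftruncate */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Return 1 if the comma-separated mount options contain the exact token "noexec". */
int mount_opts_noexec(const char *opts)
{
    for (const char *p = opts; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 6 && strncmp(p, "noexec", 6) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Parse one /proc/self/mounts line ("dev dir fstype opts dump pass").
 * Return 1 and copy the mount point into `dir` when the mount is not noexec. */
int mount_line_exec_dir(const char *line, char *dir, size_t dirlen)
{
    char mnt[256], opts[256];
    if (sscanf(line, "%*255s %255s %*255s %255s", mnt, opts) != 2)
        return 0;
    if (mount_opts_noexec(opts))
        return 0;
    snprintf(dir, dirlen, "%s", mnt);
    return 1;
}

/* The probe: create a temp file in `dir` and map one page of it PROT_EXEC.
 * Returns 1 on success, 0 if the directory is missing, unwritable or noexec. */
int dir_allows_exec(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/exec-probe-XXXXXX", dir); /* assumed name */
    if (n < 0 || (size_t)n >= sizeof path)
        return 0;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;                        /* not writable, or does not exist */
    unlink(path);                        /* the open fd keeps the inode alive */
    int ok = 0;
    long pg = sysconf(_SC_PAGESIZE);
    if (pg > 0 && ftruncate(fd, pg) == 0) {
        void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
        if (p != MAP_FAILED) {           /* fails with EPERM on a noexec mount */
            ok = 1;
            munmap(p, (size_t)pg);
        }
    }
    close(fd);
    return ok;
}

/* Walk the explicit candidate list, then the mount table. Returns 1 with the
 * chosen directory in `out`, 0 if nothing exec-capable was found at all. */
int find_exec_tmpdir(const char *const *candidates, char *out, size_t outlen)
{
    for (; *candidates; candidates++) {
        if (dir_allows_exec(*candidates)) {
            snprintf(out, outlen, "%s", *candidates);
            return 1;
        }
    }
    /* Fallback: first exec-capable, writable mount point in mount-table order.
     * On a hardened system this is where '/' can be picked up. */
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return 0;
    char line[1024], dir[256];
    int found = 0;
    while (!found && fgets(line, sizeof line, f)) {
        if (mount_line_exec_dir(line, dir, sizeof dir) && dir_allows_exec(dir)) {
            snprintf(out, outlen, "%s", dir);
            found = 1;
        }
    }
    fclose(f);
    return found;
}

/* Two assumed candidate lists for the demo (not libffi's): without and with /run. */
static const char *const without_run[] = { "/tmp", "/var/tmp", "/dev/shm", NULL };
static const char *const with_run[]    = { "/run", "/tmp", "/var/tmp", "/dev/shm", NULL };

int main(void)
{
    char dir[256];
    printf("without /run: %s\n", find_exec_tmpdir(without_run, dir, sizeof dir) ? dir : "(none)");
    printf("with /run:    %s\n", find_exec_tmpdir(with_run, dir, sizeof dir) ? dir : "(none)");
    return 0;
}
```

Build with `cc -o exec-probe exec-probe.c` and run it on a host where the usual tmp mounts carry noexec; the first line shows where the fallback lands, the second whether /run would have caught it. Because the probe actually maps a page PROT_EXEC, it is also what triggers the execmem/execmod-style AVCs on an SELinux host, so expect audit entries when the fallback reaches a labelled directory such as '/'.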
--- Additional comment from Florian Weimer on 2019-06-21 05:28:23 EDT ---
I think the way forward here is to switch to a trampoline which does not need run-time code generation, only mapping of fixed, pre-compiled code. Then all that dual-mapping and cache-flushing code can go away.
--- Additional comment from Carlos O'Donell on 2019-06-25 12:00:03 EDT ---
In RHEL7 we should just add the extra search directory and stop there, but in later releases we may have the opportunity to rework libffi.
Verified against libffi-3.1-22.el8.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (libffi bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.