Description of problem: Unless this program is a Java or Mono app it should not require execstack. http://people.redhat.com/~drepper/selinux-mem.html SELinux will not let it run with execstack.
wow, why on earth is it trying that?
There are 2 things likely to require execstack: 1. taking the address of a nested function, 2. assembly files without the proper gnu_stack notes. I'll look into this ASAP.
This appears to be qimageblitz's fault. libqimageblitz.so.4.0.0 is marked as having an executable stack. This appears to be due to the included asm_scale.S which doesn't have a GNU_STACK note. There may be other stuff marked as execstack though (hopefully not!), I don't have a Rawhide system handy to do a full search of the ldd of systemsettings for the RWE GNU_STACK notes.
Looks like Debian found this before we did, curse me for not looking at their patches. This should be fixed in Rawhide. If there are other libraries requiring execstack, please open separate bugs for these.
I filed bug 428096 asking for an rpmlint check to catch this sort of issue so that this hopefully doesn't happen again.
qimageblitz-0.0.4-0.3.svn706674.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
qimageblitz-0.0.4-0.3.svn706674.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 431786 has been marked as a duplicate of this bug. ***
Arrrgh, qimageblitz still has execstack set on x86_64. I'll explain why:
* CMakeLists.txt tests only if it can compile MMX before enabling asm_scale.S. Of course, x86_64 can compile MMX.
* asm_scale.S itself elides almost all of the code if the following is false:
  #if defined(__i386__) && ( defined(__GNUC__) || defined(__INTEL_COMPILER) )
* Thus, on x86_64, an almost empty asm_scale.S is compiled.
* The Debian patch adds the .note within that #ifdef, so it is missed on x86_64.
I'll fix this ASAP.
Fixed in Rawhide. (I redid the noexecstack patch properly.) I ran readelf -l on all the libqimageblitz.so.4.0.0 from all 4 architectures built in Koji and they're all RW now (not RWE). I'm pushing updates for the stable versions right now because this is both a major annoyance for SELinux users and a potential security risk.
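The RW versus RWE check described in the comment above, as an added Python example that is not part of the original bug report: it reads the PT_GNU_STACK program header straight from the ELF file instead of going through readelf -l. The names gnu_stack_flags and make_elf are hypothetical, and the ELF images make_elf builds are constructed samples containing only a header and one program header.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def gnu_stack_flags(data):
    """Return PT_GNU_STACK permissions as readelf prints them ('RW', 'RWE'),
    or None when the object has no PT_GNU_STACK program header at all."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = {1: False, 2: True}[data[4]]   # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]       # EI_DATA
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags is at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr.
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        names = ((PF_R, "R"), (PF_W, "W"), (PF_X, "E"))
        return "".join(c for bit, c in names if p_flags & bit)
    return None

def make_elf(is64, stack_flags):
    """Constructed little-endian sample; stack_flags=None omits PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    ehsize, phsize = (64, 56) if is64 else (52, 32)
    phnum = 0 if stack_flags is None else 1
    flags = stack_flags or 0
    tail = (0, ehsize, 0, 0, ehsize, phsize, phnum, 0, 0, 0)
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, *tail)
        ph = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, *tail)
        ph = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return hdr + (ph if phnum else b"")

if __name__ == "__main__":
    for path in sys.argv[1:]:            # e.g. each built libqimageblitz.so.4.0.0
        with open(path, "rb") as f:
            result = gnu_stack_flags(f.read())
        print(path, "no PT_GNU_STACK" if result is None else result)
```

A None result is worth flagging separately from RW: it means the link produced no GNU_STACK header at all, so the stack permission is left to the loader's default.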
qimageblitz-0.0.4-0.4.svn706674.fc8 has been submitted as an update for Fedora 8
qimageblitz-0.0.4-0.4.svn706674.fc7 has been submitted as an update for Fedora 7
qimageblitz-0.0.4-0.4.svn706674.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
qimageblitz-0.0.4-0.4.svn706674.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 432762 has been marked as a duplicate of this bug. ***
*** Bug 433142 has been marked as a duplicate of this bug. ***