Description of problem: Your gcl policy will not work with confined users. It will not allow me to disable the unconfined policy module. Please change it to

optional_policy(`
    unconfined_domain(gcl_t)
')

Is this really required?

allow gcl_t self:memprotect mmap_zero;

If yes, the policy should be

domain_mmap_low_type(gcl_t)
tunable_policy(`mmap_low_allowed',`
    domain_mmap_low(gcl_t)
')
I STRONGLY suggest you figure out what is requiring mmap_zero, i.e. mmap(NULL, ..., MAP_FIXED, ...), and rework your code. That's a very bad idea to allow for security reasons and something Linux does not allow regular users (even without selinux) to do by default.
(Unrelated note, but Dan showed me your policy out of band.) execheap? You know that isn't POSIX compliant? (It's actually forbidden by POSIX.) You really should be using mmap with PROT_EXEC. http://people.redhat.com/drepper/selinux-mem.html explains most of the memory protections (not mmap_zero) and how they should be handled in a more secure manner....
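The pattern comment #2 recommends, as an added example that is not gcl's code and not part of this bug report: generated code goes into a private anonymous mmap region that is writable but not executable, and is flipped to read+execute with mprotect once it is complete, so no page is ever writable and executable at the same time. Under SELinux this needs only the execmem permission on the domain, not execheap. The function names (jit_alloc, jit_seal, jit_free, sealed_region_rejects_write) are this example's own; the check at the end shows that a write to the sealed region faults instead of silently patching code. The 64-byte buffer and its filler bytes are constructed test data.

```c
/* Added example, not gcl's code: a W^X code buffer built with mmap/mprotect
 * instead of an executable heap. Names here are this example's own. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* mmap/mprotect operate on whole pages, so round the request up. */
static size_t page_round(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (n + page - 1) / page * page;
}

/* Allocate a private anonymous region that is writable but NOT executable. */
void *jit_alloc(size_t n) {
    void *p = mmap(NULL, page_round(n), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Once the code is complete, drop write and add execute. The region is never
 * writable and executable at once, which is what execheap would require. */
int jit_seal(void *p, size_t n) {
    return mprotect(p, page_round(n), PROT_READ | PROT_EXEC);
}

int jit_free(void *p, size_t n) { return munmap(p, page_round(n)); }

/* Fault handler used only by the check below: jump back out of the signal. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if a write to a sealed region faults (W^X is enforced),
 * 0 if the write silently succeeded, -1 if the region could not be set up. */
int sealed_region_rejects_write(void) {
    size_t n = 64;                         /* constructed size for the check */
    unsigned char *buf = jit_alloc(n);
    if (!buf) return -1;
    memset(buf, 0xC3, n);                  /* filler while writable; never executed */
    if (jit_seal(buf, n) != 0) { jit_free(buf, n); return -1; }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);      /* some platforms report SIGBUS instead */

    volatile int faulted = 0;              /* volatile: modified after sigsetjmp */
    if (sigsetjmp(fault_env, 1) == 0) {
        buf[0] = 0x90;                     /* attempt to patch sealed code */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    jit_free(buf, n);
    return faulted;
}

int main(void) {
    int r = sealed_region_rejects_write();
    if (r == 1)  puts("write to sealed code region faulted: W^X enforced");
    else if (r == 0) puts("write succeeded: region is writable and executable");
    else puts("could not map or seal region (check execmem / mmap permissions)");
    return r == 1 ? 0 : 1;
}
```

A generator that patches code after sealing must call mprotect back to PROT_READ|PROT_WRITE, edit, and reseal; keeping those transitions explicit is the point, since it is exactly what an executable heap hides.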
I made the first change requested in comment #0 and am testing it now. As for the second change in comment #0 and comment #1, no, it appears that gcl does NOT need mmap_zero, so I have removed that from the policy. With respect to comment #2, gcl is generating and compiling code on the fly. The gcl code that does this is VERY complex. I took a stab at changing it to use mmap with PROT_EXEC last winter, when I took over maintainership of the package. I failed. I simply don't have the time I need to study the gcl code enough to understand it deeply enough to edit it in this fashion. That is not likely to change any time soon. Upstream is nearly (but not completely) dead, so I do not hold out any hope of convincing them to do the work. If someone who is able to make it work correctly steps up with a patch, I would be happy to include it in the gcl package.
gcl-2.6.8-0.6.20090701cvs.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/gcl-2.6.8-0.6.20090701cvs.fc12
gcl-2.6.8-0.4.20090701cvs.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/gcl-2.6.8-0.4.20090701cvs.fc11
gcl-2.6.8-0.4.20090701cvs.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping