On Sat, Oct 4, 2008 at 10:25 AM, Damian S <dsteward at internode.on.net> wrote:
> To answer my question, I have found the allow_execmem boolean, and set
> it.
>
> So, should I file a bug with someone?
>
> Also, I'm thinking I might run into more problems with SELinux silently
> interfering with ejabberd later on, so maybe I should disable SELinux
> and be done with it.
>

Well, look at the problem: your program is trying to execute code in the memory area of the stack versus the application. That is usually what exploit code does. So the first question I would ask is why is it acting like exploit code?

Now, certain languages do act like that because their concept of a stack is 'machine independent' (I think that's the correct term). An example is Lisp, which expects that you are running your code on a LISP machine, which has a different memory manager than most modern-day hardware. On the other hand, some use a side effect to accomplish something because the programmer was being clever, which usually bites someone later.

There are several paths you can go from here:

1) Run the system in passive mode. You won't be protected, but you can watch what might be causing issues later on. [Worst case, if you have an exploited machine and the logs aren't wiped, you can figure out why...] Anytime you have something doing crypto that way would have me wondering if some programmer was trying to be too clever.

2) Write a policy using audit2allow that would allow for ejabberd to execute on the stack but not other programs.

3) Turn on the boolean, which then allows any program to execute memory.

4) Turn off SELinux.

> Does anyone here run ejabberd with SELinux enabled?
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
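Added example (not from the thread): a small POSIX sh script that triages the execmem/execstack AVC denials the reply is talking about and prints the commands for path 2 (a targeted audit2allow module) rather than path 3 (the system-wide boolean). The audit lines, the `ejabberd_t` domain label and the module name `ejabberd_execmem` are constructed for illustration; `beam` is the Erlang VM that ejabberd runs on.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log AVC records (not real output).
# Two are the execmem/execstack denials from the Erlang VM, one is an unrelated
# httpd denial that a broad "turn the boolean on" fix would never even look at.
SAMPLE_AVC='type=AVC msg=audit(1223101500.123:45): avc:  denied  { execmem } for  pid=2211 comm="beam" scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:system_r:ejabberd_t:s0 tclass=process
type=AVC msg=audit(1223101500.456:46): avc:  denied  { execstack } for  pid=2211 comm="beam" scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:system_r:ejabberd_t:s0 tclass=process
type=AVC msg=audit(1223101501.789:47): avc:  denied  { read } for  pid=2300 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Print "<source type> <permission> <comm>" for every denial whose permission is
# execmem or execstack, i.e. code trying to run from writable memory or the stack.
memory_exec_denials() {
    printf '%s\n' "$SAMPLE_AVC" | awk '
        /avc: *denied/ {
            perm = $0; sub(/.*denied *\{ */, "", perm); sub(/ *\}.*/, "", perm)
            if (perm != "execmem" && perm != "execstack") next
            comm = $0; sub(/.*comm="/, "", comm); sub(/".*/, "", comm)
            sc = $0; sub(/.*scontext=/, "", sc); sub(/ .*/, "", sc)
            split(sc, parts, ":")            # user:role:type:level
            print parts[3], perm, comm
        }'
}

# How many such denials the sample contains (whitespace stripped for portability).
count_memory_exec_denials() {
    memory_exec_denials | wc -l | tr -d ' '
}

# Which SELinux source domains are asking for executable memory. If this is only
# ejabberd_t, a per-domain allow (path 2) is enough; setsebool -P allow_execmem on
# (path 3) would grant the same thing to every domain on the box, httpd_t included.
affected_domains() {
    memory_exec_denials | awk '{ print $1 }' | sort -u
}

# Path 2 from the reply: build a module from the beam denials only. Printed, not
# run, so the script is safe to read offline; run them as root on the host.
targeted_policy_commands() {
    cat <<'EOF'
ausearch -m AVC -c beam | audit2allow -M ejabberd_execmem
semodule -i ejabberd_execmem.pp
EOF
}

memory_exec_denials
affected_domains
targeted_policy_commands
```

Before installing the module, read the generated `ejabberd_execmem.te` and check that it grants execmem/execstack to the one domain you expect and nothing more.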