[oe] xterm: either fix it, or remove it. please.

Robert P. J. Day rpjday at crashcourse.ca
Fri Nov 13 04:38:01 UTC 2009


On Thu, 12 Nov 2009, Philip Balister wrote:

> On 11/12/2009 04:42 PM, GNUtoo wrote:
> > > Is it practical?  I think the answer is no.  In my experience,
> > > tools like selinux have a tendency to require inordinate amounts
> > > of administrative burden that just isn't practical in a
> > > development environment.  I think requiring that selinux be
> > > disabled on build hosts is a reasonable requirement, and will
> > > avoid wasting a lot of cycles that should be spent on OE, and
> > > not on administration (or sending lots of emails).

> > What about supporting only the unconfined user selinux
> > type (unconfined_u), in targeted mode?
>
> I'm running default Selinux on F11, I don't think we can just say OE
> must have SELinux turned off.

  at the very least, selinux needs to be configured to allow
/proc/sys/vm/mmap_min_addr = 0.  here's the corresponding selinux
diagnostic you get because of that:

Summary:

SELinux is preventing
/home/rpjday/oe/angstrom-dev/staging/x86_64-linux/usr/bin/qemu-arm
"mmap_zero" access on <Unknown>.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by qemu-arm. The current boolean
settings do not allow this access. If you have not setup qemu-arm to
require this access this may signal an intrusion attempt. If you do
intend this access you need to change the booleans on this system to
allow the access.

Allowing Access:

Confined processes can be configured to run requiring different
access, SELinux provides booleans to allow you to turn on/off access
as needed. The boolean mmap_low_allowed is set incorrectly. Boolean
Description: Allow certain domains to map low memory in the kernel

Fix Command:

# setsebool -P mmap_low_allowed 1

rday
--

========================================================================
Robert P. J. Day                               Waterloo, Ontario, CANADA

            Linux Consulting, Training and Kernel Pedantry.

Web page:                                          http://crashcourse.ca
Twitter:                                       http://twitter.com/rpjday
========================================================================
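
An added example, not part of the original message: a shell filter that tallies "mmap_zero" AVC records by command and source domain, so the processes asking for low-memory mappings can be reviewed before mmap_low_allowed is enabled for the whole host. The log lines are constructed, and the function names and "sample-daemon" are hypothetical.

```sh
#!/bin/sh
# Tally SELinux "mmap_zero" AVC records per command and source domain.
# On a live host the same functions can read /var/log/audit/audit.log on stdin.

# Constructed sample records in audit.log AVC layout (not from the original post).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1258087081.101:201): avc:  denied  { mmap_zero } for  pid=4101 comm="qemu-arm" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect
type=AVC msg=audit(1258087082.314:202): avc:  denied  { read } for  pid=4150 comm="sample-daemon" name="data" dev=sda1 ino=77 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1258087090.007:203): avc:  denied  { mmap_zero } for  pid=4188 comm="qemu-arm" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect
type=AVC msg=audit(1258087095.560:204): avc:  denied  { mmap_zero } for  pid=4150 comm="sample-daemon" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=memprotect
EOF
}

# Read AVC records on stdin; print "count command source_domain", busiest first.
summarize_mmap_zero() {
    awk '
    # Keep only denials whose permission set contains mmap_zero.
    /avc: +denied +[{][^}]* mmap_zero [^}]*[}]/ {
        comm = "?"; dom = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm)
            }
            # scontext is user:role:type:level; the type is the process domain.
            if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
        }
        n[comm " " dom]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Same summary, minus the one command that is expected to need the access ($1).
unexpected_mmap_zero() {
    summarize_mmap_zero | awk -v ok="$1" '$2 != ok'
}

echo "mmap_zero requests by command and domain:"
sample_avc_log | summarize_mmap_zero
echo "requests not from the expected build tool (qemu-arm):"
sample_avc_log | unexpected_mmap_zero qemu-arm
```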



