
Bug 337628

Summary: SELinux is preventing /opt/eclipse/eclipse from using the execstack access on a process.
Product: [Eclipse Project] Equinox
Reporter: Michael Schechter <mlschechter>
Component: Launcher
Assignee: Project Inbox <equinox.launcher-inbox>
Status: CLOSED WONTFIX
QA Contact:
Severity: normal
Priority: P3
CC: aniefer, pwebster, remy.suen
Version: 3.6.1
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard: stalebug
Attachments:
Description: SELinux troubleshooting detail from failure
Flags: none

Description Michael Schechter CLA 2011-02-18 21:24:13 EST
Build Identifier: 20100917-0705

Running Fedora 14, Oracle JDK 1.6u23, SELinux. When I try to start the executable, I get the following error:

/usr/java/jdk1.6.0_23/bin/../jre/lib/i386/client/libjvm.so: cannot enable executable stack as shared object requires: Permission denied

Note: Workarounds for the error are here: http://www.if-not-true-then-false.com/2010/linux-install-eclipse-on-fedora-centos-red-hat-rhel/

Also, the Eclipse RPM provided by Red Hat for Fedora does not have this problem. Unfortunately, the RPM bloat that comes with that installation makes it completely unsuitable for my purposes.

Reproducible: Always

Steps to Reproduce:
1. Unzip/untar the Linux gzip file to /opt/eclipse
2. Attempt to run the binary
3. SELinux alert occurs
Comment 1 Michael Schechter CLA 2011-02-18 21:28:11 EST
Created attachment 189336
SELinux troubleshooting detail from failure
Comment 2 Andrew Niefer CLA 2011-02-22 11:59:34 EST
Can this:
chcon -t execmem_exec_t '/opt/eclipse/eclipse'
be done by us after we compile the launcher?  That is, does this set something on the executable itself, or is it setting something in the system?

We do something comparable with "sedmgr -c exempt" for AIX (bug 293840)

As an aside, I raised bug 337861; this exemption is missing for aix.gtk.
Comment 3 Michael Schechter CLA 2011-02-23 21:59:59 EST
(In reply to comment #2)
> Can this:
> chcon -t execmem_exec_t '/opt/eclipse/eclipse'
> be done by us after we compile the launcher?  That is, does this set something
> on the executable itself, or is it setting something in the system?
> 
> We do something comparable with "sedmgr -c exempt" for AIX (bug 293840)

Is this what the RPM does when it installs Eclipse? I know it didn't have the security permission problem when I installed it from the Fedora repository.

Also, I believe this is a system-specific setting - something that happens to the file on the end-user's system. The referenced command changes the file's security context.

I think the thing confusing me is why the Eclipse binary is even doing this. All of the SELinux documentation goes on at length about how much of a "bad thing" this is. Is it really that bad (and a programming error), or is it an overly protective restriction?
Comment 4 Andrew Niefer CLA 2011-02-24 14:53:50 EST
(In reply to comment #3)
> I think the thing confusing me is why the Eclipse binary is even doing this.
> All of the SELinux documentation goes on at length about how much of a "bad
> thing" this is. Is it really that bad (and a programming error), or is it an
> overly protective restriction?

It is not really the Eclipse binary that is doing this; it is the JVM, which we are starting in the Eclipse process by loading libjvm.so and using the JNI Invocation API. I believe this comes from the VM's JIT optimizations.
Comment 5 Andrew Niefer CLA 2011-05-05 15:10:02 EDT
Removing target milestone
Comment 6 Eclipse Genie CLA 2019-11-09 14:53:34 EST
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

--
The automated Eclipse Genie.