Bug 337628 - SELinux is preventing /opt/eclipse/eclipse from using the execstack access on a process.
Summary: SELinux is preventing /opt/eclipse/eclipse from using the execstack access on...
Status: CLOSED WONTFIX
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Launcher
Version: 3.6.1
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Project Inbox CLA
QA Contact:
URL:
Whiteboard: stalebug
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-18 21:24 EST by Michael Schechter CLA
Modified: 2019-11-09 14:53 EST

See Also:


Attachments
SELinux troubleshooting detail from failure (3.40 KB, text/plain)
2011-02-18 21:28 EST, Michael Schechter CLA

Description Michael Schechter CLA 2011-02-18 21:24:13 EST
Build Identifier: 20100917-0705

Running Fedora 14, Oracle JDK 1.6u23, SELinux. When I try to start the executable, I get the following error:

/usr/java/jdk1.6.0_23/bin/../jre/lib/i386/client/libjvm.so: cannot enable executable stack as shared object requires: Permission denied

Note: Workarounds for the error are here: http://www.if-not-true-then-false.com/2010/linux-install-eclipse-on-fedora-centos-red-hat-rhel/

Also, the Eclipse RPM provided by Red Hat for Fedora does not have this problem. Unfortunately, the RPM bloat that comes with that installation makes it completely unsuitable for my purposes.

Reproducible: Always

Steps to Reproduce:
1. Unzip/untar the Linux gzip file to /opt/eclipse
2. Attempt to run the binary
3. SELinux alert occurs
Comment 1 Michael Schechter CLA 2011-02-18 21:28:11 EST
Created attachment 189336
SELinux troubleshooting detail from failure
Comment 2 Andrew Niefer CLA 2011-02-22 11:59:34 EST
Can this:
chcon -t execmem_exec_t '/opt/eclipse/eclipse'
be done by us after we compile the launcher?  That is, does this set something on the executable itself, or is it setting something in the system?

We do something comparable with "sedmgr -c exempt" for AIX (bug 293840)

As an aside I raised bug 337861, this exemption is missing for aix.gtk.
Comment 3 Michael Schechter CLA 2011-02-23 21:59:59 EST
(In reply to comment #2)
> Can this:
> chcon -t execmem_exec_t '/opt/eclipse/eclipse'
> be done by us after we compile the launcher?  That is, does this set something
> on the executable itself, or is it setting something in the system?
> 
> We do something comparable with "sedmgr -c exempt" for AIX (bug 293840)

Is this what the RPM does when it installs Eclipse? I know it didn't have the security permission problem when I installed it from the Fedora repository.

Also, I believe this is a system-specific setting - something that happens to the file on the end-user's system. The referenced command changes the file's security context.

I think the thing confusing me is why the Eclipse binary is even doing this. All of the SELinux documentation goes on at length about how much of a "bad thing" this is. Is it really that bad (and a programming error), or is it an overly protective restriction?
Comment 4 Andrew Niefer CLA 2011-02-24 14:53:50 EST
(In reply to comment #3)
> I think the thing confusing me is why the Eclipse binary is even doing this.
> All of the SELinux documentation goes on at length about how much of a "bad
> thing" this is. Is it really that bad (and a programming error), or is it an
> overly protective restriction?

It is not really the Eclipse binary that is doing this; it is the JVM, which we are starting in the Eclipse process by loading libjvm.so and using the JNI Invocation API.  I believe this comes from the VM's JIT optimizations.
Comment 5 Andrew Niefer CLA 2011-05-05 15:10:02 EDT
Removing target milestone
Comment 6 Eclipse Genie CLA 2019-11-09 14:53:34 EST
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

--
The automated Eclipse Genie.