Hi Arrigo, all,

Not every distro is using SELinux.

Distro                          MAC system        SELinux?
RHEL/CentOS/AlmaLinux/Rocky     SELinux           ✅ default enforcing
Fedora                          SELinux           ✅ default enforcing
Debian                          AppArmor          ❌
Ubuntu                          AppArmor          ❌
openSUSE/SLES                   AppArmor          ❌
Arch Linux                      none by default   ❌
Gentoo                          optional          ❌ by default
Alpine                          none              ❌
Android                         SELinux           ✅


On 07.06.2026 at 22:43, Arrigo Marchiori wrote:
Hello Damjan, All,

On Sun, Jun 07, 2026 at 10:00:37PM +0200, Damjan Jovanovic wrote:

Could this be the problem? I think it must be, OpenGrok shows there's
nowhere else in OpenOffice we use PROT_EXEC.

At least on lines 105 and 111 it's granting read, write and execute
permissions together:

File main/bridges/source/cpp_uno/shared/vtablefactory.cxx:

      77 extern "C" void * SAL_CALL allocExec(rtl_arena_type *, sal_Size * size) {
...
      96     sal_Size n = (*size + (pagesize - 1)) & ~(pagesize - 1);
      97     void * p;
      98 #if defined SAL_UNX
      99     p = mmap(
     100         0, n, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1,
     101         0);
     102     if (p == MAP_FAILED) {
     103         p = 0;
     104     }
     105     else if (mprotect (static_cast<char*>(p), n, PROT_READ | PROT_WRITE | PROT_EXEC) == -1)
     106     {
     107         munmap (static_cast<char*>(p), n);
     108         p = 0;
     109     }
     110 #elif defined SAL_W32
     111     p = VirtualAlloc(0, n, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     112 #elif defined(SAL_OS2)
     113     p = 0;
     114     DosAllocMem( &p, n, PAG_COMMIT | PAG_READ | PAG_WRITE | OBJ_ANY);
     115 #endif
     116     if (p != 0) {
     117         *size = n;
     118     }
     119     return p;
     120 }

There are already some workarounds for SELinux in this directory, but we
probably need more.
I don't know SELinux well, nor those syscalls. So I cannot confirm,
unfortunately.

Do you think we should put a ``workaround for SELinux'' in place,
rather than running execstack as I was suggesting in PR #483?  If so,
could you please point me to some documentation? I have access both to
an ``old'' build VM and a ``new'' Linux-based system, so I can easily
do tests.

We could add policies for SELinux to exclude certain parts from the protection.

The recommendation is actually to remove execstack.

    # Add to assembler flags in build system
    -Wa,--noexecstack
    # Add to linker flags
    -Wl,-z,noexecstack

However, we might still end up with issues where we then need a policy. We will likely hit issues with:

Component                  Risk        Reason
UNO bridge / libffi        🔴 high     trampolines
Basic macro engine         🔴 high     runtime code generation
Java integration (JNI)     🟡 medium   depends on JVM
Inline assembly            🟡 medium   old platform-specific code
Bundled libraries          🟡 medium   may have old compile flags


All the best

Peter
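The allocExec quoted above ends up with a mapping that is readable, writable and executable at once (lines 105 and 111). The following is an added example, not code from the OpenOffice tree or from anyone in this thread, of the alternative a practitioner would reach for: one anonymous file mapped twice, once writable and once executable, so no page is ever W+X. It assumes Linux with memfd_create (glibc 2.27 or later); the trampoline bytes are constructed here for x86-64 and AArch64 only, and the function names are my own. The SELinux angle is that process:execmem is the permission checked when anonymous memory is made executable, whereas a shared file mapping with PROT_EXEC is checked against the backing file, so the domain still needs execute permission on that file.

```cpp
// Added example (not OpenOffice code): executable memory for trampolines
// without a readable+writable+executable mapping.  Assumes Linux with
// memfd_create (glibc 2.27+); sample machine code is x86-64 or AArch64 only.
#include <sys/mman.h>
#include <unistd.h>
#include <cstdint>
#include <cstdio>
#include <cstring>

struct ExecPages {
    unsigned char *rw = nullptr;   // writable view, never executable
    unsigned char *rx = nullptr;   // executable view, never writable
    size_t size = 0;
    int fd = -1;
};

// Same page rounding as allocExec.
static size_t roundToPages(size_t n) {
    size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    return (n + page - 1) & ~(page - 1);
}

// Map one anonymous file twice: RW and RX.  The executable view is a shared
// file mapping, so SELinux checks execute on the backing file instead of
// process:execmem (the check for anonymous memory made executable), and no
// page is ever writable and executable at the same time.
static bool allocExecPages(ExecPages &out, size_t want) {
    size_t n = roundToPages(want);
    int fd = memfd_create("uno-trampolines", MFD_CLOEXEC);   // hypothetical name
    if (fd < 0) return false;
    if (ftruncate(fd, static_cast<off_t>(n)) != 0) { close(fd); return false; }
    void *rw = mmap(nullptr, n, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED) { close(fd); return false; }
    void *rx = mmap(nullptr, n, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED) { munmap(rw, n); close(fd); return false; }
    out.rw = static_cast<unsigned char *>(rw);
    out.rx = static_cast<unsigned char *>(rx);
    out.size = n;
    out.fd = fd;
    return true;
}

static void freeExecPages(ExecPages &p) {
    if (p.rw) munmap(p.rw, p.size);
    if (p.rx) munmap(p.rx, p.size);
    if (p.fd >= 0) close(p.fd);
    p = ExecPages();
}

// Constructed sample: machine code for "return 42".
#if defined(__x86_64__)
static const unsigned char kReturn42[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3}; // mov eax,42 ; ret
static const size_t kReturn42Len = sizeof kReturn42;
#elif defined(__aarch64__)
static const unsigned char kReturn42[] = {0x40, 0x05, 0x80, 0x52,   // mov w0,#42
                                          0xc0, 0x03, 0x5f, 0xd6};  // ret
static const size_t kReturn42Len = sizeof kReturn42;
#else
static const unsigned char kReturn42[1] = {0};   // unknown target: nothing to run
static const size_t kReturn42Len = 0;
#endif

// Write through the RW view, run through the RX view.  Returns 42 on
// success, -1 on allocation failure or on a target without sample code.
static int runTrampoline() {
    ExecPages p;
    if (!allocExecPages(p, kReturn42Len ? kReturn42Len : 1)) return -1;
    int result = -1;
    if (kReturn42Len != 0 && kReturn42Len <= p.size) {
        memcpy(p.rw, kReturn42, kReturn42Len);
        // The two views share pages but not instruction-cache state; flush
        // the RX range before jumping (required on AArch64, harmless on x86).
        __builtin___clear_cache(reinterpret_cast<char *>(p.rx),
                                reinterpret_cast<char *>(p.rx) + kReturn42Len);
        int (*fn)() = reinterpret_cast<int (*)()>(p.rx);
        result = fn();
    }
    freeExecPages(p);
    return result;
}

// The views alias: a byte stored through rw is visible through rx, while the
// rx mapping itself was never writable.
static bool viewsAlias() {
    ExecPages p;
    if (!allocExecPages(p, 16)) return false;
    p.rw[0] = 0xc3;
    bool ok = p.rx != p.rw && p.rx[0] == 0xc3;
    freeExecPages(p);
    return ok;
}

int main() {
    printf("views alias: %s\n", viewsAlias() ? "yes" : "no");
    printf("trampoline returned %d\n", runTrampoline());
    return 0;
}
```

The Windows branch at line 111 has the same shape of fix: VirtualAlloc with PAGE_READWRITE, write the trampoline, then VirtualProtect to PAGE_EXECUTE_READ, rather than asking for PAGE_EXECUTE_READWRITE up front. Whatever the mapping strategy, the size passed in is rounded to whole pages, since protection is per page.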



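For the execstack side of the thread, an added example, not from the project or from anyone posting here, of the check behind execstack -q or readelf -lW (look for GNU_STACK): it reads the PT_GNU_STACK program header, which -Wl,-z,noexecstack leaves without PF_X, and which a single input object assembled without -Wa,--noexecstack (that is, without a .note.GNU-stack section) flips back to executable for the whole library on x86. The ELF images it inspects are constructed inside the code and carry no real machine code; gnuStackStateOfFile is there to run it against a real .so from the build tree. An absent header is reported separately because the x86 kernel and linker treat it as an executable stack.

```cpp
// Added example (not OpenOffice code): report the PT_GNU_STACK flags of an
// ELF64 little-endian image, which is what "execstack -q" and
// "readelf -lW | grep GNU_STACK" look at and what -z noexecstack changes.
#include <elf.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

enum class StackState { NonExec, Exec, Absent, NotElf64 };

static const char *describe(StackState s) {
    switch (s) {
    case StackState::NonExec: return "RW  (non-executable stack)";
    case StackState::Exec:    return "RWX (executable stack!)";
    case StackState::Absent:  return "no PT_GNU_STACK (x86 treats this as executable)";
    default:                  return "not an ELF64 little-endian image";
    }
}

// Walk the program headers and return the state of the GNU_STACK entry.
static StackState gnuStackState(const unsigned char *img, size_t len) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return StackState::NotElf64;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return StackState::NotElf64;
    // Bounds-check the program header table before trusting e_phoff/e_phnum.
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return StackState::NotElf64;
    for (unsigned i = 0; i < eh.e_phnum; ++i) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? StackState::Exec : StackState::NonExec;
    }
    return StackState::Absent;
}

// Convenience wrapper for a real file, e.g. a .so from the build tree.
static StackState gnuStackStateOfFile(const std::string &path) {
    std::ifstream f(path, std::ios::binary);
    std::vector<unsigned char> buf((std::istreambuf_iterator<char>(f)),
                                   std::istreambuf_iterator<char>());
    return gnuStackState(buf.data(), buf.size());
}

// Constructed sample: a minimal ELF64 shared object with one PT_LOAD and,
// optionally, a PT_GNU_STACK carrying the given flags.  No code inside.
static std::vector<unsigned char> sampleElf(bool withGnuStack, uint32_t stackFlags) {
    Elf64_Ehdr eh{};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = withGnuStack ? 2 : 1;

    Elf64_Phdr load{};
    load.p_type = PT_LOAD;  load.p_flags = PF_R;  load.p_align = 0x1000;
    Elf64_Phdr stack{};
    stack.p_type = PT_GNU_STACK;  stack.p_flags = stackFlags;  stack.p_align = 16;

    std::vector<unsigned char> out(sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr));
    memcpy(out.data(), &eh, sizeof eh);
    memcpy(out.data() + sizeof eh, &load, sizeof load);
    if (withGnuStack) memcpy(out.data() + sizeof eh + sizeof load, &stack, sizeof stack);
    return out;
}

int main(int argc, char **argv) {
    if (argc > 1) {   // usage: ./check path/to/lib.so
        printf("%s: %s\n", argv[1], describe(gnuStackStateOfFile(argv[1])));
        return 0;
    }
    std::vector<unsigned char> execStack = sampleElf(true, PF_R | PF_W | PF_X);
    std::vector<unsigned char> noExecStack = sampleElf(true, PF_R | PF_W);
    std::vector<unsigned char> noHeader = sampleElf(false, 0);
    printf("-z execstack   : %s\n", describe(gnuStackState(execStack.data(), execStack.size())));
    printf("-z noexecstack : %s\n", describe(gnuStackState(noExecStack.data(), noExecStack.size())));
    printf("no GNU_STACK   : %s\n", describe(gnuStackState(noHeader.data(), noHeader.size())));
    return 0;
}
```

Run over every .so and executable in the install tree, anything that reports RWX or no PT_GNU_STACK is a candidate for the flags above, or, where the code really does generate machine code at runtime (the components in the risk table), for a policy rather than an executable stack.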