Bug #6427
open
Problems with SELinux policy violations.
0%
Description
The .so produced by native-image winds up containing many TEXTRELs, which are a potential security problem and are flagged as policy violations by some SELinux policies.
A bit of background on the issue is here: https://flameeyes.blog/2016/01/16/textrels-text-relocations-and-their-impact-on-hardening-techniques/ .
This has been addressed by GraalVM, but the fix has not been released yet, won't be until September 2024 or later, and would also require updating our JDK version to JDK 21.
There is a possibility that switching to the gold linker ( https://en.wikipedia.org/wiki/Gold_(linker) ) and setting the -H:+ForceNoROSectionRelocation flag at build time could allow current native-image to generate .so files that don't violate, but this isn't certain and gold is an ELF-specific linker, so it would only address problems on Linux.
More research and testing is needed on the gold option.
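To confirm whether a given build (for example one linked with gold) still carries TEXTRELs, the dynamic section of the .so can be checked for the DT_TEXTREL tag or the DF_TEXTREL bit in DT_FLAGS, the same markers `readelf -d` reports. The script below is an added example, not part of the original issue and not SaxonC or GraalVM code; the script name in the usage comment is hypothetical.

```python
import struct
import sys

PT_DYNAMIC = 2                             # program header type holding the dynamic section
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30  # dynamic tags from the ELF gABI
DF_TEXTREL = 0x4                           # DT_FLAGS bit: object has text relocations


def has_textrel(data: bytes) -> bool:
    """Return True if an ELF image declares text relocations (DT_TEXTREL or DF_TEXTREL)."""
    if len(data) < 0x40 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a supported ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    word = "Q" if is64 else "I"
    phoff, = struct.unpack_from(end + word, data, 0x20 if is64 else 0x1C)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36 if is64 else 0x2A)
    dyn_fmt = end + ("qQ" if is64 else "iI")
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type != PT_DYNAMIC:
            continue
        # p_offset and p_filesz sit at different offsets in 32- and 64-bit headers
        off, = struct.unpack_from(end + word, data, base + (8 if is64 else 4))
        size, = struct.unpack_from(end + word, data, base + (32 if is64 else 16))
        dyn = data[off:off + size]
        dyn = dyn[:len(dyn) - len(dyn) % dyn_size]   # drop a truncated trailing entry
        for tag, val in struct.iter_unpack(dyn_fmt, dyn):
            if tag == DT_NULL:             # end of the dynamic array
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


if __name__ == "__main__":
    # Usage: python check_textrel.py path/to/lib.so [...]; exit status 1 if any file is flagged
    flagged = False
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            found = has_textrel(f.read())
        print(f"{path}: {'TEXTREL present' if found else 'no TEXTREL'}")
        flagged |= found
    sys.exit(1 if flagged else 0)
```

Run as a post-build step, the non-zero exit status lets a CI job fail before a library with text relocations is shipped.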
Updated by Matt Patterson 6 months ago
This issue was raised by a customer having problems because their SaxonC-using app is being prevented from running by their required SELinux policy.