On Thu, Aug 13, 2009 at 12:27:26PM +0100, Gordon, John (STFC,RAL,ESC) wrote:
> It is only ATLAS who require allow execheap so sites that are unhappy
> with allowing this have the option to leave SL4 resources running for
> ATLAS and letting the others use SL5. Writing this prompts the thought -
> does ATLAS code work in SL4 with SELinux forbidding execheap? Kostas?
> You imply that you already disable this.

User code runs under the unconfined domain (in the default installs) so
SELinux does very little there, for EL4 an executable heap was allowed
for user code so ATLAS was not affected (need to check if it was
disabled for confined processes or not), for EL5 SELinux disables
executable heap globally. "Broken" applications can be labeled with
unconfined_execmem_exec_t to bypass the protection (labels don't survive
nfs so not much help to us) or you can allow it globally by setting
allow_execheap=1.

The issue here is that if allow_execheap=1 affects confined processes,
a security problem that RedHat has classified as not critical and treats
it accordingly because it needs an executable heap is now critical for
us.

Kostas
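An added example, not part of the original message: before deciding on allow_execheap, a site can tally which SELinux domains actually hit execheap denials and whether any of them are confined. The log lines are constructed samples in the usual audit.log AVC layout, and the set of domains treated as unconfined is an assumption about the targeted policy.

```python
import re
from collections import Counter

# Constructed audit.log lines (not taken from any real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1250162846.101:41): avc:  denied  { execheap } for  pid=4211 comm="atlas_job" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1250162850.310:42): avc:  denied  { execheap } for  pid=2990 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1250162851.007:43): avc:  denied  { read } for  pid=2990 comm="httpd" name="x" dev=sda1 ino=12 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250162860.550:44): avc:  denied  { execheap } for  pid=2991 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
"""

# permissions, command name and source context of one AVC denial
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]*)".*?scontext=(\S+)'
)

# Assumption: domains the targeted policy leaves unconfined.
UNCONFINED = {"unconfined_t", "unconfined_execmem_t"}


def execheap_events(log_text):
    """Return (comm, domain, is_confined) for every execheap denial."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, comm, scontext = m.groups()
        if "execheap" not in perms.split():
            continue
        # scontext is user:role:type[:level]; the type is the domain
        fields = scontext.split(":")
        if len(fields) < 3:
            continue
        domain = fields[2]
        events.append((comm, domain, domain not in UNCONFINED))
    return events


def confined_domains_using_execheap(log_text):
    """Count execheap denials per confined domain."""
    return Counter(d for _, d, confined in execheap_events(log_text) if confined)


if __name__ == "__main__":
    for domain, n in confined_domains_using_execheap(SAMPLE_LOG).items():
        print(f"{domain}: {n} execheap denial(s) in a confined domain")
```

A non-empty result means confined services would also be relaxed by a global allow_execheap=1, which is the case the message is worried about.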