I’ve been trying to track down an annoying bug with SELinux these days.

The situation is as follows: when I’m running enforcing mode, BIND’s “host” command, “named” itself and “dig” won’t work. They fail with an odd error message:

mem.c:653: INSIST(ctx->stats[size].gets > 0U) failed.

or with the latest bind backported to stable:

host: isc_taskmgr_create: no available threads

The SELinux audit error reported is: denied { execmem } for pid=28566 comm="host" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process.

As far as I know, “execmem” means the process can do runtime code generation (i.e. make its own memory executable) - that is a privilege you don’t want to give out lightly. But everybody should be able to use the “host” command… so the situation sucks.

Right now I guess that this is caused by pthreads, not bind itself.

Anyone have some hints for me? Does this mean I have to build a customized libc to run stable with SELinux (or make huge modifications to the policy, to add a domain for “host” and exec permissions to every other domain that needs to be able to run “host”…)?
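As an added example (not from the original post), here is a small parser for AVC denial lines like the one quoted above, which pulls out the requested permissions and the process/context fields and flags denials that ask for runtime code generation (execmem and its siblings) so they get looked at instead of being turned into blanket allow rules. The audit(...) timestamp prefix in the sample line is constructed; the rest mirrors the denial in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the denial from the post plus a harmless unrelated one.
SAMPLE_LOG = """\
type=AVC msg=audit(1234567890.123:42): avc:  denied  { execmem } for pid=28566 comm="host" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
type=AVC msg=audit(1234567890.456:43): avc:  denied  { read } for pid=28570 comm="dig" name="resolv.conf" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Permissions that let a process make memory executable at runtime.
# Granting these defeats W^X protections, so they deserve manual triage.
CODEGEN_PERMS = {"execmem", "execstack", "execheap", "execmod"}

AVC_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: set = field(default_factory=set)
    fields: dict = field(default_factory=dict)

    def is_codegen(self) -> bool:
        return bool(self.perms & CODEGEN_PERMS)

    def is_self_targeted(self) -> bool:
        # execmem on tclass=process with scontext == tcontext means the process
        # is asking to change its own memory, not to touch another domain.
        return (self.fields.get("tclass") == "process"
                and self.fields.get("scontext") == self.fields.get("tcontext"))


def parse_avc(line: str):
    """Parse one AVC line; return AvcDenial or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(perms, fields)


def codegen_denials(log_text: str):
    """Return (comm, pid, perms) for every denial requesting code-generation rights."""
    hits = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d.is_codegen():
            hits.append((d.fields.get("comm"), d.fields.get("pid"), sorted(d.perms)))
    return hits
```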