pgf77 and selinux issue - solution found (please fix)

We’ve discovered why PGI generated binaries trip selinux (enforcing) into generating the message:
error while loading shared libraries: /somedir/somelib.so: cannot restore segment prot

This happens because the GNU_STACK object in the linked code has the E (Execute) flag set. Test this using:

% readelf -W -e BOOT | grep -i gnu_stack
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x8

The reason this happens is explained at Hardened/GNU stack quickstart - Gentoo wiki :

If an assembler source contains no GNU-stack note, the system by default assumes that an executable stack may be required. However, usually if there’s no GNU-stack note, this is simply because the author didn’t include one, rather than the code actually needing an executable stack.

Basically, the PGI compliers (tested with 7.2-3) aren’t including a “.note.GNU-stack” section header in their object files, so the stack is marked executable by default. As a workaround (as noted in the web reference), adding the link flag

-Wl,-z,noexecstack

We’ve re-linked a fairly large codebase using the noexecstack flag and haven’t had a problem. So the PGI generated code doesn’t seem to need an executable stack.

The real solution would be for PGI to have their compilers emit the “.note.GNU-stack” section in their objects. Could someone check and see if this is still an issue with PGI 8.0 ? (thanks)

I spoke too soon on this subject. The real reason we’re getting this is because on a 32-bit platform, libpgftnrtl.a is only supplied as a static library. Linking this in requires text relocation when ld-linux.so loads the executable for execution. This issue is discussed here:
http://people.redhat.com/drepper/textrelocs.html
http://people.redhat.com/drepper/selinux-mem.html

Using readelf utilities, the static links ended creating objects that required text relocation. In our case we were creating a shared lib that had linked against the libpgftnrtl.a static lib. Example:

113% eu-readelf -d libmystuff.so |grep TEXTREL
  TEXTREL           
114% eu-findtextrel libmystuff.so | sort | uniq 
either the file containing the function '__fio_assign' or the file containing the function '__fio_errinit' is not compiled with -fpic/-fPIC
either the file containing the function '__fio_eoferr' or the file containing the function 'fio_src_info' is not compiled with -fpic/-fPIC
either the file containing the function '__fio_fmt_d' or the file containing the function '__fio_fmt_f' is not compiled with -fpic/-fPIC
either the file containing the function '__fio_fmt_f' or the file containing the function '__fio_chk_f' is not compiled with -fpic/-fPIC
   <... snip ...>

All the functions indicated come from the static library libftnrtl.a

Is there any possiblity of getting a proper shared-library .so version of this library (for 32-bit)?

Hi rda,

Traditionally in 32-bits objects do not need to be compiled with -fpic to be included in shared objects and why we do not ship these version of the libraries. In 64-bits where -fpic is required, we do include -fpic compiled static libraries in the 64-bit “libso” directory.

I have added a feature request (TPR#15422) to have -fpic versions of the PGI 32-bit runtime available in a future release.

  • Mat