On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@xxxxxxxxx wrote:
> > Date: Thu, 22 Apr 2010 22:53:01 +0200
> > From: Dominick Grift <domg472@xxxxxxxxx>
> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@xxxxxxxxx wrote:
> >
> >> I've got the java wants to write, and execmem errors. audit2allow gives me this:
> >> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
> >> allow httpd_sys_script_t self:process { execmem getsched };
> >> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
> >
> > By allowing the second line of policy you allow all generic httpd system
> > scripts to execute anonymous memory and you allow them to set schedule
> > on its own process.
> <snip>
> Looking further: that second one, I see, is also being caused by matlab,
> which is not an unintelligent package. How serious is it to allow that...
> or is there a policy rule that's been tightened recently that used to
> allow this?

I am not familiar with matlab, but are you sure the AVC denial is related to matlab? Why would matlab run in the httpd generic system script domain? (What runs it?)

Either way, httpd_sys_script_t was never allowed execmem. However, if you run matlab in an unconfined domain (instead of the confined httpd_sys_script_t domain), then execmem may or may not be allowed depending on the allow_execmem boolean and/or the matlab executable file type.

>
>       mark
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
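One way to answer the "what runs it" question raised in the reply above is to group the raw AVC denials by the command that triggered them before accepting any audit2allow rule. This is an added example, not part of the thread; the log records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log records for illustration; pids, commands and paths are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1271967958.101:801): avc:  denied  { execmem } for  pid=4101 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1271967960.220:802): avc:  denied  { execmem } for  pid=4177 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1271967961.007:803): avc:  denied  { getsched } for  pid=4101 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1271967962.450:804): avc:  denied  { execute execute_no_trans } for  pid=4190 comm="report.cgi" path="/usr/local/example/bin/tool" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1271967962.450:804): arch=c000003e syscall=59 success=no exit=-13 comm="report.cgi"
"""

# Matches the fields of an AVC denial that audit2allow turns into an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_by_command(log_text):
    """Map (source type, target type, class, permission) to the commands that hit it."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial (for example a SYSCALL record)
        source = context_type(match.group("scontext"))
        target = context_type(match.group("tcontext"))
        if target == source:
            target = "self"  # same notation audit2allow uses in its rules
        for perm in match.group("perms").split():
            grouped[(source, target, match.group("tclass"), perm)].add(match.group("comm"))
    return {rule: sorted(commands) for rule, commands in grouped.items()}

if __name__ == "__main__":
    for (source, target, tclass, perm), commands in sorted(denials_by_command(SAMPLE_AUDIT_LOG).items()):
        print(f"allow {source} {target}:{tclass} {perm};  # triggered by: {', '.join(commands)}")
```

Each output line pairs a candidate rule with the commands behind it, which shows whether an execmem grant on the shared httpd_sys_script_t domain would be serving one program or several.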