> On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@xxxxxxxxx wrote:
>> > Date: Thu, 22 Apr 2010 22:53:01 +0200
>> > From: Dominick Grift <domg472@xxxxxxxxx>
>> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@xxxxxxxxx wrote:
>> >>
>> >> I've got the java wants to write, and execmem errors. audit2allow
>> >> gives me this:
>> >> allow httpd_sys_script_t self:process { execmem getsched };
<snip>
>> > By allowing the second line of policy you allow all generic httpd
>> > system scripts to execute anonymous memory and you allow them to set
>> > schedule on its own process.
>> <snip>
>> Looking further: that second one, I see, is also being caused by matlab,
>> which is not an unintelligent package. How serious is it to allow
>> that...or is there a policy rule that's been tightened recently that
>> used to allow this?
>
> I am not familiar with matlab but are you sure the AVC denial is related
> to matlab? Why would matlab run in the httpd generic system script
> domain? (what runs it)

Matlab is the 900 kg gorilla of serious math software. No idea why it's
running this way, I'm not the scientists running it.

>
> Either way httpd_sys_script_t was never allowed execmem. However if you run
> matlab as in an unconfined domain (instead of the confined httpd_sys_script_t
> domain), then execmem may or may not be allowed depending on the
> allow_execmem boolean and/or the matlab executable file type.
>
>

Hmmm...,

    ll -Z /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
    -rwxr-xr-x root root system_u:object_r:bin_t /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB

And yes, that's an executable binary.

    getsebool -a | grep execmem
    allow_execmem --> on
    allow_unconfined_execmem_dyntrans --> off

So, given this, I'm not sure how that relates to what you say, above.

mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
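Dominick's question ("what runs it?") is answered by the audit record itself, not by the audit2allow output: the AVC line carries the source domain and comm=, and the SYSCALL record for the same event id carries exe= and ppid=. The script below is an added example, not code from the thread; it joins the two record types on the audit event id and reports every process-class denial (execmem, getsched, ...) with the program and parent pid behind it. The audit lines are constructed samples in audit.log format (pids, timestamps and ids are made up; the MATLAB path is the one from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: for each AVC denial on the "process"
# class (execmem, getsched, ...), report the source domain, the permission,
# and the exe= / ppid= from the matching SYSCALL record, so you can see
# what actually runs in httpd_sys_script_t before writing an audit2allow
# rule. Records are joined on the id in msg=audit(<time>:<id>).
# The log lines below are constructed samples; pids and ids are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1272048000.123:4567): avc:  denied  { execmem } for  pid=2345 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1272048000.123:4567): arch=c000003e syscall=10 success=no exit=-13 ppid=2300 pid=2345 comm="MATLAB" exe="/usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB" subj=system_u:system_r:httpd_sys_script_t:s0
type=AVC msg=audit(1272048000.456:4568): avc:  denied  { getsched } for  pid=2345 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1272048001.789:4570): avc:  denied  { write } for  pid=2346 comm="java" name="tmp" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# Reads audit records on stdin; prints "<domain> <perms> comm=<c> exe=<e> ppid=<p>"
# per process-class denial ("?" where no SYSCALL record exists for that event).
explain_process_denials() {
    awk '
        function event_id(line,   m) {          # "msg=audit(1272048000.123:4567):" -> "4567"
            match(line, /msg=audit\([0-9.]+:[0-9]+\)/)
            m = substr(line, RSTART, RLENGTH); sub(/.*:/, "", m); sub(/\)/, "", m)
            return m
        }
        function field(line, key,   i, n, f, v) { # value of key=... with quotes stripped
            n = split(line, f, " ")
            for (i = 1; i <= n; i++)
                if (index(f[i], key "=") == 1) {
                    v = substr(f[i], length(key) + 2); gsub(/"/, "", v); return v
                }
            return "?"
        }
        /^type=AVC/ && /tclass=process/ {
            match($0, /\{ [^}]* \}/)             # "{ execmem }" -> "execmem"
            n++; perm[n] = substr($0, RSTART + 2, RLENGTH - 4)
            split(field($0, "scontext"), ctx, ":")   # user:role:type:level -> type
            id[n] = event_id($0); dom[n] = ctx[3]; comm[n] = field($0, "comm")
        }
        /^type=SYSCALL/ {
            e = event_id($0); exe[e] = field($0, "exe"); ppid[e] = field($0, "ppid")
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s comm=%s exe=%s ppid=%s\n", dom[i], perm[i], comm[i],
                    ((id[i] in exe) ? exe[id[i]] : "?"), ((id[i] in ppid) ? ppid[id[i]] : "?")
        }'
}

printf '%s\n' "$SAMPLE_AUDIT" | explain_process_denials
# With a real log: explain_process_denials < /var/log/audit/audit.log
```

The dir-class write denial is deliberately skipped so the listing only shows the process-class permissions that the proposed allow rule would grant.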