Re: Impact?

On Fri, Apr 23, 2010 at 03:43:50PM -0400, m.roth@xxxxxxxxx wrote:
> > On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@xxxxxxxxx wrote:
> >> > Date: Thu, 22 Apr 2010 22:53:01 +0200
> >> > From: Dominick Grift <domg472@xxxxxxxxx>
> >> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@xxxxxxxxx wrote:
> >>
> >> >> I've got the java wants to write, and execmem errors. audit2allow
> >> >> gives me this:
> 
> >> >> allow httpd_sys_script_t self:process { execmem getsched };
> <snip>
> >> > By allowing the second line of policy you allow all generic httpd
> >> > system scripts to execute anonymous memory and you allow them to set
> >> > schedule on its own process.
> >> <snip>
> >> Looking further: that second one, I see, is also being caused by matlab,
> >> which is not an unintelligent package. How serious is it to allow
> >> that...or is there a policy rule that's been tightened recently that
> >> used to allow this?
> >
> > I am not familiar with matlab but are you sure the AVC denial is related
> > to matlab? Why would matlab run in the httpd generic system script
> > domain?(what runs it)
> 
> Matlab is the 900 kg gorilla of serious math software. No idea why it's
> running this way, I'm not the scientists running it.
> >
> > Either way, httpd_sys_script_t was never allowed execmem. However, if you run
> > matlab in an unconfined domain (instead of the confined httpd_sys_script_t
> > domain), then execmem may or may not be allowed depending on the
> > allow_execmem boolean and/or the matlab executable file type.
> >>
> Hmmm...,
> ll -Z /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
> -rwxr-xr-x  root root system_u:object_r:bin_t
> /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
> 
> And yes, that's an executable binary.

Basically if you say the following vector related to matlab:

allow httpd_sys_script_t self:process { execmem setsched };

That would mean that matlab is not run by a user but by a process that was started by httpd_t or a generic httpd system script or by a program that was started by a generic httpd system script.

So question then would be what started matlab in that context and maybe even what started the process that started matlab in that context or what started the process that started the process that started the matlab process. (lol)

The AVC denial has information that can answer these questions.

> 
> getsebool -a | grep execmem
> allow_execmem --> on
> allow_unconfined_execmem_dyntrans --> off
> 
> So, given this, I'm not sure how that relates to what you say, above.
> 
>         mark
> 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
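The follow-up Dominick suggests, reading the AVC record to see which process hit execmem/setsched while running in httpd_sys_script_t, as an added example that is not part of this thread: a small Python parser run over constructed AVC lines (sample records, not real audit output; the pid/comm values are made up).

```python
import re

# Constructed sample AVC records in the kernel audit line layout. Not real
# audit output; pids, timestamps and comm values are invented for the example.
SAMPLE_AVC = """\
type=AVC msg=audit(1272052980.101:201): avc:  denied  { execmem } for  pid=4321 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1272052980.102:202): avc:  denied  { setsched } for  pid=4321 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1272052981.500:203): avc:  denied  { write } for  pid=4330 comm="java" name="logs" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1272052982.000:204): avc:  denied  { execmem } for  pid=5000 comm="MATLAB" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Memory-execution permissions on self:process that a confined web script
# domain should not normally need.
RISKY_PROCESS_PERMS = {'execmem', 'execstack', 'execheap', 'setsched'}

def parse_avc(line):
    """Return a dict of the AVC fields (perms as a list, sdomain = source type), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # scontext looks like user:role:type:level; the type is the domain.
    rec['sdomain'] = rec['scontext'].split(':')[2]
    return rec

def flag_script_domain_execmem(log, domain='httpd_sys_script_t'):
    """Map (pid, comm) -> set of risky process perms denied while running in `domain`.

    The pid is what you then feed back into ausearch (e.g. `ausearch -p <pid>`)
    to pull the matching SYSCALL record with exe= and ppid=, which answers
    "what started it" one level at a time.
    """
    hits = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['sdomain'] != domain or rec.get('tclass') != 'process':
            continue
        risky = set(rec['perms']) & RISKY_PROCESS_PERMS
        if risky:
            hits.setdefault((rec['pid'], rec['comm']), set()).update(risky)
    return hits

if __name__ == '__main__':
    for (pid, comm), perms in flag_script_domain_execmem(SAMPLE_AVC).items():
        print(f"pid={pid} comm={comm} denied {sorted(perms)} in httpd_sys_script_t")
```

The unconfined_t MATLAB record is deliberately ignored: as noted above, execmem there is governed by allow_execmem and the file type, not by the script-domain policy.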
