On Tue, Jun 08, 2010 at 11:13:07AM +0100, Frank Murphy wrote: > On 07/06/10 18:38, Frank Murphy wrote: > --snip-- > > > Then reproduce. To go back to hidding hidden denials: semodule -B > >> > >> Does it work in permissive mode? > >>> > > > > Have now set permissive on clamd & clamscan. > > Will let you know result tomorrow. > > > My bad it's a cron warning, not from logwatch. > > > Still getting below with "Selinux Manager > process domain > clamd > clamscan permissive" Looks like a bug in policy. only clamd_t is allowed to execmem when clamd_use_jit is set. clamscan_t is not included in this boolean. Please consider reporting this bug to fedora bugzilla. Please include that avc denial ( there should be an avc denial if it is really clamscan that needs the execmem like you seem to suggest. if true you can also include the fix: tunable_policy(`clamd_use_jit',` allow clamscan_t self:process execmem; ',` dontaudit clamscan_t self:process execmem; ') > > libclamav JIT: Can't allocate RWX Memory: Permission denied > libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P > clamd_use_jit on' to allow access > libclamav JIT: falling back to interpreter mode > libclamav JIT: Can't allocate RWX Memory: Permission denied > libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P > clamd_use_jit on' to allow access > libclamav JIT: falling back to interpreter mode > > > > -- > Regards, > > Frank Murphy > UTF_8 Encoded > Friend of Fedora > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
pgp0yaq2L7PSu.pgp
Description: PGP signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
