On 03/26/2013 03:27 PM, m.roth@xxxxxxxxx wrote:
> Daniel J Walsh wrote:
>> On 03/26/2013 03:12 PM, m.roth@xxxxxxxxx wrote:
>>> Daniel J Walsh wrote:
>>>> On 03/26/2013 03:08 PM, m.roth@xxxxxxxxx wrote:
>>>>> Hi, folks,
>>>>>
>>>>> Got a server that's throwing a ton of avc granted, all related to
>>>>> Matlab. I saw something via google from '06, for a java thing - is
>>>>> there something I can use to shut this up?
>>>>>
>>>>> CentOS 5.9, current.
> <snip>
>>>> What do the AVCs look like?
>>>
>>> type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap }
>>> for pid=22581 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0
>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>
>> One hack to fix this would be to turn the boolean off and then write a
>> custom policy module to allow unconfined_t execheap.
>>
>> policy_module(myunconfined, 1.0)
>> gen_require(`
>>     type unconfined_t;
>> ')
>> allow unconfined_t self:process execheap;
>
> Could I tell it to not audit matlab? If so, what would I tell it not to
> audit, the executable? The libraries?
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Well, the problem is the boolean turns on the auditallow like in policy.
There is no command to dontaudit. Doing the above, turning off the
allow_execheap boolean and then allowing unconfined_t to execheap, will
actually be more secure than what you are doing now, and will remove the
aggravating messages.
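An added example, not part of the original thread: a small parser for the AVC record format quoted above that tallies "granted" records by command, source domain, class and permission, so the same tally can be compared before and after the boolean is swapped for the custom module. The first sample line is the record from the thread joined onto one line; the other lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Line 1 is the record quoted in the thread; lines 2-4 are constructed samples.
SAMPLE_LOG = [
    'type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap } for pid=22581 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1364322745.101:646079): avc: granted { execheap } for pid=22590 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1364322750.220:646090): avc: denied { read } for pid=3011 comm="httpd" name="index.html" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1364322750.220:646090): arch=c000003e syscall=2 success=no exit=-13',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def summarize_granted(lines):
    """Count granted records per (comm, source type, tclass, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "granted":
            continue
        # SELinux context is user:role:type:level; the type is field 3.
        source_type = rec["scontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(rec.get("comm"), source_type, rec.get("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_granted(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feeding it the real audit log instead of SAMPLE_LOG shows whether the granted records are limited to the execheap case discussed in the thread.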