Daniel J Walsh wrote:
> On 03/26/2013 03:27 PM, m.roth@xxxxxxxxx wrote:
>> Daniel J Walsh wrote:
>>> On 03/26/2013 03:12 PM, m.roth@xxxxxxxxx wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 03/26/2013 03:08 PM, m.roth@xxxxxxxxx wrote:
>>>>>>
>>>>>> Got a server that's throwing a ton of avc granted, all related to
>>>>>> Matlab. I saw something via google from '06, for a java thing - is
>>>>>> there something I can use to shut this up?
>>>>>>
>>>>>> CentOS 5.9, current.
>> <snip>
>>>>> What do the AVC's look like?
>>>>
>>>> type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap }
>>>> for pid=22581 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0
>>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>>
>>> One hack to fix this would be to turn the boolean off and then write a
>>> custom policy module to allow unconfined_t execheap.
>>>
>>> policy_module(myunconfined, 1.0)
>>> gen_require(`
>>>     type unconfined_t;
>>> ')
>>> allow unconfined_t self:process execheap;
>>
>> Could I tell it to not audit matlab? If so, what would I tell it not to
>> audit, the executable? The libraries?
>>
> Well the problem is the boolean turns on the auditallow like in policy.
> There is no command to dontaudit. Doing the above turning off the

I can guess why: someone might get root, and issue it against their malware.

> allow_execheap boolean and then allowing unconfined_t to execheap will actually
> be more secure than what you are doing now. And will remove the aggravating
> messages.

Got it. So, should I use your code, above, or, to make it self-documenting,
would this be valid code:

module matlab 1.0;
gen_requires {
    type unconfined_t;
}
allow unconfined_t self:process execheap;

Thanks, Dan.

     mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
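The two steps Dan describes (turn the allow_execheap boolean off, then load a custom module that grants unconfined_t execheap) as one script. This is an added example, not code from the thread or from the Fedora/CentOS policy; it uses Dan's reference-policy syntax, which is what the selinux-policy-devel Makefile compiles. The module name myunconfined, the build directory under /tmp, the path /usr/share/selinux/devel/Makefile and the need for root at install time are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate, build and load a
# tiny SELinux policy module that grants unconfined_t the execheap permission,
# then turn off the allow_execheap boolean so the auditallow rule tied to that
# boolean stops producing "avc: granted { execheap }" records.
# Assumed: selinux-policy-devel installed (Makefile path below) and root for
# the install step. The module name is arbitrary.

MODULE_NAME="myunconfined"
WORKDIR="${WORKDIR:-/tmp/${MODULE_NAME}-build}"

# Emit the reference-policy source for the module. gen_require() declares a
# type the module uses but does not define; the allow rule is the only access
# granted, so the module is as narrow as the boolean's effect but silent.
te_source() {
    cat <<EOF
policy_module(${MODULE_NAME}, 1.0)

gen_require(\`
	type unconfined_t;
')

# Let unconfined processes make their heap executable without the
# audit-on-success rule that the allow_execheap boolean carries.
allow unconfined_t self:process execheap;
EOF
}

# Write the .te file into WORKDIR and print its path.
write_te() {
    mkdir -p "$WORKDIR" || return 1
    te_source > "$WORKDIR/$MODULE_NAME.te" || return 1
    printf '%s\n' "$WORKDIR/$MODULE_NAME.te"
}

# Count the allow rules in the generated source; a module this narrow should
# grant exactly one thing, which is a cheap sanity check before loading it.
allow_rule_count() {
    te_source | grep -c '^allow '
}

# Build with the reference-policy Makefile, install the .pp, flip the boolean,
# and show the result. Only runs when invoked as "sh script.sh install".
install_module() {
    write_te >/dev/null || return 1
    ( cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile "$MODULE_NAME.pp" ) || return 1
    semodule -i "$WORKDIR/$MODULE_NAME.pp" || return 1
    setsebool -P allow_execheap off || return 1
    # Confirm the module is loaded and the boolean is off.
    semodule -l | grep "^$MODULE_NAME" && getsebool allow_execheap
}

if [ "${1:-}" = "install" ]; then
    install_module
fi
```

Run it as `sh script.sh install` on the affected host; without the argument it only defines the functions. After loading, new granted-execheap records for unconfined_t should stop appearing in the audit log, while the heap-execution decision itself is unchanged from what the boolean allowed.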