Re: Ye olde "avc granted"

m.roth@xxxxxxxxx · Wed, 27 Mar 2013 16:25:15 -0400



Daniel J Walsh wrote:
> On 03/26/2013 05:13 PM, m.roth@xxxxxxxxx wrote:
>> m.roth@xxxxxxxxx wrote:
>>> Daniel J Walsh wrote:
>>>> On 03/26/2013 03:27 PM, m.roth@xxxxxxxxx wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 03/26/2013 03:12 PM, m.roth@xxxxxxxxx wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 03/26/2013 03:08 PM, m.roth@xxxxxxxxx wrote:
>>>>>>>>>
>>>>>>>>> Got a server that's throwing a ton of avc granted, all
>>>>>>>>> related to Matlab. I saw something via google from '06, for a
>>>>>>>>> java thing - is there something I can use to shut this up?
>>>>>>>>>
>>>>>>>>> CentOS 5.9, current.
>>>>> <snip>
>>>>>> One hack to fix this would be to turn the boolean off and then
>>>>>> write a custom policy module to allow unconfined_t execheap.
>>>>>>
>>>>>> policy_module(myunconfined, 1.0) gen_require(` type unconfined_t;
>>>>>> ') allow unconfined_t self:process execheap;
>>>>>
>> What a *pain*. As I said, I'm on CentOS 5.9, and rpm -qa | grep
>> selinux-policy\* selinux-policy-2.4.6-327.el5
>> selinux-policy-targeted-2.4.6-327.el5
>>
>> audit2allow doesn't seem to have a debug switch, and I've tried exactly
>> what you wrote, as well as the one I posted, and checkmodule chokes on
>> everything.
>>
> How does it choke?

module matlab 1.0;

require {
   type unconfined_t;
}

allow unconfined_t self:process execheap;

checkmodule -M -m -o matlab.mod matlab.te
checkmodule:  loading policy configuration from matlab.te
(unknown source)::ERROR 'unknown class process used in rule' at token ';'
on line 7:
allow unconfined_t self:process execheap;

checkmodule:  error(s) encountered while parsing configuration

Trying:
policy_module(myunconfined, 1.0)

gen_require(`
 type unconfined_t;
')

allow unconfined_t self:process execheap;

gets
checkmodule -M -m -o matlab.mod matlab_dw.te
checkmodule:  loading policy configuration from matlab_dw.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:


checkmodule:  error(s) encountered while parsing configuration

       mark


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux