On 03/28/2013 08:34 PM, mark wrote:
> On 03/28/13 19:39, Jean-David Beyer wrote:
>> On 03/28/2013 05:27 PM, m.roth@xxxxxxxxx wrote:
>>> Jean-David Beyer wrote:
>>>> On 03/27/2013 04:39 PM, Daniel J Walsh wrote:
>>>>> On 03/27/2013 04:25 PM, m.roth@xxxxxxxxx wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 03/26/2013 05:13 PM, m.roth@xxxxxxxxx wrote:
>>>>>>>> m.roth@xxxxxxxxx wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 03/26/2013 03:27 PM, m.roth@xxxxxxxxx wrote:
>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>> On 03/26/2013 03:12 PM, m.roth@xxxxxxxxx wrote:
>>>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>>>> On 03/26/2013 03:08 PM, m.roth@xxxxxxxxx wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Got a server that's throwing a ton of avc
>>>>>>>>>>>>>>> granted, all related to Matlab. I saw
>>>>>>>>>>>>>>> something via google from '06, for a java thing
>>>>>>>>>>>>>>> - is there something I can use to shut this
>>>>>>>>>>>>>>> up?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> CentOS 5.9, current.
>>>>>>>>>>> <snip>
>>>>>>>>>>>> One hack to fix this would be to turn the boolean
>>>>>>>>>>>> off and then write a custom policy module to allow
>>>>>>>>>>>> unconfined_t execheap.
>>>>>>>>>>>>
>>>>>>>>>>>> policy_module(myunconfined, 1.0) gen_require(` type
>>>>>>>>>>>> unconfined_t; ') allow unconfined_t self:process
>>>>>>>>>>>> execheap;
>>>>>>>>>>>
>>>>>>>> What a *pain*. As I said, I'm on CentOS 5.9, and rpm -qa |
>>>>>>>> grep selinux-policy\* selinux-policy-2.4.6-327.el5
>>>>>>>> selinux-policy-targeted-2.4.6-327.el5
>>>>>>>>
>>>>>>>> audit2allow doesn't seem to have a debug switch, and I've
>>>>>>>> tried exactly what you wrote, as well as the one I posted,
>>>>>>>> and checkmodule chokes on everything.
>>>>>>>>
>>>>>>> How does it choke?
>>>>>
>>>>>> module matlab 1.0;
>>>>>
>>>>>> require { type unconfined_t; }
>>>>>
>>>>>> allow unconfined_t self:process execheap;
>>>>>
>>>>>> checkmodule -M -m -o matlab.mod matlab.te checkmodule: loading
>>>>>> policy configuration from matlab.te (unknown source)::ERROR
>>>>>> 'unknown class process used in rule' at token ';' on line 7:
>>>>>> allow unconfined_t self:process execheap;
>>>>>
>>>>>> checkmodule: error(s) encountered while parsing configuration
>>>>>
>>>>>> Trying: policy_module(myunconfined, 1.0)
>>>>>
>>>>>> gen_require(` type unconfined_t; ')
>>>>>
>>>>>> allow unconfined_t self:process execheap;
>>>>>
>>>>>> gets checkmodule -M -m -o matlab.mod matlab_dw.te checkmodule:
>>>>>> loading policy configuration from matlab_dw.te (unknown
>>>>>> source)::ERROR 'syntax error' at token 'policy_module' on line
>>>>>> 1:
>>>>>
>>>>>> checkmodule: error(s) encountered while parsing configuration
>>>>>
>>>>> Try with the make file
>>>>>
>>>>> make -f /usr/share/selinux/devel/Makefile
>>>>>
>>>>> (If this exists on RHEL5.)
>>>>
>>>> It does in RHEL6
>>>
>>> Not in 5.9.
>>>
>> I do not have RHEL5.9, but I do have CentOS5.9 and it has it.
>> Are Red Hat and CentOS that different?
>
> Not at all: CentOS removed proprietary material, and recompiles from
> RHEL source. That is, in fact, what I'm running.
>
> mark
>
Then I do not understand why you said (unless I misunderstood) that this
was not in 5.9. Since it is in my 5.9, and I sure did not make a special
effort to get it because I do not even run SELinux on that machine.

Where am I misunderstanding?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
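
Added example, not part of the thread: a shell triage for the two checkmodule errors quoted above, run on sample files constructed from the quoted sources. It assumes the usual cause of each error: a raw module must declare every object class it uses inside `require { }`, and `policy_module()`/`gen_require()` are m4 macros that checkmodule does not parse, so that form is built through the devel Makefile. All function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed samples: the two sources quoted in the thread, written to DIR.
write_samples() {
    printf '%s\n' 'module matlab 1.0;' '' 'require {' '    type unconfined_t;' \
        '}' '' 'allow unconfined_t self:process execheap;' > "$1/matlab.te"
    printf '%s\n' 'policy_module(myunconfined, 1.0)' 'gen_require(`' \
        '    type unconfined_t;' "')" \
        'allow unconfined_t self:process execheap;' > "$1/matlab_dw.te"
}

# refpolicy = m4 macro source (needs the devel Makefile); raw = checkmodule input.
te_kind() {
    if grep -q '^[[:space:]]*policy_module(' "$1"; then echo refpolicy
    elif grep -q '^[[:space:]]*module[[:space:]]' "$1"; then echo raw
    else echo unknown; fi
}

# Raw sources only: classes used in simple "allow S T:CLASS PERM;" rules that
# have no "class CLASS ..." line inside a multi-line require { } block.
# Clearing a finding means adding e.g. "class process execheap;" to require.
missing_classes() {
    awk '
        $1 == "require"          { inreq = 1 }
        inreq && $1 == "class"   { declared[$2] = 1 }
        inreq && /[}]/           { inreq = 0 }
        $1 == "allow"            { split($3, tc, ":"); used[tc[2]] = 1 }
        END { for (c in used) if (!(c in declared)) print c }
    ' "$1" | sort
}

# Print (do not run) the build command that matches the source type.
build_cmd() {
    case "$(te_kind "$1")" in
        refpolicy) echo "make -f /usr/share/selinux/devel/Makefile $(basename "$1" .te).pp" ;;
        raw)       echo "checkmodule -M -m -o ${1%.te}.mod $1" ;;
        *)         echo "unrecognised policy source: $1" >&2; return 1 ;;
    esac
}

# Demo on the constructed samples.
d=$(mktemp -d)
write_samples "$d"
for f in "$d"/*.te; do
    echo "$(basename "$f"): $(te_kind "$f") -> $(build_cmd "$f")"
    if [ "$(te_kind "$f")" = raw ]; then
        echo "  undeclared classes: $(missing_classes "$f")"
    fi
done
rm -rf "$d"
```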