On 05/27/2009 06:06 AM, Ioannis Aslanidis wrote:
Hello,
I am trying to allow the following audit message through, but it says
that there is a violation. Can anyone explain what exactly is going on?
Thank you,
Ioannis
# cat messages.audit
May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc:
denied { mmap_zero } for pid=3155 comm="glusterfs2"
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=memprotect
# cat selinuxglusterfs.te
module selinuxglusterfs 1.0;
require {
type mount_t;
class memprotect mmap_zero;
}
#============= mount_t ==============
allow mount_t self:memprotect mmap_zero;
Adding
domain_mmap_low_type(mount_t)
will make this problem go away. But I don't believe glusterfs should be
causing the mount command to need to mmap_zero. Seems like a kernel
problem.
# semodule -i selinuxglusterfs.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
mount_t mount_t:memprotect { mmap_zero };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
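Why semodule rejects the rule, as an added example that is not code from this thread or from the policy sources: it parses the denial above and models the policy assertion (neverallow) that the `libsepol.check_assertion_helper` error refers to. The attribute name `mmap_low_domain_type` and the exact shape of the assertion are assumptions about what `domain_mmap_low_type()` assigns; `triage` and the type-to-attribute map are hypothetical helpers.

```python
import re

# The denial from the post, joined onto one line (it was wrapped in the e-mail).
AVC = ('May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc: '
       'denied { mmap_zero } for pid=3155 comm="glusterfs2" '
       'scontext=system_u:system_r:mount_t:s0 '
       'tcontext=system_u:system_r:mount_t:s0 tclass=memprotect')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group('scon').split(':')[2]   # context is user:role:type[:level]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

# ASSUMPTION: the assertion forbids "self:memprotect mmap_zero" for every
# domain that does not carry this exemption attribute.
EXEMPT_ATTR = 'mmap_low_domain_type'

def violates_assertion(rule, attrs_by_type):
    """True if an allow rule built from this denial would trip the assertion."""
    stype, ttype, tclass, perms = rule
    if stype != ttype or tclass != 'memprotect' or 'mmap_zero' not in perms:
        return False
    return EXEMPT_ATTR not in attrs_by_type.get(stype, set())

def triage(line, attrs_by_type):
    """Classify a log line by what would happen to an audit2allow-style rule."""
    rule = parse_avc(line)
    if rule is None:
        return 'not an AVC denial'
    # A plain allow rule never satisfies the assertion; only the attribute does.
    return 'rejected' if violates_assertion(rule, attrs_by_type) else 'loadable'

if __name__ == '__main__':
    print(triage(AVC, {'mount_t': {'domain'}}))               # module as posted
    print(triage(AVC, {'mount_t': {'domain', EXEMPT_ATTR}}))  # with the attribute
```
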