On Wed, May 27, 2009 at 7:28 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 05/27/2009 06:06 AM, Ioannis Aslanidis wrote:
>>
>> Hello,
>>
>> I am trying to allow the following audit message through, but it says
>> that there is a violation. Can anyone explain what exactly is going on?
>>
>> Thank you,
>>
>> Ioannis
>>
>> # cat messages.audit
>> May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc:
>> denied { mmap_zero } for pid=3155 comm="glusterfs2"
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:system_r:mount_t:s0 tclass=memprotect
>>
>>
>> # cat selinuxglusterfs.te
>>
>> module selinuxglusterfs 1.0;
>>
>> require {
>> type mount_t;
>> class memprotect mmap_zero;
>> }
>>
>> #============= mount_t ==============
>> allow mount_t self:memprotect mmap_zero;
>>
> Add
> domain_mmap_low_type(mount_t)
> Will make this problem go away. But I don't believe glusterfs should be
> causing the mount command to need to mmap_zero. Seems like a kernel
> problem.

Come on now, don't blame the kernel for enforcing things. If I had to guess the mount command is calling a helper application which is stupidly doing mmap(NULL, MAP_FIXED ....)

And it is this mount helper program that should be fixed. Do you have an /sbin/mount.glusetfs ?

You very very very likely don't need this permission, you need to fix the app....

-Eric
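
The difference between the two mmap() call shapes discussed in this thread, as an added example that is not part of the original messages and is not taken from glusterfs. The function names `map_anywhere` and `map_fixed_at_zero` are hypothetical; the second one reproduces the pattern that makes the kernel check `mmap_zero`.

```c
/* Added example (not from the thread): NULL as a hint vs. NULL with MAP_FIXED. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Correct pattern: addr == NULL without MAP_FIXED lets the kernel pick the
 * address. Returns the mapped address, or NULL on failure. */
static void *map_anywhere(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Buggy pattern: with MAP_FIXED, NULL is a literal request for address 0.
 * Returns 0 if the kernel refused (errno stored in *err), or 1 if page zero
 * was really mapped (the caller is privileged or the policy allows it). */
static int map_fixed_at_zero(size_t len, int *err)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    *err = 0;
    munmap(p, len);   /* p is address 0 here; unmap it again immediately */
    return 1;
}

int main(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int err = 0;
    void *p = map_anywhere(len);

    printf("hint mapping placed at: %p\n", p);
    if (p)
        munmap(p, len);
    if (map_fixed_at_zero(len, &err))
        printf("MAP_FIXED at 0: page zero was mapped\n");
    else
        printf("MAP_FIXED at 0: refused (%s)\n", strerror(err));
    return 0;
}
```

On a system with `vm.mmap_min_addr` set, or in an SELinux domain without `mmap_zero`, the second call is the one that is refused; dropping `MAP_FIXED` in the helper removes the need for the permission.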