Selinux - Clamav
Dominick Grift
domg472 at gmail.com
Tue Jun 8 13:10:56 UTC 2010
On Tue, Jun 08, 2010 at 11:13:07AM +0100, Frank Murphy wrote:
> On 07/06/10 18:38, Frank Murphy wrote:
> --snip--
>
> > Then reproduce. To go back to hidding hidden denials: semodule -B
> >>
> >> Does it work in permissive mode?
> >>>
> >
> > Have now set permissive on clamd & clamscan.
> > Will let you know result tomorrow.
> >
> My bad it's a cron warning, not from logwatch.
>
>
> Still getting below with "Selinux Manager > process domain > clamd
> clamscan permissive"
Looks like a bug in policy. only clamd_t is allowed to execmem when clamd_use_jit is set.
clamscan_t is not included in this boolean. Please consider reporting this bug to fedora bugzilla.
Please include that avc denial ( there should be an avc denial if it is really clamscan that needs the execmem like you seem to suggest. if true you can also include the fix:
tunable_policy(`clamd_use_jit',`
allow clamscan_t self:process execmem;
',`
dontaudit clamscan_t self:process execmem;
')
>
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
> clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
> clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
>
>
>
> --
> Regards,
>
> Frank Murphy
> UTF_8 Encoded
> Friend of Fedora
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100608/e5e1a5ed/attachment.bin
More information about the selinux
mailing list