Ye olde "avc granted"
Daniel J Walsh
dwalsh at redhat.com
Tue Mar 26 19:32:58 UTC 2013
On 03/26/2013 03:27 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 03/26/2013 03:12 PM, m.roth at 5-cent.us wrote:
>>> Daniel J Walsh wrote:
>>>> On 03/26/2013 03:08 PM, m.roth at 5-cent.us wrote:
>>>>> Hi, folks,
>>>>>
>>>>> Got a server that's throwing a ton of avc granted, all related to
>>>>> Matlab. I saw something via google from '06, for a java thing - is
>>>>> there something I can use to shut this up?
>>>>>
>>>>> CentOS 5.9, current.
> <snip>
>>>> What do the AVC's look like?
>>>
>>> type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap }
>>> for pid=22581 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0
>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>
>> One hack to fix this would be to turn the boolean off and then write a
>> custom policy module to allow unconfined_t execheap.
>>
>> policy_module(myunconfined, 1.0)
>> gen_require(`
>>     type unconfined_t;
>> ')
>> allow unconfined_t self:process execheap;
>
> Could I tell it to not audit matlab? If so, what would I tell it not to
> audit, the executable? The libraries?
>
> mark
>
Well, the problem is the boolean turns on the auditallow like in policy. There
is no command to dontaudit. Doing the above, turning off the allow_execheap
boolean and then allowing unconfined_t to execheap, will actually be more
secure than what you are doing now, and will remove the aggravating messages.
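To check which auditallow rules are producing the "avc: granted" records before and after the change discussed in this thread, the following Python sketch tallies granted records from audit log lines. It is an added example, not code from any poster in the thread; the first sample line is the record quoted above joined onto one line, and the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Record layout as quoted in the thread:
#   type=AVC msg=audit(<epoch>:<serial>): avc: granted|denied { perms } for key=value ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # SELinux context is user:role:type:level; the type is the third field.
    rec['source_type'] = rec.get('scontext', ':::').split(':')[2]
    return rec

def summarize_granted(lines):
    """Count 'granted' (auditallow) records per (source type, class, perm, comm)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'granted':
            for perm in rec['perms']:
                key = (rec['source_type'], rec.get('tclass'), perm, rec.get('comm'))
                counts[key] += 1
    return counts

UNCONF = 'user_u:system_r:unconfined_t:s0'
SAMPLE = [
    # Record quoted in the thread, joined onto one line.
    'type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap } for '
    f'pid=22581 comm="MATLAB" scontext={UNCONF} tcontext={UNCONF} tclass=process',
    # Constructed sample lines below.
    'type=AVC msg=audit(1364322745.001:646079): avc:  granted  { execheap } for  '
    f'pid=22590 comm="MATLAB" scontext={UNCONF} tcontext={UNCONF} tclass=process',
    'type=AVC msg=audit(1364322750.101:646080): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1364322750.101:646080): arch=c000003e syscall=2',
]

if __name__ == '__main__':
    for key, n in summarize_granted(SAMPLE).most_common():
        print(n, *key)
```

An empty summary after the boolean is turned off and the module is loaded indicates the auditallow rule is no longer firing.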