Ye olde "avc granted"
m.roth at 5-cent.us
Tue Mar 26 19:39:58 UTC 2013
Daniel J Walsh wrote:
> On 03/26/2013 03:27 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 03/26/2013 03:12 PM, m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 03/26/2013 03:08 PM, m.roth at 5-cent.us wrote:
>>>>>>
>>>>>> Got a server that's throwing a ton of avc granted, all related to
>>>>>> Matlab. I saw something via google from '06, for a java thing - is
>>>>>> there something I can use to shut this up?
>>>>>>
>>>>>> CentOS 5.9, current.
>> <snip>
>>>>> What do the AVC's look like?
>>>>
>>>> type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap }
>>>> for pid=22581 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0
>>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>>
>>> One hack to fix this would be to turn the boolean off and then write a
>>> custom policy module to allow unconfined_t execheap.
>>>
>>> policy_module(myunconfined, 1.0)
>>>
>>> gen_require(`
>>>     type unconfined_t;
>>> ')
>>>
>>> allow unconfined_t self:process execheap;
>>
>> Could I tell it to not audit matlab? If so, what would I tell it not to
>> audit, the executable? The libraries?
>>
> Well the problem is the boolean turns on the auditallow like in policy.
> There is no command to dontaudit. Doing the above turning off the
I can guess why: someone might get root, and issue it against their malware.
> allow_execheap boolean and then allowing unconfined_t to execheap will actually
> be more secure than what you are doing now. And will remove the aggravating
> messages.
Got it. So, should I use your code, above, or, to make it
self-documenting, would this be valid code:
module matlab 1.0;

# A plain (non-refpolicy) module uses "require", not "gen_requires", and
# must also declare the class/permission it references.
require {
    type unconfined_t;
    class process execheap;
}

allow unconfined_t self:process execheap;
Thanks, Dan.
mark
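The fix Dan outlines, as an added example that is not code from the thread: a script that writes the module source, compiles and loads it, then turns the allow_execheap boolean off so the auditallow rule stops firing. The module name, the temp-dir layout and the sesearch verification step are this example's own assumptions; build_and_load needs root on the SELinux host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes CentOS 5 with
# policycoreutils (checkmodule, semodule_package, semodule, setsebool)
# and setools (sesearch) installed. Module name is arbitrary.
set -eu

MODNAME=matlab_execheap

# Emit the raw .te source. Without the refpolicy policy_module() macro,
# the require block must name every type, class and permission used.
write_te() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type unconfined_t;
    class process execheap;
}

# Same access allow_execheap grants, minus the auditallow that logs
# every MATLAB heap execution as "avc: granted".
allow unconfined_t self:process execheap;
EOF
}

# Compile, package and load the module, then persistently disable the
# boolean whose auditallow rule produces the noise. Requires root.
build_and_load() {
    dir=$(mktemp -d)
    write_te > "${dir}/${MODNAME}.te"
    checkmodule -M -m -o "${dir}/${MODNAME}.mod" "${dir}/${MODNAME}.te"
    semodule_package -o "${dir}/${MODNAME}.pp" -m "${dir}/${MODNAME}.mod"
    semodule -i "${dir}/${MODNAME}.pp"
    setsebool -P allow_execheap off
    rm -rf "${dir}"
}

# Confirm the explicit allow rule is present in the loaded policy before
# relying on it; exits non-zero if no matching rule is found.
verify() {
    sesearch --allow -s unconfined_t -t unconfined_t -c process -p execheap \
        | grep -q execheap
}
```

Run write_te alone first to inspect the generated source; call build_and_load and then verify once you are satisfied with it.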