Ye olde "avc granted"

Jean-David Beyer jeandavid8 at verizon.net
Thu Mar 28 23:39:19 UTC 2013


On 03/28/2013 05:27 PM, m.roth at 5-cent.us wrote:
> Jean-David Beyer wrote:
>> On 03/27/2013 04:39 PM, Daniel J Walsh wrote:
>>> On 03/27/2013 04:25 PM, m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 03/26/2013 05:13 PM, m.roth at 5-cent.us wrote:
>>>>>> m.roth at 5-cent.us wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 03/26/2013 03:27 PM, m.roth at 5-cent.us wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 03/26/2013 03:12 PM, m.roth at 5-cent.us wrote:
>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>> On 03/26/2013 03:08 PM, m.roth at 5-cent.us wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Got a server that's throwing a ton of avc
>>>>>>>>>>>>> granted, all related to Matlab. I saw
>>>>>>>>>>>>> something via google from '06, for a java thing
>>>>>>>>>>>>> - is there something I can use to shut this
>>>>>>>>>>>>> up?
>>>>>>>>>>>>>
>>>>>>>>>>>>> CentOS 5.9, current.
>>>>>>>>> <snip>
>>>>>>>>>> One hack to fix this would be to turn the boolean
>>>>>>>>>> off and then write a custom policy module to allow
>>>>>>>>>> unconfined_t execheap.
>>>>>>>>>>
>>>>>>>>>> policy_module(myunconfined, 1.0)
>>>>>>>>>> gen_require(` type unconfined_t; ')
>>>>>>>>>> allow unconfined_t self:process execheap;
>>>>>>>>>
>>>>>> What a *pain*. As I said, I'm on CentOS 5.9, and
>>>>>> rpm -qa | grep selinux-policy\*
>>>>>> selinux-policy-2.4.6-327.el5
>>>>>> selinux-policy-targeted-2.4.6-327.el5
>>>>>>
>>>>>> audit2allow doesn't seem to have a debug switch, and I've
>>>>>> tried exactly what you wrote, as well as the one I posted,
>>>>>> and checkmodule chokes on everything.
>>>>>>
>>>>> How does it choke?
>>>
>>>> module matlab 1.0;
>>>
>>>> require { type unconfined_t; }
>>>
>>>> allow unconfined_t self:process execheap;
>>>
>>>> checkmodule -M -m -o matlab.mod matlab.te
>>>> checkmodule:  loading policy configuration from matlab.te
>>>> (unknown source)::ERROR 'unknown class process used in rule' at token ';' on line 7:
>>>> allow unconfined_t self:process execheap;
>>>
>>>> checkmodule:  error(s) encountered while parsing configuration
>>>
>>>> Trying: policy_module(myunconfined, 1.0)
>>>
>>>> gen_require(` type unconfined_t; ')
>>>
>>>> allow unconfined_t self:process execheap;
>>>
>>>> gets
>>>> checkmodule -M -m -o matlab.mod matlab_dw.te
>>>> checkmodule:  loading policy configuration from matlab_dw.te
>>>> (unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:
>>>
>>>> checkmodule:  error(s) encountered while parsing configuration
>>>
>>> Try with the make file
>>>
>>> make -f /usr/share/selinux/devel/Makefile
>>>
>>> (If this exists on RHEL5.)
>>
>> It does in RHEL6
> 
> Not in 5.9.
> 
>       mark
> 
> 
I do not have RHEL5.9, but I do have CentOS5.9 and it has it.
Are Red Hat and CentOS that different?

[/etc]$ cat redhat-release
CentOS release 5.9 (Final)
[/etc]$ rpm -qf /usr/share/selinux/devel/Makefile
selinux-policy-devel-2.4.6-338.el5
[/etc]$ ls -l /usr/share/selinux/devel/Makefile
 1 root root 416 Jan  9 05:36 /usr/share/selinux/devel/Makefile
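
The two checkmodule failures quoted above, as an added example that is not part of the original thread: a raw module needs the class declared in its require block, and a module written with refpolicy macros has to go through the devel Makefile. The function names are hypothetical, the sample policy is constructed from the rule in the thread, and the class check assumes one class per allow rule.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample policy is constructed.

# Raw module for checkmodule: the require block must declare the class and
# permission used in the rule, not only the type.
write_raw_module() {
    cat > "$1" <<'EOF'
module matlab 1.0;

require {
        type unconfined_t;
        class process execheap;
}

allow unconfined_t self:process execheap;
EOF
}

# "macro" = refpolicy m4 macros, which plain checkmodule cannot parse.
te_flavor() {
    if grep -Eq '^[[:space:]]*(policy_module|gen_require)\(' "$1"; then
        echo macro
    else
        echo raw
    fi
}

# Raw modules only: classes used in allow rules but never declared
# (assumes one class per rule, no { ... } class sets).
missing_classes() {
    used=$(sed -n 's/^[[:space:]]*allow[^:]*:[[:space:]]*\([a-z0-9_]*\).*/\1/p' "$1" | sort -u)
    for c in $used; do
        grep -Eq "(^|[[:space:];{])class[[:space:]]+${c}[[:space:]]" "$1" || echo "$c"
    done
}

# Run from the directory holding NAME.te; produces NAME.pp for semodule -i.
build_module() {
    name=$(basename "$1" .te)
    if [ "$(te_flavor "$1")" = macro ]; then
        make -f /usr/share/selinux/devel/Makefile "$name.pp"
    else
        checkmodule -M -m -o "$name.mod" "$1" &&
            semodule_package -o "$name.pp" -m "$name.mod"
    fi
}
```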