Ye olde "avc granted"

David A. Cafaro dac at cafaro.net
Fri Mar 29 20:40:16 UTC 2013


On 03/27/2013 04:25 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 03/26/2013 05:13 PM, m.roth at 5-cent.us wrote:
>>> m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 03/26/2013 03:27 PM, m.roth at 5-cent.us wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 03/26/2013 03:12 PM, m.roth at 5-cent.us wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> On 03/26/2013 03:08 PM, m.roth at 5-cent.us wrote:
>>>>>>>>>>
>>>>>>>>>> Got a server that's throwing a ton of avc granted, all
>>>>>>>>>> related to Matlab. I saw something via google from '06, for a
>>>>>>>>>> java thing - is there something I can use to shut this up?
>>>>>>>>>>
>>>>>>>>>> CentOS 5.9, current.
>>>>>> <snip>
>>>>>>> One hack to fix this would be to turn the boolean off and then
>>>>>>> write a custom policy module to allow unconfined_t execheap.
>>>>>>>
>>>>>>> policy_module(myunconfined, 1.0)
>>>>>>> gen_require(`
>>>>>>>   type unconfined_t;
>>>>>>> ')
>>>>>>> allow unconfined_t self:process execheap;
>>>>>>
>>> What a *pain*. As I said, I'm on CentOS 5.9, and rpm -qa | grep selinux-policy\*
>>> selinux-policy-2.4.6-327.el5
>>> selinux-policy-targeted-2.4.6-327.el5
>>>
>>> audit2allow doesn't seem to have a debug switch, and I've tried exactly
>>> what you wrote, as well as the one I posted, and checkmodule chokes on
>>> everything.
>>>
>> How does it choke?
> 
> module matlab 1.0;
> 
> require {
>    type unconfined_t;
> }
> 
> allow unconfined_t self:process execheap;
> 
> checkmodule -M -m -o matlab.mod matlab.te
> checkmodule:  loading policy configuration from matlab.te
> (unknown source)::ERROR 'unknown class process used in rule' at token ';'
> on line 7:
> allow unconfined_t self:process execheap;
> 
> checkmodule:  error(s) encountered while parsing configuration
> 
> Trying:
> policy_module(myunconfined, 1.0)
> 
> gen_require(`
>  type unconfined_t;
> ')
> 
> allow unconfined_t self:process execheap;
> 
> gets
> checkmodule -M -m -o matlab.mod matlab_dw.te
> checkmodule:  loading policy configuration from matlab_dw.te
> (unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:
> 
> 
> checkmodule:  error(s) encountered while parsing configuration
> 
>        mark


Wouldn't it work if you specified the process class in the policy file?
I'm pretty sure this should work on RHEL/CentOS 5.x; I don't have a way to
check at the moment though:

-----------------------

module matlab 1.0;
require {
	type unconfined_t;
	class process execheap;
}
allow unconfined_t self:process execheap;

------------------------

Cheers,
David
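As an added example (not David's or the list's own code), the complete build, install and verify sequence for David's raw module on CentOS 5, including the boolean step Dan mentioned; checkmodule, semodule_package, semodule and sesearch are the standard toolchain, while the boolean name allow_execheap and the working path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build, install and verify David's raw
# module on CentOS 5. Tool names are the standard policy toolchain; the
# boolean name allow_execheap and the working path are assumptions.

TE_FILE="${TE_FILE:-/tmp/matlab.te}"   # assumed working path

# Write the .te exactly as David suggests. A raw module (no refpolicy
# macros) must declare every class and permission it uses in require{},
# which is what the "unknown class process used in rule" error is about.
write_te() {
    cat > "$1" <<'EOF'
module matlab 1.0;
require {
	type unconfined_t;
	class process execheap;
}
allow unconfined_t self:process execheap;
EOF
}

# Return 0 only when the file declares the class before the rule that uses it.
te_has_class_decl() {
    decl=$(grep -n '^[[:space:]]*class process execheap;' "$1" | cut -d: -f1)
    rule=$(grep -n '^allow unconfined_t self:process execheap;' "$1" | cut -d: -f1)
    [ -n "$decl" ] && [ -n "$rule" ] && [ "$decl" -lt "$rule" ]
}

# checkmodule parses raw .te only; policy_module() and gen_require() are m4
# macros expanded by the refpolicy Makefile (/usr/share/selinux/devel/Makefile),
# hence "syntax error at token 'policy_module'" when they reach checkmodule.
build_and_install() {
    base="${1%.te}"
    checkmodule -M -m -o "$base.mod" "$1" || return 1
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    semodule -i "$base.pp"
}

# Confirm the rule is loaded (sesearch from setools), then turn off the boolean
# (assumed: allow_execheap) whose auditallow is the likely source of the
# "avc: granted" noise. Load the module first so Matlab never loses execheap.
verify_and_quiet() {
    sesearch --allow -s unconfined_t -t unconfined_t -c process -p execheap |
        grep -q execheap || return 1
    setsebool -P allow_execheap off
}

if [ "${1:-}" = "install" ]; then
    write_te "$TE_FILE" && te_has_class_decl "$TE_FILE" &&
    build_and_install "$TE_FILE" && verify_and_quiet
fi
```

Run as root with `install` as the first argument; without it the script only defines the functions.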

