On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth(a)5-cent.us wrote:
> > Date: Thu, 22 Apr 2010 22:53:01 +0200
> > From: Dominick Grift <domg472(a)gmail.com>
> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth(a)5-cent.us wrote:
>
> >> I've got the java wants to write, and execmem errors. audit2allow
> >> gives me this:
> >> allow httpd_sys_script_t self:process { execmem getsched };
<snip>
> > By allowing the second line of policy you allow all generic httpd
> > system scripts to execute anonymous memory and you allow them to set
> > schedule on its own process.
> <snip>
> Looking further: that second one, I see, is also being caused by matlab,
> which is not an unintelligent package. How serious is it to allow
> that...or is there a policy rule that's been tightened recently that
> used to allow this?
> I am not familiar with matlab but are you sure the AVC denial is related
> to matlab? Why would matlab run in the httpd generic system script
> domain? (what runs it)
Matlab is the 900 kg gorilla of serious math software. No idea why it's
running this way, I'm not the scientists running it.
> Either way httpd_sys_script_t was never allowed execmem. However if you run
> matlab in an unconfined domain (instead of the confined httpd_sys_script_t
> domain), then execmem may or may not be allowed depending on the
> allow_execmem boolean and/or the matlab executable file type.
>
Hmmm...,
ll -Z /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
-rwxr-xr-x root root system_u:object_r:bin_t /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
And yes, that's an executable binary.
getsebool -a | grep execmem
allow_execmem --> on
allow_unconfined_execmem_dyntrans --> off
So, given this, I'm not sure how that relates to what you say, above.
mark
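The question Dominick raises (what actually runs in httpd_sys_script_t and trips execmem) can be answered from the raw AVC records rather than from audit2allow's summary, which collapses every denial into one rule. The following is an added example and not part of the thread: a small POSIX sh/awk filter that prints the comm and pid of every execmem denial whose source domain matches the one you name. The audit records it ships with are constructed for the example and are not from the original poster's system; the function name execmem_offenders is an invention of this example.

```shell
#!/bin/sh
# Added example (not from the thread): find out *what* in a given SELinux
# domain is tripping execmem, straight from AVC records, so the question
# "why would matlab run in the httpd generic system script domain?" can be
# answered before any policy is written with audit2allow.
#
# The records below are constructed for this example; they are not from
# the original poster's system.
SAMPLE_AVC='type=AVC msg=audit(1272044000.123:456): avc:  denied  { execmem } for  pid=4242 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1272044001.456:457): avc:  denied  { getsched } for  pid=4242 comm="MATLAB" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1272044002.789:458): avc:  denied  { write } for  pid=4250 comm="java" name="log" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1272044003.012:459): avc:  denied  { execmem } for  pid=4300 comm="MATLAB" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# execmem_offenders DOMAIN [AUDITLOG]
#   Print "comm pid" (one per line, de-duplicated) for every AVC record that
#   denied execmem on the process class where the source domain (the third
#   field of scontext) is DOMAIN.  Reads AUDITLOG if given, e.g.
#   /var/log/audit/audit.log, otherwise the constructed sample above.
#   Limitation: a comm= value containing spaces is cut at the first space,
#   because the record is split on whitespace.
execmem_offenders() {
    domain="$1"
    log="${2:-}"
    if [ -n "$log" ]; then
        cat -- "$log"
    else
        printf '%s\n' "$SAMPLE_AVC"
    fi |
    awk -v dom="$domain" '
        # Only execmem denials on the process class.
        /denied/ && / execmem / && /tclass=process/ {
            comm = ""; pid = ""; sctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^pid=/)      { pid  = substr($i, 5) }
                if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
            }
            # scontext is user:role:type:level; the type is what policy keys on.
            n = split(sctx, parts, ":")
            if (n >= 3 && parts[3] == dom) print comm, pid
        }' | sort -u
}

# Stand-alone run: what in httpd_sys_script_t is asking for execmem?
execmem_offenders httpd_sys_script_t
```

Against the sample this prints "MATLAB 4242" for httpd_sys_script_t and "MATLAB 4300" for unconfined_t; the getsched and file-write denials are left out. Run it against /var/log/audit/audit.log as the second argument on a real box. If a MATLAB process really does show up under httpd_sys_script_t, it is being launched from a CGI or similar web-invoked script, and, as Dominick says above, the allow_execmem boolean seen via getsebool does not help there because it governs the unconfined domain, not the confined script domain.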