On Tue, Jun 08, 2010 at 11:13:07AM +0100, Frank Murphy wrote:
On 07/06/10 18:38, Frank Murphy wrote:
--snip--
> Then reproduce. To go back to hidding hidden denials: semodule -B
>>
>> Does it work in permissive mode?
>>>
>
> Have now set permissive on clamd & clamscan.
> Will let you know result tomorrow.
>
My bad it's a cron warning, not from logwatch.
Still getting below with "Selinux Manager > process domain > clamd
clamscan permissive"
Looks like a bug in policy. only clamd_t is allowed to execmem when clamd_use_jit is set.
clamscan_t is not included in this boolean. Please consider reporting this bug to fedora
bugzilla.
Please include that avc denial ( there should be an avc denial if it is really clamscan
that needs the execmem like you seem to suggest. if true you can also include the fix:
tunable_policy(`clamd_use_jit',`
allow clamscan_t self:process execmem;
',`
dontaudit clamscan_t self:process execmem;
')
libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode
libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of Fedora
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux