Ye olde "avc granted"

Daniel J Walsh dwalsh at redhat.com
Wed Mar 27 20:39:02 UTC 2013



On 03/27/2013 04:25 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 03/26/2013 05:13 PM, m.roth at 5-cent.us wrote:
>>> m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 03/26/2013 03:27 PM, m.roth at 5-cent.us wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 03/26/2013 03:12 PM, m.roth at 5-cent.us wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> On 03/26/2013 03:08 PM, m.roth at 5-cent.us wrote:
>>>>>>>>>> 
>>>>>>>>>> Got a server that's throwing a ton of avc granted, all 
>>>>>>>>>> related to Matlab. I saw something via google from '06,
>>>>>>>>>> for a java thing - is there something I can use to shut
>>>>>>>>>> this up?
>>>>>>>>>> 
>>>>>>>>>> CentOS 5.9, current.
>>>>>> <snip>
>>>>>>> One hack to fix this would be to turn the boolean off and then 
>>>>>>> write a custom policy module to allow unconfined_t execheap.
>>>>>>> 
>>>>>>> policy_module(myunconfined, 1.0)
>>>>>>> gen_require(` type unconfined_t; ')
>>>>>>> allow unconfined_t self:process execheap;
>>>>>> 
>>> What a *pain*. As I said, I'm on CentOS 5.9, and
>>> rpm -qa | grep selinux-policy\*
>>> selinux-policy-2.4.6-327.el5
>>> selinux-policy-targeted-2.4.6-327.el5
>>> 
>>> audit2allow doesn't seem to have a debug switch, and I've tried
>>> exactly what you wrote, as well as the one I posted, and checkmodule
>>> chokes on everything.
>>> 
>> How does it choke?
> 
> module matlab 1.0;
> 
> require { type unconfined_t; }
> 
> allow unconfined_t self:process execheap;
> 
> checkmodule -M -m -o matlab.mod matlab.te
> checkmodule:  loading policy configuration from matlab.te
> (unknown source)::ERROR 'unknown class process used in rule' at token ';' on line 7:
> allow unconfined_t self:process execheap;
> 
> checkmodule:  error(s) encountered while parsing configuration
> 
> Trying:
>
> policy_module(myunconfined, 1.0)
>
> gen_require(` type unconfined_t; ')
>
> allow unconfined_t self:process execheap;
>
> gets
>
> checkmodule -M -m -o matlab.mod matlab_dw.te
> checkmodule:  loading policy configuration from matlab_dw.te
> (unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:
> 
> 
> checkmodule:  error(s) encountered while parsing configuration
> 
> mark
> 
> 
Try with the make file

make -f /usr/share/selinux/devel/Makefile

(If this exists on RHEL5.)
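
The two checkmodule failures quoted above come down to source syntax: policy_module and gen_require are m4 macros that the devel Makefile expands, while a raw "module" source must declare in its require block every class it uses. The following is an added example, not part of the original message (function names and matlab_fixed.te are hypothetical, and the sample sources are constructed from the thread); it picks the matching build command and flags undeclared classes:

```shell
# Added example: helper names and matlab_fixed.te are hypothetical; the .te
# bodies below are constructed from the two attempts quoted in the thread.

# Report which syntax a .te source uses: refpolicy m4 macros or raw module.
te_flavor() {
    if grep -Eq '^[[:space:]]*(policy_module|gen_require)\(' "$1"; then
        echo refpolicy      # needs m4 expansion, i.e. the devel Makefile
    elif grep -Eq '^[[:space:]]*module[[:space:]]+[A-Za-z0-9_]+[[:space:]]+[0-9.]+;' "$1"; then
        echo raw            # checkmodule can parse this directly
    else
        echo unknown
    fi
}

# Raw modules only: classes used in allow rules but never declared with
# "class <name> ..." in require (checkmodule reports 'unknown class').
missing_classes() {
    [ "$(te_flavor "$1")" = raw ] || return 0
    used=$(grep -E '^[[:space:]]*allow[[:space:]]' "$1" |
        sed -E 's/^[^:]*:[[:space:]]*([A-Za-z0-9_]+).*/\1/' | sort -u)
    for c in $used; do
        grep -Eq "class[[:space:]]+$c[[:space:]]" "$1" || echo "$c"
    done
}

# Print (do not run) the build command that matches the source syntax.
build_cmd() {
    name=$(basename "$1" .te)
    case $(te_flavor "$1") in
        refpolicy) echo "make -f /usr/share/selinux/devel/Makefile $name.pp" ;;
        raw) echo "checkmodule -M -m -o $name.mod $name.te && semodule_package -o $name.pp -m $name.mod" ;;
        *) echo "unrecognised policy source: $1" >&2; return 1 ;;
    esac
}

# Constructed sample sources written to a scratch directory.
write_samples() {
    printf '%s\n' 'module matlab 1.0;' 'require { type unconfined_t; }' \
        'allow unconfined_t self:process execheap;' > "$1/matlab.te"
    printf '%s\n' 'policy_module(myunconfined, 1.0)' \
        'gen_require(` type unconfined_t; '"'"')' \
        'allow unconfined_t self:process execheap;' > "$1/matlab_dw.te"
    printf '%s\n' 'module matlab_fixed 1.0;' \
        'require { type unconfined_t; class process execheap; }' \
        'allow unconfined_t self:process execheap;' > "$1/matlab_fixed.te"
}

demo=$(mktemp -d) && write_samples "$demo"
for f in "$demo"/*.te; do build_cmd "$f"; missing_classes "$f"; done
rm -rf "$demo"
```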

