On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@5-cent.us wrote:
Date: Thu, 22 Apr 2010 22:53:01 +0200 From: Dominick Grift domg472@gmail.com On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
I've got the java wants to write, and execmem errors. audit2allow gives me this: allow httpd_sys_script_t nfs_t:file { execute execute_no_trans }; allow httpd_sys_script_t self:process { execmem getsched }; allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
By allowing the second line of policy you allow all generic httpd system scripts to execute anonymous memory and you allow then to set schedule on its own process.
<snip> Looking futher: that second one, I see, is also being caused by matlab, which is not an unintelligent package. How serious is it to allow that... or is there a policy rule that's been tightened recently that used to allow this?
I am not familiar with matlab but are you sure the AVC denial is related to matlab? Why would matlab run in the httpd generic system script domain?(what runs it)
Eitherway httpd_sys_script_t was never allowed execmem. However if you run matlab as in unconfined domain (instead of the confined httpd_sys_script_t domain), then execmem may or may not be allowed depending on the allow_execmem boolean and or the matlab executable file type.
mark
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux