Bug 430895
| Summary: | AVC denial -- SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp) (initrc_t) "execmem" to <Unknown> (initrc_t). | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
| Component: | ejabberd | Assignee: | Peter Lemenkov <lemenkov> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | dwalsh, mcepl, sdeasey |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-05-06 15:34:30 UTC | Type: | --- |
Description
Matěj Cepl
2008-01-30 13:34:42 UTC
This is what I got from audit2allow:

    [root@hubmaier ~]# grep ejabberd /var/log/audit/audit.log |audit2allow -m ejabberd

    module ejabberd 1.0;

    require {
            type var_log_t;
            type mail_spool_t;
            type squid_t;
            type logrotate_t;
            type var_lib_t;
            class file { read write getattr };
    }

    #============= logrotate_t ==============
    allow logrotate_t mail_spool_t:file getattr;
    allow logrotate_t var_lib_t:file getattr;

    #============= squid_t ==============
    allow squid_t var_log_t:file { read write };
    [root@hubmaier ~]#

Although, it seems to me that the policy generated by audit2allow doesn't deal with execmem at all.

Does this bug still exist with latest selinux and erlang?

I have no idea, I gave up on ejabberd and don't have it installed anymore. Dan?

I just installed it and started it and did not see any avc, but I have no idea how to configure it or actually use it. This will not generate the AVC in Fedora 9 unless you turn off the allow_execmem/allow_execstack booleans.

It would be nice to get a policy.

I changed the file context of erlang to unconfined_execmem_exec_t in selinux-policy-3.3.1-45. So even if these booleans are turned off erlang/ejabberd will work.
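
Added example, not part of the bug report: a Python triage of AVC records showing one way the `grep ejabberd` filter could keep the execmem denial out of audit2allow's input, assuming the record names only `beam.smp` (as in the bug summary) and never contains the string `ejabberd`. The log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample records; they are not taken from the reporter's audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1201700001.101:41): avc:  denied  { getattr } for  pid=2101 comm="logrotate" path="/var/lib/ejabberd/spool/LOCK" dev=dm-0 ino=1001 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1201700002.202:42): avc:  denied  { execmem } for  pid=2345 comm="beam.smp" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1201700002.202:42): arch=c000003e syscall=9 success=no exit=-13 comm="beam.smp" exe="/usr/lib64/erlang/erts-5.6/bin/beam.smp"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def keyword_filter(log_text, needle):
    """Mimic `grep needle audit.log`: keep only lines containing the string."""
    return "\n".join(l for l in log_text.splitlines() if needle in l)


def parse_avc(log_text):
    """Return one dict per AVC denial, with the type field of each context."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "comm": m["comm"],
                "perms": m["perms"].split(),
                "source": m["scon"].split(":")[2],   # user:role:type:level
                "target": m["tcon"].split(":")[2],
                "tclass": m["tclass"],
            })
    return denials


def memory_denials(denials):
    """Select process-class denials for execmem or execstack."""
    wanted = {"execmem", "execstack"}
    return [d for d in denials
            if d["tclass"] == "process" and wanted & set(d["perms"])]


if __name__ == "__main__":
    everything = parse_avc(SAMPLE_LOG)
    grepped = parse_avc(keyword_filter(SAMPLE_LOG, "ejabberd"))
    for d in memory_denials(everything):
        print(d["comm"], d["source"], "->", d["target"], d["perms"])
    print("execmem records after keyword filter:", len(memory_denials(grepped)))
```

Selecting records by permission or by command name, rather than by package name, keeps the execmem denial in whatever is passed on to policy generation.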