Bug 1150106 - SELinux is preventing luajit from using the 'execmem' accesses on a process.
Summary: SELinux is preventing luajit from using the 'execmem' accesses on a process.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: prosody
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d1115ff8184d928cd37e111d4d9...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-07 12:47 UTC by kuchiman
Modified: 2015-05-20 19:09 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-20 19:09:56 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description kuchiman 2014-10-07 12:47:29 UTC 
Description of problem:
yum install prosody
systemctl start prosody
SELinux is preventing luajit from using the 'execmem' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If вы считаете, что luajit следует разрешить доступ execmem к процессам с типом prosody_t по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep luajit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:system_r:prosody_t:s0
Target Objects                Unknown [ process ]
Source                        luajit
Source Path                   luajit
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.1-301.fc21.x86_64 #1 SMP Mon
                              Aug 25 13:06:39 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-10-07 16:45:13 SAMT
Last Seen                     2014-10-07 16:45:14 SAMT
Local ID                      2f07d136-44cb-4662-9ce5-c68930610597

Raw Audit Messages
type=AVC msg=audit(1412685914.16:528): avc:  denied  { execmem } for  pid=6396 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0


Hash: luajit,prosody_t,prosody_t,process,execmem

Version-Release number of selected component:
selinux-policy-3.13.1-84.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.1-301.fc21.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2014-10-13 13:23:34 UTC 
Does prosody need to have "execmem"?
Comment 2 Robert Scheck 2014-10-13 20:57:27 UTC 
I am no lua expert but I would guess "yes" because of luajit rather lua. And
luajit is needed (at least in Fedora, not in RHEL) because Fedora still ships
a supported version (of luajit) while lua in Fedora is too new. But again, I
might be wrong here this is what I at least got.
Comment 3 Daniel Walsh 2015-01-03 13:47:57 UTC 
b70698eed449b075956fb47dace36aa9ac192efe fixes this in git.
Comment 4 Lukas Vrabec 2015-01-15 15:48:47 UTC 
commit a3c2689c0de4e62f836b98f9e339fb872df02073
Author: Dan Walsh <dwalsh>
Date:   Sat Jan 3 08:47:31 2015 -0500

    Allow prosody_t to execmem, since it is using loajit.
Comment 5 Fedora Admin XMLRPC Client 2015-01-16 17:34:19 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Fedora Admin XMLRPC Client 2015-02-02 21:25:48 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Robert Scheck 2015-05-20 19:09:56 UTC 
prosody-0.9.8-1.fc20, prosody-0.9.8-1.fc21 and prosody-0.9.8-1.fc22 should
not have any dependency on luajit anymore, rather they use compat-lua (as it
was advised by prosody upstream).
Note You need to log in before you can comment on or make changes to this bug.