Description of problem:
yum install prosody
systemctl start prosody

SELinux is preventing luajit from using the 'execmem' accesses on a process.

***** Plugin catchall (100. confidence) suggests **************************

If вы считаете, что luajit следует разрешить доступ execmem к процессам с типом prosody_t по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep luajit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:system_r:prosody_t:s0
Target Objects                Unknown [ process ]
Source                        luajit
Source Path                   luajit
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.1-301.fc21.x86_64 #1 SMP Mon Aug 25 13:06:39 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-10-07 16:45:13 SAMT
Last Seen                     2014-10-07 16:45:14 SAMT
Local ID                      2f07d136-44cb-4662-9ce5-c68930610597

Raw Audit Messages
type=AVC msg=audit(1412685914.16:528): avc: denied { execmem } for pid=6396 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0

Hash: luajit,prosody_t,prosody_t,process,execmem

Version-Release number of selected component:
selinux-policy-3.13.1-84.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.1-301.fc21.x86_64
type:           libreport
Does prosody need to have "execmem"?
I am no lua expert but I would guess "yes" because of luajit rather than lua. And luajit is needed (at least in Fedora, not in RHEL) because Fedora still ships a supported version (of luajit) while lua in Fedora is too new. But again, I might be wrong here; this is what I at least got.
b70698eed449b075956fb47dace36aa9ac192efe fixes this in git.
commit a3c2689c0de4e62f836b98f9e339fb872df02073
Author: Dan Walsh <dwalsh>
Date:   Sat Jan 3 08:47:31 2015 -0500

    Allow prosody_t to execmem, since it is using luajit.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
prosody-0.9.8-1.fc20, prosody-0.9.8-1.fc21 and prosody-0.9.8-1.fc22 should not have any dependency on luajit anymore, rather they use compat-lua (as it was advised by prosody upstream).