Bug 430895 - AVC denial -- SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp) (initrc_t) "execmem" to <Unknown> (initrc_t).
AVC denial -- SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/b...
Product: Fedora
Classification: Fedora
Component: ejabberd (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Peter Lemenkov
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2008-01-30 08:34 EST by Matěj Cepl
Modified: 2008-05-06 11:34 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-06 11:34:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-01-30 08:34:42 EST
Here we are again -- bug 418131 redivivus-- we still don't have SELinux policy
for ejabberd.

Description of problem:

SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp)
(initrc_t) "execmem" to <Unknown> (initrc_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by
beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp). It is not expected that this
access is required by beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp) and this
access may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require additional

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:initrc_t
Target Context                root:system_r:initrc_t
Target Objects                None [ process ]
Source                        beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-20.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-7.fc9 #1 SMP Mon
                              Jan 28 19:55:06 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 14:19:03 CET
Last Seen                     St 30. leden 2008, 14:19:03 CET
Local ID                      52fac8b6-4b35-4d0e-b405-7fcf3cee6cf2
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201699143.103:31): avc:  denied  {
execmem } for  pid=3509 comm="beam.smp" scontext=root:system_r:initrc_t:s0
tcontext=root:system_r:initrc_t:s0 tclass=process

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201699143.103:31):
arch=c000003e syscall=9 per=400000 success=yes exit=1073741824 a0=0 a1=a01000
a2=7 a3=62 items=0 ppid=3507 pid=3509 auid=0 uid=498 gid=497 euid=498 suid=498
fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) comm="beam.smp"
exe="/usr/lib64/erlang/erts-5.6/bin/beam.smp" subj=root:system_r:initrc_t:s0

Version-Release number of selected component (if applicable):
Comment 1 Matěj Cepl 2008-01-30 08:36:54 EST
This is what I got from audit2allow:

[root@hubmaier ~]# grep ejabberd /var/log/audit/audit.log |audit2allow -m ejabberd

module ejabberd 1.0;

require {
	type var_log_t;
	type mail_spool_t;
	type squid_t;
	type logrotate_t;
	type var_lib_t;
	class file { read write getattr };

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
allow logrotate_t var_lib_t:file getattr;

#============= squid_t ==============
allow squid_t var_log_t:file { read write };
[root@hubmaier ~]# 
Comment 3 Matěj Cepl 2008-01-30 08:42:39 EST
Although, it seems to me that the policy generated by audit2allow doesn't deal
with execmem at all.
Comment 4 Peter Lemenkov 2008-03-24 16:54:23 EDT
Does this bug still exists with latest selinux and erlang?
Comment 5 Matěj Cepl 2008-05-06 08:12:36 EDT
I have no idea, I gave up on ejabberd and don't have it installed anymore.
Comment 6 Daniel Walsh 2008-05-06 11:34:30 EDT
I just installed it and started it and did not see any avc, but I have no idea
how to configure it or actually use it.   This will not generate the AVC in
Fedora 9 unless you turn off the allow_execmem/allow_execstack booleans.
It would be nice to get a policy.

I changed the file context of erlang to unconfined_execmem_exec_t in 


So even if these booleans are turned off erlang/ejabberd will work.

Note You need to log in before you can comment on or make changes to this bug.