Here we are again -- bug 418131 redivivus -- we still don't have SELinux policy for ejabberd.

Description of problem:
SELinux is preventing beam.smp (/usr/lib64/erlang/erts-5.6/bin/beam.smp) (initrc_t) "execmem" to <Unknown> (initrc_t).

Detailed Description:
[SELinux in permissive mode, the operation would have been denied but was permitted due to enforcing mode.]

SELinux denied access requested by beam.smp (/usr/lib64/erlang/erts-5.6/bin/beam.smp). It is not expected that this access is required by beam.smp (/usr/lib64/erlang/erts-5.6/bin/beam.smp) and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:initrc_t
Target Context                root:system_r:initrc_t
Target Objects                None [ process ]
Source                        beam.smp (/usr/lib64/erlang/erts-5.6/bin/beam.smp)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.2.5-20.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-7.fc9 #1 SMP Mon Jan 28 19:55:06 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 14:19:03 CET
Last Seen                     St 30. leden 2008, 14:19:03 CET
Local ID                      52fac8b6-4b35-4d0e-b405-7fcf3cee6cf2
Line Numbers

Raw Audit Messages:

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201699143.103:31): avc: denied { execmem } for pid=3509 comm="beam.smp" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201699143.103:31): arch=c000003e syscall=9 per=400000 success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 ppid=3507 pid=3509 auid=0 uid=498 gid=497 euid=498 suid=498 fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.6/bin/beam.smp" subj=root:system_r:initrc_t:s0 key=(null)

Version-Release number of selected component (if applicable):
ejabberd-2.0.0-0.rc1.mc.1.fc9.x86_64
selinux-policy-targeted-3.2.5-20.fc9.noarch
This is what I got from audit2allow:

[root@hubmaier ~]# grep ejabberd /var/log/audit/audit.log | audit2allow -m ejabberd

module ejabberd 1.0;

require {
	type var_log_t;
	type mail_spool_t;
	type squid_t;
	type logrotate_t;
	type var_lib_t;
	class file { read write getattr };
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
allow logrotate_t var_lib_t:file getattr;

#============= squid_t ==============
allow squid_t var_log_t:file { read write };

[root@hubmaier ~]#
Although, it seems to me that the policy generated by audit2allow doesn't deal with execmem at all.
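The raw AVC record in the report identifies the process only by comm="beam.smp" and the erlang exe path; the word "ejabberd" does not occur in it, so a grep on that word feeds nothing about execmem to audit2allow. The following is an added Python example, not from the bug thread, that parses audit.log AVC records directly and picks out process-class execmem denials; the sample log is reconstructed from the records quoted in the report (with setroubleshoot's host= prefix dropped) plus one constructed squid_t line consistent with the audit2allow output.

```python
import re

# Constructed sample log: the two records from the report above, as they
# appear in a raw /var/log/audit/audit.log, plus one constructed squid_t
# denial matching the "allow squid_t var_log_t:file { read write }" rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1201699143.103:31): avc:  denied  { execmem } for  pid=3509 comm="beam.smp" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1201699143.103:31): arch=c000003e syscall=9 per=400000 success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 ppid=3507 pid=3509 auid=0 uid=498 gid=497 euid=498 suid=498 fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.6/bin/beam.smp" subj=root:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1201699150.500:32): avc:  denied  { read write } for  pid=4001 comm="squid" name="access.log" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# One AVC record: denied permission set, source/target context, object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# The SYSCALL record with the same audit serial carries the executable path.
EXE_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?exe="(?P<exe>[^"]*)"')


def parse_avc_denials(log_text):
    """Return one dict per AVC denial, joined with the exe path from the
    SYSCALL record sharing its serial (that record follows the AVC line)."""
    denials, exe_by_serial = [], {}
    for line in log_text.splitlines():
        m = EXE_RE.search(line)
        if m:
            exe_by_serial[m.group("serial")] = m.group("exe")
            continue
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["source_type"] = d["scontext"].split(":")[2]  # e.g. initrc_t
            denials.append(d)
    for d in denials:
        d["exe"] = exe_by_serial.get(d["serial"])
    return denials


def lines_matching(log_text, needle):
    """The lines `grep needle audit.log` would hand to audit2allow."""
    return [line for line in log_text.splitlines() if needle in line]


def execmem_denials(denials):
    """Process-class execmem denials, the ones a service policy has to
    grant explicitly (or that an execmem boolean covers)."""
    return [d for d in denials if d["tclass"] == "process" and "execmem" in d["perms"]]
```

Running the parser over the sample shows one execmem denial from initrc_t for /usr/lib64/erlang/erts-5.6/bin/beam.smp and zero lines containing "ejabberd".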
Does this bug still exist with the latest selinux and erlang?
I have no idea, I gave up on ejabberd and don't have it installed anymore. Dan?
I just installed it and started it and did not see any avc, but I have no idea how to configure it or actually use it. This will not generate the AVC in Fedora 9 unless you turn off the allow_execmem/allow_execstack booleans. It would be nice to get a policy.

I changed the file context of erlang to unconfined_execmem_exec_t in selinux-policy-3.3.1-45, so even if these booleans are turned off erlang/ejabberd will work.