Bug 430895 - AVC denial -- SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp) (initrc_t) "execmem" to <Unknown> (initrc_t).
Summary: AVC denial -- SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/b...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: ejabberd
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-01-30 13:34 UTC by Matěj Cepl
Modified: 2018-04-11 12:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-06 15:34:30 UTC
Type: ---
Embargoed:



Description Matěj Cepl 2008-01-30 13:34:42 UTC
Here we are again -- bug 418131 redivivus -- we still don't have an SELinux policy
for ejabberd.

Description of problem:

SELinux is preventing beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp)
(initrc_t) "execmem" to <Unknown> (initrc_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by
beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp). It is not expected that this
access is required by beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp) and this
access may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require additional
access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:initrc_t
Target Context                root:system_r:initrc_t
Target Objects                None [ process ]
Source                        beam.smp(/usr/lib64/erlang/erts-5.6/bin/beam.smp)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-20.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-7.fc9 #1 SMP Mon
                              Jan 28 19:55:06 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 14:19:03 CET
Last Seen                     St 30. leden 2008, 14:19:03 CET
Local ID                      52fac8b6-4b35-4d0e-b405-7fcf3cee6cf2
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201699143.103:31): avc:  denied  {
execmem } for  pid=3509 comm="beam.smp" scontext=root:system_r:initrc_t:s0
tcontext=root:system_r:initrc_t:s0 tclass=process

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201699143.103:31):
arch=c000003e syscall=9 per=400000 success=yes exit=1073741824 a0=0 a1=a01000
a2=7 a3=62 items=0 ppid=3507 pid=3509 auid=0 uid=498 gid=497 euid=498 suid=498
fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) comm="beam.smp"
exe="/usr/lib64/erlang/erts-5.6/bin/beam.smp" subj=root:system_r:initrc_t:s0
key=(null)

Version-Release number of selected component (if applicable):
ejabberd-2.0.0-0.rc1.mc.1.fc9.x86_64
selinux-policy-targeted-3.2.5-20.fc9.noarch

Comment 1 Matěj Cepl 2008-01-30 13:36:54 UTC
This is what I got from audit2allow:

[root@hubmaier ~]# grep ejabberd /var/log/audit/audit.log |audit2allow -m ejabberd

module ejabberd 1.0;

require {
	type var_log_t;
	type mail_spool_t;
	type squid_t;
	type logrotate_t;
	type var_lib_t;
	class file { read write getattr };
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
allow logrotate_t var_lib_t:file getattr;

#============= squid_t ==============
allow squid_t var_log_t:file { read write };
[root@hubmaier ~]# 


Comment 3 Matěj Cepl 2008-01-30 13:42:39 UTC
Although, it seems to me that the policy generated by audit2allow doesn't deal
with execmem at all.
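The AVC record quoted in the report names the process as comm="beam.smp" with exe=/usr/lib64/erlang/erts-5.6/bin/beam.smp; the string "ejabberd" never appears in it, so a grep for the package name selects other records but not this one. The added example below (not code from the bug report, Fedora, or setroubleshoot) parses raw AVC and SYSCALL records, groups them by audit serial, selects events by comm or exe instead of by package name, and explains an execmem denial: the matching SYSCALL record shows syscall 9 on arch c000003e (mmap on x86_64) with a2=7, i.e. a PROT_READ|PROT_WRITE|PROT_EXEC mapping, which is exactly what the execmem permission governs. The sample log lines are a constructed copy of the two records quoted above; the syscall and prot tables are standard Linux x86_64 values. The allow rule it derives is what audit2allow would emit for that single record; whether to install such a rule is a separate decision, since a writable-and-executable mapping is legitimate for a runtime that generates native code (Erlang's HiPE does) but is also the kind of access an exploit would request.

```python
"""Parse raw SELinux audit records and explain an execmem denial.

Added example, not part of the bug report. The sample records are a
constructed copy of the two raw audit messages quoted in the report.
"""
import re

SAMPLE_AUDIT_LOG = """\
host=hubmaier.ceplovi.cz type=AVC msg=audit(1201699143.103:31): avc:  denied  { execmem } for  pid=3509 comm="beam.smp" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201699143.103:31): arch=c000003e syscall=9 per=400000 success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 ppid=3507 pid=3509 auid=0 uid=498 gid=497 euid=498 suid=498 fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.6/bin/beam.smp" subj=root:system_r:initrc_t:s0 key=(null)
"""

# Standard Linux values: mmap(2) prot bits and the x86_64 syscall numbers we decode.
PROT_BITS = ((1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC"))
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}
AUDIT_ARCH_X86_64 = "c000003e"

RECORD_RE = re.compile(r'(?:host=\S+\s+)?type=(\w+)\s+msg=audit\(([\d.]+:\d+)\):\s*(.*)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one raw audit record into a dict: type, serial, perms and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "serial": m.group(2)}
    body = m.group(3)
    perms = PERMS_RE.search(body)
    if perms:
        rec["perms"] = perms.group(1).split()
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def group_by_serial(log_text):
    """Group AVC and SYSCALL records belonging to the same audit event (same serial)."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def select_events(events, comm=None, exe_prefix=None):
    """Select events by the process that triggered them, not by a package-name grep."""
    chosen = {}
    for serial, recs in events.items():
        comms = {r.get("comm") for r in recs}
        exes = {r.get("exe", "") for r in recs}
        if comm and comm not in comms:
            continue
        if exe_prefix and not any(e.startswith(exe_prefix) for e in exes):
            continue
        chosen[serial] = recs
    return chosen


def decode_prot(a2_hex):
    """Decode the hexadecimal prot argument of mmap/mprotect into flag names."""
    prot = int(a2_hex, 16)
    return [name for bit, name in PROT_BITS if prot & bit]


def explain_event(records):
    """Summarise one audit event: who, what permission, and the rule audit2allow would emit."""
    avc = next((r for r in records if r["type"] == "AVC"), None)
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if avc is None:
        return None
    source_type = avc["scontext"].split(":")[2]
    target_type = avc["tcontext"].split(":")[2]
    perms = avc.get("perms", [])
    # A process-class denial against the same context is written as "self" in TE.
    target = "self" if avc["scontext"] == avc["tcontext"] else target_type
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    info = {
        "comm": avc.get("comm"),
        "perms": perms,
        "source_type": source_type,
        "rule": f"allow {source_type} {target}:{avc['tclass']} {perm_text};",
        "writable_and_executable": "execmem" in perms,
    }
    if syscall is not None:
        num = int(syscall["syscall"])
        name = X86_64_SYSCALLS.get(num, str(num)) if syscall.get("arch") == AUDIT_ARCH_X86_64 else str(num)
        info["exe"] = syscall.get("exe")
        info["syscall"] = name
        if name in ("mmap", "mprotect"):
            info["prot"] = decode_prot(syscall["a2"])
        # In permissive mode the call succeeds although the AVC is logged.
        info["enforced"] = syscall.get("success") != "yes"
    return info


if __name__ == "__main__":
    events = group_by_serial(SAMPLE_AUDIT_LOG)
    print("events matching comm=ejabberd:", len(select_events(events, comm="ejabberd")))
    for serial, recs in select_events(events, exe_prefix="/usr/lib64/erlang/").items():
        print(serial, explain_event(recs))
```

Run against a real /var/log/audit/audit.log, `select_events(events, exe_prefix="/usr/lib64/erlang/")` finds the beam.smp events regardless of which package owns them; `explain_event` then shows both the TE rule and the RWX mapping behind it, so the person deciding on a local module sees what the rule actually grants.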

Comment 4 Peter Lemenkov 2008-03-24 20:54:23 UTC
Does this bug still exist with the latest selinux and erlang?

Comment 5 Matěj Cepl 2008-05-06 12:12:36 UTC
I have no idea, I gave up on ejabberd and don't have it installed anymore.
Dan?

Comment 6 Daniel Walsh 2008-05-06 15:34:30 UTC
I just installed it and started it and did not see any AVC, but I have no idea
how to configure it or actually use it. This will not generate the AVC in
Fedora 9 unless you turn off the allow_execmem/allow_execstack booleans.
It would be nice to get a policy.

I changed the file context of erlang to unconfined_execmem_exec_t in
selinux-policy-3.3.1-45.

So even if these booleans are turned off, erlang/ejabberd will work.

