Description of problem:
After I upgraded to Fedora 17, I started having the following warning:

SELinux is preventing java from using the execmem access on a process.

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If si desidera allow httpd scripts and modules execmem/execstack
Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_execmem 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If si crede che java dovrebbe avere possibilità di accesso execmem ai processi etichettati httpd_t in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                [ process ]
Source                        java
Source Path                   java
Port                          <Sconosciuto>
Host                          Portatile
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Portatile
Platform                      Linux Portatile 3.3.7-1.fc17.i686 #1 SMP Mon May 21 22:50:24 UTC 2012 i686 i686
Alert Count                   2
First Seen                    mer 30 mag 2012 07:30:45 CEST
Last Seen                     mer 30 mag 2012 07:32:26 CEST

Raw Audit Messages
type=AVC msg=audit(1338355946.850:29): avc: denied { execmem } for pid=844 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Hash: java,httpd_t,httpd_t,process,execmem

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied

The alert tells you what to do

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If si desidera allow httpd scripts and modules execmem/execstack
Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_execmem 1
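
Added example, not part of the original report and not setroubleshoot's or audit2allow's own code: a small Python parser for the raw AVC record quoted in the alert, showing which type-enforcement rule the denial corresponds to. The function names (parse_avc, context_type, te_rule) are hypothetical; the sample line is the record from the report.

```python
import re

# The raw AVC record quoted in the report above.
SAMPLE = ('type=AVC msg=audit(1338355946.850:29): avc: denied { execmem } '
          'for pid=844 comm="java" scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=system_u:system_r:httpd_t:s0 tclass=process')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    return rec


def context_type(ctx):
    """SELinux contexts are user:role:type:level; the type is field 3."""
    return ctx.split(':')[2]


def te_rule(rec):
    """Build the allow rule matching this denial (audit2allow-style text)."""
    src = context_type(rec['scontext'])
    tgt = context_type(rec['tcontext'])
    target = 'self' if src == tgt else tgt  # same domain is written as self
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {target}:{rec['tclass']} {perm_str};"


if __name__ == '__main__':
    record = parse_avc(SAMPLE)
    print(record['comm'], 'runs in', context_type(record['scontext']))
    print(te_rule(record))
```

Because the source and target types are both httpd_t, the rule is written against self and would cover every process running in the httpd_t domain, not only java.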