Hi, folks,
Got a server that's throwing a ton of avc granted, all related to Matlab. I saw something via google from '06, for a java thing - is there something I can use to shut this up?
CentOS 5.9, current.
mark
On 03/26/2013 03:08 PM, m.roth@5-cent.us wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Ask on the audit list, I am not sure there is anything you can do.
What do the AVCs look like?
Daniel J Walsh wrote:
type=AVC msg=audit(1364322744.335:646078): avc: granted { execheap } for pid=22581 comm="MATLAB" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
mark
On 03/26/2013 03:12 PM, m.roth@5-cent.us wrote:
Ah this is an old selinux-policy thing, to tell you that you have allow_execheap boolean turned on and apps are using execheap.
Probably should turn this off, in policy.
Only way to turn it off is to turn off the boolean which will probably break MATLAB.
On 03/26/2013 03:12 PM, m.roth@5-cent.us wrote:
One hack to fix this would be to turn the boolean off and then write a custom policy module to allow unconfined_t execheap.
policy_module(myunconfined, 1.0)
gen_require(`
	type unconfined_t;
')
allow unconfined_t self:process execheap;
Daniel J Walsh wrote:
Could I tell it to not audit matlab? If so, what would I tell it not to audit, the executable? The libraries?
mark
On 03/26/2013 03:27 PM, m.roth@5-cent.us wrote:
Well the problem is the boolean turns on the auditallow like in policy. There is no command to dontaudit. Doing the above turning off the allow_execheap boolean and then allowing unconfined_t to execheap will actually be more secure than what you are doing now. And will remove the aggravating messages.
Daniel J Walsh wrote:
Well the problem is the boolean turns on the auditallow like in policy. There is no command to dontaudit. Doing the above turning off the
I can guess why: someone might get root, and issue it against their malware.
allow_execheap boolean and then allowing unconfined_t to execheap will actually be more secure than what you are doing now. And will remove the aggravating messages.
Got it. So, should I use your code, above, or, to make it self-documenting, would this be valid code:
module matlab 1.0;
gen_requires { type unconfined_t; }
allow unconfined_t self:process execheap;
Thanks, Dan.
mark
m.roth@5-cent.us wrote:
What a *pain*. As I said, I'm on CentOS 5.9, and
rpm -qa | grep selinux-policy*
selinux-policy-2.4.6-327.el5
selinux-policy-targeted-2.4.6-327.el5
audit2allow doesn't seem to have a debug switch, and I've tried exactly what you wrote, as well as the one I posted, and checkmodule chokes on everything.
mark
On 03/26/2013 05:13 PM, m.roth@5-cent.us wrote:
How does it choke?
Daniel J Walsh wrote:
module matlab 1.0;
require { type unconfined_t; }
allow unconfined_t self:process execheap;
checkmodule -M -m -o matlab.mod matlab.te
checkmodule: loading policy configuration from matlab.te
(unknown source)::ERROR 'unknown class process used in rule' at token ';' on line 7:
allow unconfined_t self:process execheap;
checkmodule: error(s) encountered while parsing configuration
Trying:
policy_module(myunconfined, 1.0)
gen_require(`
	type unconfined_t;
')
allow unconfined_t self:process execheap;
gets
checkmodule -M -m -o matlab.mod matlab_dw.te
checkmodule: loading policy configuration from matlab_dw.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:
checkmodule: error(s) encountered while parsing configuration
mark
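What the first checkmodule error is complaining about, and the end-to-end form of Dan's boolean-off-plus-scoped-allow suggestion, as an added example (not code from the thread): in the raw, non-m4 .te syntax that checkmodule reads directly, the require block has to declare the object class and permission as well as the type. The module name, build directory and the sesearch check at the end are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a raw-syntax policy module that
# grants execheap to unconfined_t only, so the global allow_execheap boolean
# (and the auditallow it switches on) can be turned off afterwards.
# Module name "matlab_execheap" and the build directory are assumptions.

MODULE=matlab_execheap

# Raw (non-m4) .te, the form checkmodule parses directly. Here the require
# block must declare every class/permission the rules use, not just the types;
# leaving out "class process execheap;" is what produces
# "unknown class process used in rule".
write_te() {
    cat <<'EOF'
module matlab_execheap 1.0;

require {
        type unconfined_t;
        class process execheap;
}

# Scoped replacement for the allow_execheap boolean: only unconfined_t gets
# execheap, and no auditallow rule fires for it.
allow unconfined_t self:process execheap;
EOF
}

# The m4 form (policy_module/gen_require) only works once the reference-policy
# Makefile from selinux-policy-devel has expanded the macros; handing it straight
# to checkmodule gives the "syntax error at token 'policy_module'" seen above.

# Compile, package, load, then drop the global boolean. Needs policycoreutils
# and root; stops at the first failing step.
install_module() {
    dir=${1:-.}
    write_te > "$dir/$MODULE.te" || return 1
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te" || return 1
    semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod" || return 1
    semodule -i "$dir/$MODULE.pp" || return 1
    setsebool -P allow_execheap off || return 1
    # Confirm the rule is in the loaded policy (sesearch is in setools; optional).
    if command -v sesearch >/dev/null 2>&1; then
        sesearch --allow -s unconfined_t -t unconfined_t -c process -p execheap
    fi
}
```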
On 03/27/2013 04:25 PM, m.roth@5-cent.us wrote:
Try with the make file
make -f /usr/share/selinux/devel/Makefile
(If this exists on RHEL5.)
On 03/27/2013 04:39 PM, Daniel J Walsh wrote:
Try with the make file
make -f /usr/share/selinux/devel/Makefile
(If this exists on RHEL5.)
It does in RHEL6
$ rpm -qf /usr/share/selinux/devel/Makefile
selinux-policy-3.7.19-195.el6_4.3.noarch
It does in CentOS 5
$ rpm -qf /usr/share/selinux/devel/Makefile
selinux-policy-devel-2.4.6-338.el5
Jean-David Beyer wrote:
It does in RHEL6
Not in 5.9.
mark
On Thu, 2013-03-28 at 17:27 -0400, m.roth@5-cent.us wrote:
It does in RHEL6
Not in 5.9.
mark
See if it is in the selinux-policy-devel package
repoquery -ql selinux-policy-devel | grep -i makefile
On 03/28/2013 05:27 PM, m.roth@5-cent.us wrote:
Not in 5.9.
mark
I do not have RHEL5.9, but I do have CentOS5.9 and it has it. Are Red Hat and CentOS that different?
[/etc]$ cat redhat-release
CentOS release 5.9 (Final)
[/etc]$ rpm -qf /usr/share/selinux/devel/Makefile
selinux-policy-devel-2.4.6-338.el5
[/etc]$ ls -l /usr/share/selinux/devel/Makefile
1 root root 416 Jan 9 05:36 /usr/share/selinux/devel/Makefile
On 03/28/13 19:39, Jean-David Beyer wrote:
I do not have RHEL5.9, but I do have CentOS5.9 and it has it. Are Red Hat and CentOS that different?
Not at all: CentOS removed proprietary material, and recompiles from RHEL source. That is, in fact, what I'm running.
mark
On 03/28/2013 08:34 PM, mark wrote:
I do not have RHEL5.9, but I do have CentOS5.9 and it has it. Are Red Hat and CentOS that different?
Not at all: CentOS removed proprietary material, and recompiles from RHEL source. That is, in fact, what I'm running.
mark
You mean other than taking food out of the mouth of my children? :^)
Daniel J Walsh wrote:
Hey, we do have at least one or two licenses for RHEL! Surely your children can eat on that.... <g>
I was on redhat for years at home, until they split to fedora and RHEL, and I couldn't afford what was it, $180 or so, for RHEL, and fedora's bleeding edge, not leading edge (*bleah*). Till I shut it down, not needing it, about '09, my firewall/router was an old PC running rh 9....
mark
On 03/28/2013 08:34 PM, mark wrote:
I do not have RHEL5.9, but I do have CentOS5.9 and it has it. Are Red Hat and CentOS that different?
Not at all: CentOS removed proprietary material, and recompiles from RHEL source. That is, in fact, what I'm running.
mark
Then I do not understand why you said (unless I misunderstood) that this was not in 5.9. Since it is in my 5.9, and I sure did not make a special effort to get it because I do not even run SELinux on that machine.
Where am I misunderstanding?
Jean-David Beyer wrote:
Then I do not understand why you said (unless I misunderstood) that this was not in 5.9. Since it is in my 5.9, and I sure did not make a special effort to get it because I do not even run SELinux on that machine.
Where am I misunderstanding?
Was it you who mentioned selinux-policy-devel? At any rate, it's not installed.
Thing is, I'd really like to know what's wrong with my syntax, that I can't just use the same routine that I do when I get an output from audit2allow. There's *got* to be something I have missing.
mark
On Fri, 2013-03-29 at 09:45 -0400, m.roth@5-cent.us wrote:
Jean-David Beyer wrote:
On 03/28/2013 08:34 PM, mark wrote:
On 03/28/13 19:39, Jean-David Beyer wrote:
On 03/28/2013 05:27 PM, m.roth@5-cent.us wrote:
Jean-David Beyer wrote:
On 03/27/2013 04:39 PM, Daniel J Walsh wrote:
> On 03/27/2013 04:25 PM, m.roth@5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 03/26/2013 05:13 PM, m.roth@5-cent.us wrote:
>>>> m.roth@5-cent.us wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 03/26/2013 03:27 PM, m.roth@5-cent.us wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 03/26/2013 03:12 PM, m.roth@5-cent.us wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 03/26/2013 03:08 PM, m.roth@5-cent.us wrote:
>>>>>>>>>>>
>>>>>>>>>>> Got a server that's throwing a ton of avc granted, all related to Matlab. I saw something via google from '06, for a java thing - is there something I can use to shut this up?
>>>>>>>>>>>
>>>>>>>>>>> CentOS 5.9, current.
>>>>>>> <snip>
>>>>>>>> One hack to fix this would be to turn the boolean off and then write a custom policy module to allow unconfined_t execheap.
>>>>>>>>
>>>>>>>> policy_module(myunconfined, 1.0)
>>>>>>>> gen_require(`
>>>>>>>>     type unconfined_t;
>>>>>>>> ')
>>>>>>>> allow unconfined_t self:process execheap;
>>>>>>>
>>>> What a *pain*. As I said, I'm on CentOS 5.9, and rpm -qa | grep selinux-policy*
>>>> selinux-policy-2.4.6-327.el5
>>>> selinux-policy-targeted-2.4.6-327.el5
<snip>
>>>>> It does in RHEL6
>>>>
>>>> Not in 5.9.
>>>>
>>> I do not have RHEL5.9, but I do have CentOS5.9 and it has it. Are Red Hat and CentOS that different?
>>
>> Not at all: CentOS removed proprietary material, and recompiles from RHEL source. That is, in fact, what I'm running.
>>
> Then I do not understand why you said (unless I misunderstood) that this was not in 5.9. Since it is in my 5.9, and I sure did not make a special effort to get it because I do not even run SELinux on that machine.
>
> Where am I misunderstanding?
Was it you who mentioned selinux-policy-devel? At any rate, it's not installed.
Thing is, I'd really like to know what's wrong with my syntax, that I can't just use the same routine that I do when I get an output from audit2allow. There's *got* to be something I have missing.
The issue is that there are two ways of writing policy. One is using raw policy (writing it in a language that selinux understands) and one is using human readable policy (an abstraction).
The policy_module() is a human readable way of declaring a policy module. Its raw counterpart is "module $NAME $VERSION;"
The checkmodule utility can only work with the raw policy language, and so it chokes on the human readable policy module declaration.
Basically the human readable policy abstraction layer was just built on top of the existing infrastructure. So the old stuff doesn't know the new stuff, but the new stuff does know the old stuff (e.g. you could use raw policy with the refpolicy Makefile but you can't use human readable policy with checkmodule).
It can be confusing
Writing raw policy has its advantages/disadvantages just as writing human readable policy.
raw policy gives one a bit more flexibility but it's often less efficient and harder to maintain than human readable policy.
So if you write policy then you should first identify raw policy and human readable policy, then consider that one cannot write/compile human readable policy with the raw policy development utils (checkmodule) and then you should be on your way.
mark
On Fri, 2013-03-29 at 09:45 -0400, m.roth@5-cent.us wrote:
Was it you who mentioned selinux-policy-devel? At any rate, it's not installed.
That was me. I suggest you install it: yum install selinux-policy-devel
Then you can build your source policy module using the enclosed makefile:
make -f /usr/share/selinux/devel/Makefile $MODULENAME.pp
On 03/27/2013 04:25 PM, m.roth@5-cent.us wrote:
Daniel J Walsh wrote:
On 03/26/2013 05:13 PM, m.roth@5-cent.us wrote:
m.roth@5-cent.us wrote:
Daniel J Walsh wrote:
On 03/26/2013 03:27 PM, m.roth@5-cent.us wrote:
Daniel J Walsh wrote:
> On 03/26/2013 03:12 PM, m.roth@5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 03/26/2013 03:08 PM, m.roth@5-cent.us wrote:
>>>>
>>>> Got a server that's throwing a ton of avc granted, all related to Matlab. I saw something via google from '06, for a java thing - is there something I can use to shut this up?
>>>>
>>>> CentOS 5.9, current.
<snip>
> One hack to fix this would be to turn the boolean off and then write a custom policy module to allow unconfined_t execheap.
>
> policy_module(myunconfined, 1.0)
> gen_require(`
>     type unconfined_t;
> ')
> allow unconfined_t self:process execheap;
What a *pain*. As I said, I'm on CentOS 5.9, and rpm -qa | grep selinux-policy*
selinux-policy-2.4.6-327.el5
selinux-policy-targeted-2.4.6-327.el5
audit2allow doesn't seem to have a debug switch, and I've tried exactly what you wrote, as well as the one I posted, and checkmodule chokes on everything.
How does it choke?
module matlab 1.0;
require { type unconfined_t; }
allow unconfined_t self:process execheap;
checkmodule -M -m -o matlab.mod matlab.te
checkmodule: loading policy configuration from matlab.te
(unknown source)::ERROR 'unknown class process used in rule' at token ';' on line 7: allow unconfined_t self:process execheap;
checkmodule: error(s) encountered while parsing configuration
Trying:
policy_module(myunconfined, 1.0)
gen_require(`
    type unconfined_t;
')
allow unconfined_t self:process execheap;
gets
checkmodule -M -m -o matlab.mod matlab_dw.te
checkmodule: loading policy configuration from matlab_dw.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 1:
checkmodule: error(s) encountered while parsing configuration
mark
Wouldn't it work if you specify the process class in the policy file? I'm pretty sure this should work on rhel/centos 5.x, don't have a way to check this moment though:
-----------------------
module matlab 1.0;
require {
    type unconfined_t;
    class process execheap;
}
allow unconfined_t self:process execheap;
------------------------
Cheers, David
Wouldn't it work if you specify the process class in the policy file? I'm pretty sure this should work on rhel/centos 5.x, don't have a way to check this moment though:
This should work yes
module matlab 1.0;
require {
    type unconfined_t;
    class process execheap;
}
allow unconfined_t self:process execheap;
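The two forms the thread ends up with, side by side with the toolchain each one needs, as an added example that is not code from the thread: the raw module with the class declared in require (David's version) for checkmodule and semodule_package, and the refpolicy version for the selinux-policy-devel Makefile. File names and the Makefile path are the ones used above; the build steps are skipped when the tools are not installed, so the script runs anywhere.

```shell
# Added example, not from the thread. Writes the module both ways and builds
# each with the toolchain it needs; builds are skipped when the tools are absent.

# Raw policy: what checkmodule parses. Every class and permission used in a
# rule must be declared in require, which is what "unknown class process
# used in rule" was complaining about in the version without the class line.
write_raw_te() {
    cat > "$1" <<'EOF'
module matlab 1.0;
require {
    type unconfined_t;
    class process execheap;
}
allow unconfined_t self:process execheap;
EOF
}

# Reference-policy form: policy_module() and gen_require() are m4 macros
# expanded by the devel Makefile; fed straight to checkmodule they give
# "syntax error at token 'policy_module'".
write_refpolicy_te() {
    cat > "$1" <<'EOF'
policy_module(myunconfined, 1.0)
gen_require(`
    type unconfined_t;
')
allow unconfined_t self:process execheap;
EOF
}

# Tell the two apart before picking a toolchain: prints refpolicy or raw.
policy_flavor() {
    if grep -q '^policy_module(' "$1"; then echo refpolicy; else echo raw; fi
}

# Raw toolchain: checkmodule -> semodule_package -> .pp (install: semodule -i).
# Returns 2 when the tools are not installed so the script runs anywhere.
build_raw() {
    base=${1%.te}
    command -v checkmodule >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$base.mod" "$1" && semodule_package -o "$base.pp" -m "$base.mod"
}

# Refpolicy toolchain: the Makefile shipped by selinux-policy-devel.
build_refpolicy() {
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    (cd "$(dirname "$1")" && make -f /usr/share/selinux/devel/Makefile "$(basename "${1%.te}").pp")
}
```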