06-07-2010, 10:09 AM
Frank Murphy

Selinux - Clamav

Running the latest clamav.

logwatch gives the following:

libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access.
Run 'setsebool -P clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode


setsebool -P clamd_use_jit on

doesn't seem to stick,
as I still get the warnings.

selinux-policy-3.7.19-23.fc13.noarch
selinux-policy-targeted-3.7.19-23.fc13.noarch
clamav-0.96.1-1300.fc13.i686


--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of Fedora
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
06-07-2010, 12:51 PM
Dominick Grift

Selinux - Clamav

On Mon, Jun 07, 2010 at 11:09:01AM +0100, Frank Murphy wrote:
> Running the latest clamav.
>
> logwatch gives the following:
>
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access.
> Run 'setsebool -P clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
>
>
> setsebool -P clamd_use_jit on
>
> doesn't seem to stick,
> as I still get the warnings.
>
> selinux-policy-3.7.19-23.fc13.noarch
> selinux-policy-targeted-3.7.19-23.fc13.noarch
> clamav-0.96.1-1300.fc13.i686
>

Are you seeing any AVC denials? If not, try semodule -DB to load policy with hidden denials removed. Then reproduce. To go back to hiding hidden denials: semodule -B

Does it work in permissive mode?
>
> --
> Regards,
>
> Frank Murphy
> UTF_8 Encoded
> Friend of Fedora
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
 
06-07-2010, 05:38 PM
Frank Murphy

Selinux - Clamav

On 07/06/10 13:51, Dominick Grift wrote:
--snip--
>> setsebool -P clamd_use_jit on
>>
>> doesn't seem to stick,
>> as I still get the warnings.
>>
>> selinux-policy-3.7.19-23.fc13.noarch
>> selinux-policy-targeted-3.7.19-23.fc13.noarch
>> clamav-0.96.1-1300.fc13.i686
>>
>
> Are you seeing any AVC denials? If not, try semodule -DB to load policy with hidden denials removed.

No

Then reproduce. To go back to hiding hidden denials: semodule -B
>
> Does it work in permissive mode?
>>

Have now set permissive on clamd & clamscan.
Will let you know result tomorrow.


--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of Fedora
 
06-08-2010, 10:13 AM
Frank Murphy

Selinux - Clamav

On 07/06/10 18:38, Frank Murphy wrote:
--snip--

> Then reproduce. To go back to hiding hidden denials: semodule -B
>>
>> Does it work in permissive mode?
>>>
>
> Have now set permissive on clamd & clamscan.
> Will let you know result tomorrow.
>
My bad it's a cron warning, not from logwatch.


Still getting below with "Selinux Manager > process domain > clamd
clamscan permissive"

libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode
libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode



--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of Fedora
 
06-08-2010, 01:10 PM
Dominick Grift

Selinux - Clamav

On Tue, Jun 08, 2010 at 11:13:07AM +0100, Frank Murphy wrote:
> On 07/06/10 18:38, Frank Murphy wrote:
> --snip--
>
> > Then reproduce. To go back to hiding hidden denials: semodule -B
> >>
> >> Does it work in permissive mode?
> >>>
> >
> > Have now set permissive on clamd & clamscan.
> > Will let you know result tomorrow.
> >
> My bad it's a cron warning, not from logwatch.
>
>
> Still getting below with "Selinux Manager > process domain > clamd
> clamscan permissive"

Looks like a bug in policy. Only clamd_t is allowed to execmem when clamd_use_jit is set.
clamscan_t is not included in this boolean. Please consider reporting this bug to Fedora Bugzilla.

Please include that AVC denial (there should be an AVC denial if it is really clamscan that needs the execmem, like you seem to suggest). If true, you can also include the fix:

tunable_policy(`clamd_use_jit',`
allow clamscan_t self:process execmem;
',`
dontaudit clamscan_t self:process execmem;
')

>
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
> clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
> clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
>
>
>
> --
> Regards,
>
> Frank Murphy
> UTF_8 Encoded
> Friend of Fedora
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
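
Added example, not part of the original thread: one way to confirm from the audit log which domain is actually being denied execmem, and whether it is the clamd_t domain that the reply above says clamd_use_jit covers. The AVC records are constructed samples in the usual audit.log layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1275991987.101:412): avc:  denied  { execmem } for  pid=2210 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1275991990.340:413): avc:  denied  { read } for  pid=2210 comm="clamscan" name="tmp" dev=dm-0 ino=131 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1275992100.007:420): avc:  denied  { execmem } for  pid=2301 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=process
EOF
}

# Read AVC records on stdin; print "count domain comm" for every source
# domain that was denied execmem on the process class.
execmem_domains() {
    awk '
    /avc:/ && /denied/ && /execmem/ && /tclass=process/ {
        dom = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> the type is the third field
            if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
        }
        if (dom != "") n[dom " " comm]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Domains denied execmem that are not clamd_t, i.e. not named by the
# boolean according to the reply above. Any output here means that
# setsebool -P clamd_use_jit on cannot clear the denial by itself.
uncovered_by_boolean() {
    execmem_domains | awk -v covered="clamd_t" '$2 != covered { print $2 }' | sort -u
}

sample_avc | uncovered_by_boolean
```

On a live system the input would come from the audit log after loading policy with semodule -DB, as suggested earlier in the thread, instead of from sample_avc.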
 

All times are GMT.