execmod avcs from today's policy

Stephen Smalley sds at epoch.ncsc.mil
Fri Jan 28 18:55:51 UTC 2005


On Fri, 2005-01-28 at 11:38, Tom London wrote:
> Jan 28 07:54:57 fedora kernel: audit(1106927697.979:0): avc:  denied 
> { execmod } for  pid=3549 comm=java path=/lib/libc-2.3.4.so dev=hda2
> ino=3178539 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:shlib_t tclass=file

Naturally, relabeling libc to texrel_shlib_t isn't an option.
Likewise for ld.so.  java needs to run in its own domain so that we only
have to give execmod to shlib_t to specific domains, not the base user
domain.  Care to make one?

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
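
An added example, not part of the original message: a small Python triage script that parses AVC denials like the one quoted above and lists which commands hit `execmod` while running in a broad domain, which are the candidates for a domain of their own. The `BASE_DOMAINS` set and the second log line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SAMPLE_LOG = (
    # The denial quoted in the message, rejoined onto one line (mail wrapping removed).
    "Jan 28 07:54:57 fedora kernel: audit(1106927697.979:0): avc:  denied "
    "{ execmod } for  pid=3549 comm=java path=/lib/libc-2.3.4.so dev=hda2 "
    "ino=3178539 scontext=user_u:user_r:user_t "
    "tcontext=system_u:object_r:shlib_t tclass=file\n"
    # Constructed line, not from the page: a different permission, to show filtering.
    "Jan 28 07:55:02 fedora kernel: audit(1106927702.100:0): avc:  denied "
    "{ read } for  pid=3600 comm=cat path=/tmp/x dev=hda2 ino=42 "
    "scontext=user_u:user_r:user_t tcontext=system_u:object_r:tmp_t tclass=file\n"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

# Assumption for this example: domains too broad to be granted execmod.
BASE_DOMAINS = {"user_t"}

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass", "comm"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # Contexts here are user:role:type; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def execmod_report(log_text):
    """Map (source type, target type, class) to the commands denied execmod."""
    report = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"]:
            report[(rec["source_type"], rec["target_type"], rec["tclass"])].add(rec["comm"])
    return {key: sorted(comms) for key, comms in report.items()}

def needs_own_domain(report):
    """Commands that triggered execmod denials while running in a base domain."""
    return sorted({c for (src, _, _), comms in report.items()
                   if src in BASE_DOMAINS for c in comms})

if __name__ == "__main__":
    print(needs_own_domain(execmod_report(SAMPLE_LOG)))
```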



