
SELinux Mailing List

lots of execmem failures with 2.6.10

From: Greg Norris <haphazard_at_kc.rr.com>
Date: Wed, 12 Jan 2005 05:26:30 -0600


When trying to boot a 2.6.10 kernel, with the SELinux patch from the NSA website applied, I'm getting a LOT of denial messages such as the ones shown below. This hoses the boot process to the point where the box is essentially unusable (no networking, impossible to log on at the console, etc.). Under 2.6.9, the same policy works just fine.

   audit(1105293465.527:0): avc:  denied  { execmem } for  pid=237 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
   audit(1105293465.663:0): avc:  denied  { execmem } for  pid=240 comm=touch scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
   audit(1105293466.661:0): avc:  denied  { execmem } for  pid=259 comm=sync scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
   audit(1105293466.716:0): avc:  denied  { execmem } for  pid=262 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process

I haven't seen any mention of this on the list... any idea what's going on? My policy source files are from cvs, as of three weeks or so ago. I don't mind updating to current cvs if necessary, but don't see any obvious updates relating to execmem. The server is an old Pentium II box (nothing at all unusual about it), running Debian sid.

I can update my policy to allow the execmem easily enough, but would expect to find it already in cvs if this was an expected issue. Any thoughts?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Wed 12 Jan 2005 - 06:27:00 EST
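
Added example, not part of the original message or of any SELinux tooling: a small Python triage script that parses the denial lines quoted in the message and groups them by source type, target type, class and permission, so a flood of AVC messages collapses into the distinct denials behind it. The function names are hypothetical, and the parser assumes the unquoted key=value layout shown in this message.

```python
import re
from collections import defaultdict

# The four denial lines quoted in the message above.
SAMPLE = """\
audit(1105293465.527:0): avc:  denied  { execmem } for  pid=237 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1105293465.663:0): avc:  denied  { execmem } for  pid=240 comm=touch scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1105293466.661:0): avc:  denied  { execmem } for  pid=259 comm=sync scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1105293466.716:0): avc:  denied  { execmem } for  pid=262 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Fields are whitespace-separated key=value pairs; values containing
    # spaces are not handled (assumption: layout as in the message above).
    rec = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    rec["perms"] = m.group("perms").split()
    rec["ts"] = float(m.group("ts"))
    return rec

def type_of(context):
    """Security contexts are user:role:type[:range]; return the type."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
                   rec["tclass"], perm)
            groups[key]["count"] += 1
            groups[key]["comms"].add(rec.get("comm", "?").strip('"'))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perm), g in summarize(SAMPLE).items():
        print(f"{g['count']}x {src} -> {tgt} {cls}:{perm} comms={sorted(g['comms'])}")
```

Run over the quoted lines, all four denials fall into one group: the same domain requesting the same process permission on itself, from three different commands.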
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service