[Pkg-clamav-devel] Bug#588599: tracking it down
Russell Coker
russell at coker.com.au
Mon Jul 12 09:39:09 UTC 2010
cli_bytecode_init_jit() in libclamav/c++/bytecode2llvm.cpp in the clamav
source tree has the following:

    sys::MemoryBlock B = sys::Memory::AllocateRWX(4096, NULL, &ErrMsg);
    if (B.base() == 0) {
        errs() << MODULE << ErrMsg << "\n";
    #ifdef __linux__
        errs() << MODULE << "SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access\n";
    #endif
        errs() << MODULE << "falling back to interpreter mode\n";
        return 0;
    } else {
        sys::Memory::ReleaseRWX(B);
    }

The fact that the developers assumed that SE Linux is the only mechanism that
prevents RWX access is interesting.
In the SE Linux policy the boolean in question only applies to the clamd_t
domain, not the freshclam_t domain, but for some reason freshclam uses the jit
anyway. Should we put in a dontaudit rule for freshclam_t (to silently deny
execmem and force using the interpreter all the time) or include it in the
boolean section so that it gets execmem access if clamd_t gets it?
Also on my system the error message about SE Linux doesn't seem to get written
to the log file, so I only found it by reading the source.
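The two options raised above, written out in refpolicy syntax as an added illustration; this is not a patch from this thread or from the clamav policy module, and it assumes freshclam_t and the clamd_use_jit tunable are declared in the same module:

```m4
# Option 1: silently deny execmem to freshclam_t so the bytecode
# engine always falls back to the interpreter, with no AVC noise.
dontaudit freshclam_t self:process execmem;

# Option 2: tie freshclam_t to the same boolean as clamd_t, so both
# domains gain or lose execmem together when the admin runs
# `setsebool -P clamd_use_jit on|off`.
tunable_policy(`clamd_use_jit',`
	allow freshclam_t self:process execmem;
',`
	dontaudit freshclam_t self:process execmem;
')
```

With neither rule in place, each freshclam run that tries the JIT leaves an execmem denial in the audit log while the program quietly continues in interpreter mode; `ausearch -m avc -c freshclam` shows whether that is happening.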