Dominick wrote:
> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
>> I've got the java wants to write, and execmem errors. audit2allow gives me this:
>>
>> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
>> allow httpd_sys_script_t self:process { execmem getsched };
>> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
>
> Label the target in this interaction (usr_t file) with type bin_t. You can find the location and/or the inode of the location in the AVC denial.

Right, *thank* you. Took care of both files (from rules one and three).

>> What would be the impact of implementing this policy on a server visible to the world? Would it open up some huge, known hole?
> <snip>
> By allowing the second line of policy you allow all generic httpd system scripts to execute anonymous memory and you allow them to set the schedule on their own process.
>
> info about execmem:

Thanks, I'll look at that tomorrow (I'm getting ready to leave for the day).

How about this one: we're stuck with CA's SiteMinder, and it wants, apparently, to rotate its logs. The AVC is

type=AVC msg=audit(1271964387.568:10240): avc: denied { rename } for pid=7171 comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

I'm in permissive mode on this box, but I've got several others that aren't. audit2allow gives me
<snip>
allow httpd_t httpd_log_t:file rename;
allow httpd_t java_exec_t:file { read getattr execute execute_no_trans };
allow httpd_t proc_net_t:dir search;
allow httpd_t proc_net_t:file { read getattr };
allow httpd_t self:process { execstack execmem };

Do I have mislabeled files there, as well? If not, what would be the impact of, say, the java rule, or the dir search rule?
mark
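The question of what each audit2allow rule would actually grant is worth answering before the rules go into a local policy module. The following Python script is an added example, not from this list thread or from any SELinux tool: it parses audit2allow-style allow rules (the sample is constructed from the rules quoted above) and flags the permissions the thread discusses, i.e. execmem and execstack, and execute/execute_no_trans on data types such as usr_t or nfs_t, where relabeling the file (bin_t, as Dominick suggests) is the fix rather than a new rule. The DATA_TYPES set is an assumption for illustration.

```python
import re

# Permissions whose grant deserves review before the rule is loaded
# (reasons summarised from the thread: execmem lets the domain map
# anonymous writable+executable memory; execstack makes the stack executable).
RISKY = {
    "execmem": "domain may map anonymous executable memory (weakens W^X)",
    "execstack": "domain may make its own stack executable",
    "execute_no_trans": "file runs inside the caller's domain, no domain transition",
}
# Assumed list of generic data types: an execute permission on one of
# these usually means a binary is mislabeled, not that policy is missing.
DATA_TYPES = {"usr_t", "nfs_t", "var_t", "tmp_t", "default_t"}

# allow <source> <target>:<class> { p1 p2 ... };   or   allow s t:c perm;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

def parse_rules(text):
    """Return (source, target, class, [perms]) tuples from audit2allow output."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = (m.group(4) or m.group(5)).split()
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def triage(text):
    """Map each rule (as a one-line string) to the review notes it triggers."""
    findings = {}
    for src, tgt, cls, perms in parse_rules(text):
        key = f"allow {src} {tgt}:{cls} {' '.join(perms)}"
        notes = [f"{p}: {RISKY[p]}" for p in perms if p in RISKY]
        if cls == "file" and tgt in DATA_TYPES and {"execute", "execute_no_trans"} & set(perms):
            notes.append(f"likely mislabel: {tgt} target; relabel the file (e.g. bin_t) instead")
        findings[key] = notes
    return findings

# Constructed sample, taken from the rules quoted in the thread above.
SAMPLE = """
allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
allow httpd_sys_script_t self:process { execmem getsched };
allow httpd_t httpd_log_t:file rename;
allow httpd_t java_exec_t:file { read getattr execute execute_no_trans };
allow httpd_t proc_net_t:dir search;
allow httpd_t self:process { execstack execmem };
"""

if __name__ == "__main__":
    for rule, notes in triage(SAMPLE).items():
        print(rule, "->", "; ".join(notes) if notes else "no flags")
```

Rules that come back with no flags (the log rename, the /proc/net search) are the ones that are usually safe to keep as a small local module; the flagged ones are where relabeling or a narrower fix should be tried first.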