On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@xxxxxxxxx wrote:
> I've got the java wants to write, and execmem errors. audit2allow gives me
> this:
> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
> allow httpd_sys_script_t self:process { execmem getsched };
> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };

Label the target in this interaction (the usr_t file) with type bin_t. You can find the location and/or the inode of the location in the AVC denial.

> What would be the impact of implementing this policy on a server visible
> to the world? Would it open up some huge, known hole?

The impact would be that all generic httpd system scripts will be able to execute files with type nfs_t (nfs mount files) and run them in the caller's (httpd_sys_script_t) domain.

By allowing the second line of policy you allow all generic httpd system scripts to execute anonymous memory and you allow them to set the schedule on their own process. Info about execmem: http://people.redhat.com/drepper/selinux-mem.html

The third and last rule signals a mislabeled file. You should label that file with the generic type for binaries (bin_t). If you would allow httpd_sys_script_t (generic httpd system scripts) to execute files with type usr_t, then generic httpd system scripts will be allowed to execute generic files in /usr (not encouraged).

> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
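The triage the reply performs, as an added example that is not part of the thread and not from any SELinux tool: a small POSIX sh script that reads raw AVC denial lines from the generic httpd script domain and sorts them into "mislabeled file, relabel it bin_t" (execute on usr_t), "real policy widening" (execute on nfs_t, execmem on self) and "other". The four audit lines are constructed for the example; the classification of usr_t as a mislabel and nfs_t/execmem as genuine widening follows the reply's reasoning, and the semanage/restorecon commands in the advice text are the standard relabeling tools, not something the thread itself shows.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Triage AVC denials from
# httpd_sys_script_t: is this a mislabeled file (relabel with bin_t) or a
# rule that would genuinely widen policy? All audit lines are CONSTRUCTED.

AVC_NFS='type=AVC msg=audit(1271967958.101:41): avc:  denied  { execute execute_no_trans } for  pid=2201 comm="sh" name="run.sh" dev=0:21 ino=9301 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'
AVC_MEM='type=AVC msg=audit(1271967958.102:42): avc:  denied  { execmem } for  pid=2202 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process'
AVC_USR='type=AVC msg=audit(1271967958.103:43): avc:  denied  { execute } for  pid=2203 comm="sh" name="helper" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'
AVC_WRITE='type=AVC msg=audit(1271967958.104:44): avc:  denied  { write } for  pid=2204 comm="java" name="cache.db" dev=sda1 ino=5150 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# Pull one key=value field (tclass, tcontext, name, dev, ino, ...) out of a line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The permission set inside "denied { ... }", e.g. "execute execute_no_trans".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Type component of an SELinux context (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one denial: prints mislabel | nfs_exec | execmem | other
classify_avc() {
    cl_tclass=$(avc_field "$1" tclass)
    cl_ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    cl_perms=" $(avc_perms "$1") "
    if [ "$cl_tclass" = process ]; then
        case "$cl_perms" in
            *" execmem "*) echo execmem; return 0 ;;
        esac
    elif [ "$cl_tclass" = file ]; then
        case "$cl_perms" in
            *" execute "*|*" execute_no_trans "*)
                case "$cl_ttype" in
                    usr_t) echo mislabel; return 0 ;;  # generic /usr file: relabel it
                    nfs_t) echo nfs_exec; return 0 ;;  # would let scripts run NFS files
                esac ;;
        esac
    fi
    echo other
}

# Advice per classification, mirroring the reply's reasoning.
advice_for() {
    case "$1" in
        mislabel) echo "relabel the file bin_t (semanage fcontext -a -t bin_t '<path>'; restorecon -v '<path>') rather than allowing execute on usr_t" ;;
        nfs_exec) echo "allowing this lets every httpd_sys_script_t script execute nfs_t files in its own domain" ;;
        execmem)  echo "allowing execmem lets scripts execute anonymous memory; see http://people.redhat.com/drepper/selinux-mem.html" ;;
        *)        echo "no rule of thumb; read the denial" ;;
    esac
}

# Where to look for the file: name, device and inode are in the denial itself.
avc_target() {
    echo "name=$(avc_field "$1" name) dev=$(avc_field "$1" dev) ino=$(avc_field "$1" ino)"
}

for l in "$AVC_NFS" "$AVC_MEM" "$AVC_USR" "$AVC_WRITE"; do
    c=$(classify_avc "$l")
    printf '%-9s %s\n' "$c" "$(advice_for "$c")"
    if [ "$c" = mislabel ]; then
        printf '          locate: %s\n' "$(avc_target "$l")"
    fi
done
```

In practice the same functions can be fed real lines with `grep 'scontext=.*httpd_sys_script_t' /var/log/audit/log | while read -r l; do classify_avc "$l"; done`; the point of the split is that only the `other` and widening classes should ever end up in an audit2allow module, while `mislabel` is fixed with a label change and no policy at all.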