Impact?

m.roth at 5-cent.us
Thu Apr 22 21:24:48 UTC 2010


Dominick wrote:
> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth at 5-cent.us wrote:
>> I've got the java wants to write, and execmem errors. audit2allow gives
>> me this:
>> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
>> allow httpd_sys_script_t self:process { execmem getsched };
>> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
>
> label the target in this interaction (usr_t file) with type bin_t. You can
> find the location and/or the inode of the location in the AVC denial.

Right, *thank* you. Took care of both files (from rule one and three).
>>
>> What would be the impact of implementing this policy on a server visible
>> to the world? Would it open up some huge, known hole?
<snip>
> By allowing the second line of policy you allow all generic httpd system
> scripts to execute anonymous memory and you allow them to set schedule on
> its own process.
>
> info about execmem:
>
> http://people.redhat.com/drepper/selinux-mem.html

Thanks, I'll look at that tomorrow (I'm getting ready to leave for the day).

How about this one: we're stuck with CA's SiteMinder, and it wants,
apparently, to rotate its logs. The AVC is
type=AVC msg=audit(1271964387.568:10240): avc:  denied  { rename } for 
pid=7171 comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

I'm in permissive mode on this box, but I've got several others that
aren't. audit2allow gives me
<snip>
allow httpd_t httpd_log_t:file rename;
allow httpd_t java_exec_t:file { read getattr execute execute_no_trans };
allow httpd_t proc_net_t:dir search;
allow httpd_t proc_net_t:file { read getattr };
allow httpd_t self:process { execstack execmem };

Do I have mislabeled files there, as well; if not, what would be the
impact of, say, the java rule, or the dir search rule?

        mark
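A small triage helper for denials like the ones in this thread, added here as an example (it is not part of the thread, nor of audit2allow): it parses raw AVC lines, reconstructs the allow rule audit2allow would print for each, and sorts them into "risky" (execmem/execstack-style process permissions), "relabel" (execute on a usr_t file, where fixing the label is the answer, as suggested above) and "review". The first sample line is the SiteMinder denial from the post; the other two are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the SiteMinder rename denial quoted in the post,
# plus two lines in the same format (made up here) that hit the other branches.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1271964387.568:10240): avc:  denied  { rename } for  pid=7171 comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1271964400.100:10241): avc:  denied  { execmem } for  pid=7171 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1271964401.200:10242): avc:  denied  { execute execute_no_trans } for  pid=7180 comm="httpd" name="runme" dev=sda3 ino=46108099 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions that weaken W^X / non-executable-stack mitigations.
RISKY_PERMS = {"execmem", "execstack", "execheap"}
# (target type, permission) pairs where the fix is relabeling the file
# (e.g. to bin_t, as suggested in the thread), not a new allow rule.
RELABEL_HINTS = {("usr_t", "execute"), ("usr_t", "execute_no_trans")}

@dataclass
class Denial:
    perms: list   # permissions listed inside { } in the AVC line
    fields: dict  # key=value pairs after "for": pid, comm, scontext, ...
    def source_type(self):
        return self.fields["scontext"].split(":")[2]
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]
    def rule(self):
        """Equivalent of the one-line allow rule audit2allow would emit."""
        tgt = "self" if self.source_type() == self.target_type() else self.target_type()
        p = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type()} {tgt}:{self.fields['tclass']} {p};"
    def triage(self):
        if RISKY_PERMS & set(self.perms):
            return "risky"    # read the execmem writeup before allowing this
        if any((self.target_type(), p) in RELABEL_HINTS for p in self.perms):
            return "relabel"  # mislabeled target, fix the label instead
        return "review"       # ordinary denial, judge on a per-rule basis

def parse_avc(text):
    """Parse AVC denial lines from raw audit.log text into Denial objects."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
            denials.append(Denial(m.group("perms").split(), fields))
    return denials
```

Running `parse_avc` over a real audit.log and printing `d.triage()` next to `d.rule()` gives a quick first pass before anything goes into a policy module.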


