Bug 1469167 - RFE: create a plugin which analyzes execmem denials
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: setroubleshoot-plugins
7.4
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Petr Lautrbach
Milos Malik
: FutureFeature
Reported: 2017-07-10 10:44 EDT by Milos Malik
Modified: 2017-08-01 03:46 EDT
Type: Bug
Description Milos Malik 2017-07-10 10:44:49 EDT
Description of problem:
* there are setroubleshoot plugins which are able to analyze execheap, execmod and execstack AVCs, but there is no plugin which would be able to correctly analyze execmem AVCs and which would provide relevant advice
* selinux-policy brings several booleans related to execmem AVCs

Version-Release number of selected component (if applicable):
setroubleshoot-server-3.2.28-3.el7.x86_64
setroubleshoot-3.2.28-3.el7.x86_64
setroubleshoot-plugins-3.0.65-1.el7.noarch

How reproducible:
* always

Actual results:
* allow_execmem plugin does not exist

Expected results:
* allow_execmem plugin exists

Additional info:
# getsebool -a | grep execmem
boinc_execmem --> off
cluster_use_execmem --> off
cups_execmem --> off
deny_execmem --> off
glance_use_execmem --> off
httpd_execmem --> on
virt_use_execmem --> on
xserver_execmem --> off
#
Comment 2 Milos Malik 2017-07-10 10:57:28 EDT
Filed with upstream as https://github.com/fedora-selinux/setroubleshoot/issues/55
