plugins: Add plugin which analyzes execmem denials

The plugin reacts to all execmem AVCs, suggesting a possibility to
switch a boolean if the access can be allowed by one, or report the
issue when no boolean can allow the access.

"Safe" version:
type=AVC msg=audit(1475320275.871:1076): avc: denied { execmem } for
pid=30139 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
SELinux is preventing php-fpm from using the execmem access on a process.
***** Plugin allow_execmem (53.1 confidence) suggests ************
If you know why php-fpm needs to map a memory region that is both
executable and writable and understand that this is a potential
security problem.
Then you can allow the mapping by switching one of the following
booleans: httpd_execmem
Do
follow the advice of the catchall_boolean plugin, otherwise contact
your security administrator and report this issue
***** Plugin catchall_boolean (42.6 confidence) suggests **********
If you want to allow httpd scripts and modules execmem/execstack
Then you must tell SELinux about this by enabling the 'httpd_execmem'
boolean. You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_execmem 1
--------------------------------------------------------------------

"Unsafe" version:
type=AVC msg=audit(1475320275.871:1076): avc: denied { execmem } for
pid=30139 comm="php-fpm" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
***** Plugin allow_execmem (91.4 confidence) suggests ************
If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be
compromised.
Do
contact your security administrator and report this issue
--------------------------------------------------------------------

Fixes:
https://github.com/fedora-selinux/setroubleshoot/issues/55
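The decision logic described above (react only to execmem process denials, suggest a boolean when the source domain has one, otherwise report), as an added stand-alone example. This is not the setroubleshoot plugin's own code: the AVC parser is written from scratch, the two sample audit lines are the ones quoted in this message joined onto single lines, and the EXECMEM_BOOLEANS table is a constructed stand-in for the policy lookup the real plugin performs (only the httpd_t -> httpd_execmem pair comes from this message).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Matches the permission set and the trailing key=value fields of an AVC record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
# Matches key=value pairs; quoted values (comm="php-fpm") keep their spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed mapping "source domain -> booleans that would allow execmem".
# Assumption for this example; the real plugin derives this from the loaded
# policy rather than from a hard-coded table.
EXECMEM_BOOLEANS: Dict[str, List[str]] = {
    "httpd_t": ["httpd_execmem"],
}


@dataclass
class Avc:
    perms: Set[str]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        # scontext looks like user:role:type:level; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def enforced(self) -> bool:
        # permissive=1 means the access was allowed and only logged.
        return self.fields.get("permissive", "0") == "0"


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one audit AVC line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(perms, fields)


def analyze_execmem(line: str) -> Optional[Dict[str, object]]:
    """Return a verdict for execmem process denials, None for everything else.

    verdict "boolean": a boolean exists that would allow the mapping, so the
    analyst can decide whether the program legitimately needs W+X memory.
    verdict "report": no boolean can allow it; treat as a possible compromise.
    """
    avc = parse_avc(line)
    if avc is None or "execmem" not in avc.perms or avc.fields.get("tclass") != "process":
        return None
    domain = avc.source_type
    booleans = EXECMEM_BOOLEANS.get(domain, [])
    result: Dict[str, object] = {
        "comm": avc.fields.get("comm"),
        "domain": domain,
        "enforced": avc.enforced,
    }
    if booleans:
        result["verdict"] = "boolean"
        result["booleans"] = booleans
        result["advice"] = "setsebool -P %s 1" % booleans[0]
    else:
        result["verdict"] = "report"
        result["advice"] = "contact your security administrator and report this issue"
    return result


# Sample lines constructed from the two AVC records quoted in this message.
SAFE_LINE = (
    'type=AVC msg=audit(1475320275.871:1076): avc: denied { execmem } for '
    'pid=30139 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1'
)
UNSAFE_LINE = (
    'type=AVC msg=audit(1475320275.871:1076): avc: denied { execmem } for '
    'pid=30139 comm="php-fpm" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1'
)

if __name__ == "__main__":
    for line in (SAFE_LINE, UNSAFE_LINE):
        print(analyze_execmem(line))
```

Note that both sample records carry permissive=1, so the mapping actually succeeded and was only logged; the "enforced" flag in the result lets a detection pipeline treat a permissive-mode execmem in an unexpected domain as an event to investigate rather than as a blocked attempt.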