From: William Roberts <bill.c.roberts@gmail.com>
To: Rahmadi Trimananda <rtrimana@uci.edu>
Cc: selinux@tycho.nsa.gov
Subject: Re: Running Java and JVM on SELinux
Date: Mon, 3 Apr 2017 19:57:54 -0700	[thread overview]
Message-ID: <CAFftDdor2dnN=gKPuDYrYaHxsvinx6Mszzjnq9+Cs049p+i0=g@mail.gmail.com> (raw)
In-Reply-To: <CAHFUiBO6wYvSURpf72Qy7z1TkMtPrEd6ajC8Ox-RFPBC3jj_ZA@mail.gmail.com>


On Apr 3, 2017 19:35, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:

I have more error messages from /var/log/audit/audit.log if this is of any
use for you. And yeah, it works in permissive mode (sudo setenforce 0).
BTW, what do you mean by "run javac in strace"?

iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
 pid=1656 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for
 pid=1759 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491262641.248:924): avc:  denied  { mmap_zero } for
 pid=1792 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263457.665:1069): avc:  denied  { mmap_zero } for
 pid=1945 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1945
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263668.304:1140): avc:  denied  { mmap_zero } for
 pid=1977 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for
 pid=2176 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
type=AVC msg=audit(1491273200.654:1273): avc:  denied  { mmap_zero } for
 pid=2190 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001 gid=1001
ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11


That's what we're looking for. Looks like MLS issues, but I'd let someone
from the desktop world weigh in. Since you have syscall auditing enabled
you don't need strace. But as far as running javac in strace, something
like: strace javac foo.java would be an example command.




On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

>
>
> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>
> This is the result of "dmesg | grep avc". Please let me know if you need
> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>
> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate
> } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm
> } for  pid=1 comm="systemd" capability=35  scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack
> } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
> for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
> for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack
> } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
> for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack
> } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
> mmap_zero } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
> execstack } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
> execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
> use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
> ino=3 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
> execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
> write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
> add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
> create } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
> read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
> getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
>
>
> I don't see anything that would prevent running javac offhand, perhaps
> others more versed in the desktop side can help tomorrow morning.
>
> Make sure you run javac so we can see any avc messages generated for it.
> Also run javac in strace and see where it's dying. Does this work in
> permissive mode? I.e. sudo setenforce 0?
>
>
> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail.com>
> wrote:
>
>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>
>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to run javac and java on my Raspbian while SELinux is
>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>> both binaries have the same context.
>>>
>>> Can somebody please help?
>>>
>>> Thank you so much!
>>>
>>> Regards,
>>> Rahmadi
>>>
>>>
>>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>
>
>


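As an added example (not code from this thread or from the SELinux project), a small Python correlator for audit.log records of the kind posted above: it joins each AVC denial to the SYSCALL record carrying the same audit serial, and to an ANOM_ABEND for the same pid shortly after, so a defender can see which denials were enforced, which syscalls failed (exit=-13) and which ended in the javac SIGSEGV. The sample records are constructed from the thread's entries (with fields trimmed); the dmesg `audit: type=1400 ...` format is not handled.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's audit.log: an enforced mmap_zero denial that
# ends in SIGSEGV (ANOM_ABEND sig=11), then the same denial logged in permissive mode.
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for  pid=1656 comm="javac"'
    ' scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0',
    'type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11 success=no exit=-13'
    ' pid=1656 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"',
    'type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 pid=1656 comm="javac" sig=11',
    'type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for  pid=2176 comm="javac"'
    ' scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=1',
    'type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11 success=yes exit=0'
    ' pid=2176 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"',
])

HDR = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value pairs; comm/exe are quoted
PERMS = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # AVC permission set is not key=value

def parse_records(text):
    """Yield (type, timestamp, serial, fields) for every well-formed audit.log line."""
    for line in text.splitlines():
        if m := HDR.match(line):
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in KV.findall(body)}
            fields['perms'] = (PERMS.findall(body) or [''])[0].split()  # empty unless AVC
            yield rtype, float(ts), int(serial), fields

def correlate_denials(text, abend_window=1.0):
    """Join each AVC to the SYSCALL sharing its serial and to an ANOM_ABEND for the same pid."""
    by_serial, abends = defaultdict(dict), []
    for rtype, ts, serial, f in parse_records(text):
        if rtype == 'ANOM_ABEND':
            abends.append((ts, f))
        else:
            by_serial[serial][rtype] = (ts, f)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        if 'AVC' in recs:
            ts, avc = recs['AVC']
            sc = recs.get('SYSCALL', (None, {}))[1]       # absent when syscall auditing is off
            crash = next((a for t, a in abends
                          if a.get('pid') == avc.get('pid') and 0 <= t - ts <= abend_window), None)
            findings.append({'comm': avc.get('comm'), 'exe': sc.get('exe'), 'perms': avc['perms'],
                             'tclass': avc.get('tclass'), 'enforced': avc.get('permissive') == '0',
                             'syscall_failed': sc.get('success') == 'no',
                             'crashed': crash.get('sig') if crash else None})
    return findings
```

Run `correlate_denials(open('/var/log/audit/audit.log').read())` on a real log; a finding with `enforced` set and `crashed == '11'` is exactly the pattern in this thread, while `enforced` unset shows what the policy would have denied in permissive mode.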


Thread overview: 17+ messages
2017-04-03 23:26 Running Java and JVM on SELinux Rahmadi Trimananda
2017-04-04  1:54 ` William Roberts
2017-04-04  2:12   ` Rahmadi Trimananda
2017-04-04  2:17     ` William Roberts
2017-04-04  2:35       ` Rahmadi Trimananda
2017-04-04  2:38         ` Rahmadi Trimananda
2017-04-04  2:52         ` Russell Coker
2017-04-04  4:34           ` Rahmadi Trimananda
2017-04-04  4:53             ` William Roberts
2017-04-04  5:43             ` Russell Coker
2017-04-04  6:32               ` Rahmadi Trimananda
2017-04-04  6:37                 ` Rahmadi Trimananda
2017-04-04  6:54                   ` Russell Coker
2017-04-04  2:57         ` William Roberts [this message]
2017-04-04  2:59           ` William Roberts
2017-04-04 14:47     ` Stephen Smalley
2017-04-04 15:44       ` Rahmadi Trimananda
