From: William Roberts
Date: Mon, 3 Apr 2017 19:57:54 -0700
Subject: Re: Running Java and JVM on SELinux
To: Rahmadi Trimananda
Cc: selinux@tycho.nsa.gov
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On Apr 3, 2017 19:35, "Rahmadi Trimananda" wrote:

I have more error messages from /var/log/audit/audit.log if this is of any use for you. And yeah, it works in permissive mode (sudo setenforce 0). BTW, what do you mean by "run javac in strace"?

iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc: denied { mmap_zero } for pid=1759 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491262641.248:924): avc: denied { mmap_zero } for pid=1792 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263457.665:1069): avc: denied { mmap_zero } for pid=1945 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1945 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263668.304:1140): avc: denied { mmap_zero } for pid=1977 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc: denied { mmap_zero } for pid=2176 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00 items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
type=AVC msg=audit(1491273200.654:1273): avc: denied { mmap_zero } for pid=2190 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00 items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001 gid=1001 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin javac" sig=11

That's what we're looking for. Looks like MLS issues, but I'd let someone from the desktop world weigh in. Since you have syscall auditing enabled you don't need strace. But as far as running javac in strace, something like: strace javac foo.java would be an example command.

On Mon, Apr 3, 2017 at 7:17 PM, William Roberts wrote:

>
>
> On Apr 3, 2017 19:12, "Rahmadi Trimananda" wrote:
>
> This is the result of "dmesg | grep avc". Please let me know if you need
> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>
> [ 2.275229] audit: type=1400 audit(2.249:3): avc: denied { associate
> } for pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [ 2.577155] audit: type=1400 audit(2.549:4): avc: denied { wake_alarm
> } for pid=1 comm="systemd" capability=35 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
> [ 2.601211] audit: type=1400 audit(2.569:5): avc: denied { execstack
> } for pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [ 2.601321] audit: type=1400 audit(2.569:6): avc: denied { execmem }
> for pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [ 2.605393] audit: type=1400 audit(2.579:7): avc: denied { execmod }
> for pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [ 3.201440] audit: type=1400 audit(3.169:8): avc: denied { execstack
> } for pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [ 3.201499] audit: type=1400 audit(3.169:9): avc: denied { execmem }
> for pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [ 3.217575] audit: type=1400 audit(3.189:10): avc: denied { execstack
> } for pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
> [ 5.291711] audit: type=1400 audit(1491249900.889:59): avc: denied {
> mmap_zero } for pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [ 5.304205] audit: type=1400 audit(1491249900.909:60): avc: denied {
> execstack } for pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [ 5.304582] audit: type=1400 audit(1491249900.909:61): avc: denied {
> execmem } for pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [ 5.306197] audit: type=1400 audit(1491249900.909:62): avc: denied {
> use } for pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
> ino=3 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
> [ 5.355105] audit: type=1400 audit(1491249900.959:63): avc: denied {
> execmod } for pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [ 5.357519] audit: type=1400 audit(1491249900.959:64): avc: denied {
> write } for pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [ 5.357705] audit: type=1400 audit(1491249900.959:65): avc: denied {
> add_name } for pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [ 5.358083] audit: type=1400 audit(1491249900.959:66): avc: denied {
> create } for pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [ 5.358671] audit: type=1400 audit(1491249900.959:67): avc: denied {
> read write open } for pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [ 5.358893] audit: type=1400 audit(1491249900.959:68): avc: denied {
> getattr } for pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
>
>
> I don't see anything that would prevent running javac offhand, perhaps
> others more versed in the desktop side can help tomorrow morning.
>
> Make sure you run javac so we can see any avc messages generated for it.
> Also run javac in strace and see where it's dying. Does this work in
> permissive mode? Ie sudo setenforce 0?
>
>
> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts
> wrote:
>
>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>
>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" wrote:
>>
>>> Hi All,
>>>
>>> I am trying to run javac and java on my Raspbian while SELinux is
>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>> both binaries have the same context.
>>>
>>> Can somebody please help?
>>>
>>> Thank you so much!
>>>
>>> Regards,
>>> Rahmadi
>>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>

--
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


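An added example, not part of the original messages: one way to read the audit.log excerpt in this thread is to join each AVC denial to the SYSCALL record that shares its audit serial and to a following ANOM_ABEND for the same pid. The function names are hypothetical, the sample records are modelled on the thread's log with fields trimmed, and the decode tables cover only the values that appear there.

```python
import re
from collections import defaultdict

# Sample records modelled on the audit.log excerpt in the thread, with the
# SYSCALL and ANOM_ABEND fields trimmed to the ones used below.
SAMPLE_LOG = """\
type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11 per=800000 success=no exit=-13 ppid=989 pid=1656 comm="javac"
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 pid=1656 comm="javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc: denied { mmap_zero } for pid=2176 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11 per=800000 success=yes exit=0 ppid=2125 pid=2176 comm="javac"
"""

# Decodings for the values seen in the thread only (arch=40000028 is 32-bit ARM).
ARM_SYSCALLS = {11: "execve"}
ERRNOS = {13: "EACCES"}
SIGNALS = {11: "SIGSEGV"}

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{([^}]*)\}")


def parse_records(text):
    """Turn audit.log lines into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, ts, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        rec.update(type=rtype, time=float(ts), serial=int(serial))
        if rtype == "AVC":
            p = PERMS.search(body)
            rec["perms"] = p.group(1).split() if p else []
        records.append(rec)
    return records


def summarize_denials(records, crash_window=1.0):
    """Join each AVC denial to its SYSCALL record (same serial) and to a
    later ANOM_ABEND for the same pid (different serial, close in time)."""
    by_serial = defaultdict(dict)
    for rec in records:
        by_serial[rec["serial"]][rec["type"]] = rec
    crashes = [r for r in records if r["type"] == "ANOM_ABEND"]
    summary = []
    for serial in sorted(by_serial):
        avc = by_serial[serial].get("AVC")
        if avc is None:
            continue
        sc = by_serial[serial].get("SYSCALL", {})
        crash = next((c for c in crashes if c.get("pid") == avc.get("pid")
                      and 0 <= c["time"] - avc["time"] <= crash_window), None)
        exit_code = int(sc.get("exit", "0"))
        summary.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "perms": avc["perms"],
            "tclass": avc.get("tclass"),
            # permissive=0 means the denial was enforced, not just logged
            "enforced": avc.get("permissive") == "0",
            "syscall": ARM_SYSCALLS.get(int(sc["syscall"])) if "syscall" in sc else None,
            "succeeded": sc.get("success") == "yes",
            "errno": ERRNOS.get(-exit_code),
            "crash_signal": SIGNALS.get(int(crash["sig"])) if crash else None,
        })
    return summary


if __name__ == "__main__":
    for row in summarize_denials(parse_records(SAMPLE_LOG)):
        print(row)
```

On the sample, the enforced denial (serial 793) pairs with a failed execve and a SIGSEGV abend, while the permissive=1 denial (serial 1264) is logged but the call succeeds.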