* Running Java and JVM on SELinux
@ 2017-04-03 23:26 Rahmadi Trimananda
  2017-04-04  1:54 ` William Roberts
  0 siblings, 1 reply; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-03 23:26 UTC (permalink / raw)
  To: selinux


Hi All,

I am trying to run javac and java on my Raspbian while SELinux is enabled.
However, I keep getting "Segmentation fault", even when I just run "javac"
or "java". This happens in enforcing mode, but it doesn't happen with
"gcc". I am wondering why, because both are in /usr/bin directory and both
binaries have the same context.

Can somebody please help?

Thank you so much!

Regards,
Rahmadi



* Re: Running Java and JVM on SELinux
  2017-04-03 23:26 Running Java and JVM on SELinux Rahmadi Trimananda
@ 2017-04-04  1:54 ` William Roberts
  2017-04-04  2:12   ` Rahmadi Trimananda
  0 siblings, 1 reply; 17+ messages in thread
From: William Roberts @ 2017-04-04  1:54 UTC (permalink / raw)
  To: Rahmadi Trimananda; +Cc: selinux


Do you see any "avc: denied" messages in dmesg/syslog? If so send them.

On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:

> Hi All,
>
> I am trying to run javac and java on my Raspbian while SELinux is enabled.
> However, I keep getting "Segmentation fault", even when I just run "javac"
> or "java". This happens in enforcing mode, but it doesn't happen with
> "gcc". I am wondering why, because both are in /usr/bin directory and both
> binaries have the same context.
>
> Can somebody please help?
>
> Thank you so much!
>
> Regards,
> Rahmadi
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>



* Re: Running Java and JVM on SELinux
  2017-04-04  1:54 ` William Roberts
@ 2017-04-04  2:12   ` Rahmadi Trimananda
  2017-04-04  2:17     ` William Roberts
  2017-04-04 14:47     ` Stephen Smalley
  0 siblings, 2 replies; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04  2:12 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux


This is the result of "dmesg | grep avc". Please let me know if you need
more information about my system (RaspberryPi 2 running Raspbian Jessie).

[    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate }
for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
[    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm
} for  pid=1 comm="systemd" capability=35
 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=capability2 permissive=1
[    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack }
for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
[    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
[    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
for  pid=95 comm="systemd-fstab-g"
path="/usr/lib/arm-linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file permissive=1
[    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack }
for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
[    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
[    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack
} for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
[    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
mmap_zero } for  pid=243 comm="alsactl"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
permissive=1
[    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
execstack } for  pid=243 comm="alsactl"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
[    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
execmem } for  pid=243 comm="alsactl"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
[    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
ino=3 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
[    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
execmod } for  pid=243 comm="alsactl"
path="/usr/lib/arm-linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
[    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
[    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
[    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
create } for  pid=243 comm="alsactl" name="asound.state.lock"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
[    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
read write open } for  pid=243 comm="alsactl"
path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
[    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>
> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>
>> Hi All,
>>
>> I am trying to run javac and java on my Raspbian while SELinux is
>> enabled. However, I keep getting "Segmentation fault", even when I just run
>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>> both binaries have the same context.
>>
>> Can somebody please help?
>>
>> Thank you so much!
>>
>> Regards,
>> Rahmadi
>>
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
>


-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -



* Re: Running Java and JVM on SELinux
  2017-04-04  2:12   ` Rahmadi Trimananda
@ 2017-04-04  2:17     ` William Roberts
  2017-04-04  2:35       ` Rahmadi Trimananda
  2017-04-04 14:47     ` Stephen Smalley
  1 sibling, 1 reply; 17+ messages in thread
From: William Roberts @ 2017-04-04  2:17 UTC (permalink / raw)
  To: Rahmadi Trimananda; +Cc: selinux


On Apr 3, 2017 19:12, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:

This is the result of "dmesg | grep avc". Please let me know if you need
more information about my system (RaspberryPi 2 running Raspbian Jessie).

[    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate }
for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
[    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm
} for  pid=1 comm="systemd" capability=35  scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
[    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack }
for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
[    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
[    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
for  pid=95 comm="systemd-fstab-g"
path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
[    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack }
for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
[    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
[    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack
} for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
[    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
mmap_zero } for  pid=243 comm="alsactl"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
permissive=1
[    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
execstack } for  pid=243 comm="alsactl"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
[    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
execmem } for  pid=243 comm="alsactl"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
[    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
ino=3 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:plymouthd_t:s0
tclass=fd permissive=1
[    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
execmod } for  pid=243 comm="alsactl"
path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
[    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0
tclass=dir permissive=1
[    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0
tclass=dir permissive=1
[    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
create } for  pid=243 comm="alsactl" name="asound.state.lock"
scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0
tclass=file permissive=1
[    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
read write open } for  pid=243 comm="alsactl"
path="/run/lock/asound.state.lock"
dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
[    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1



I don't see anything that would prevent running javac offhand, perhaps
others more versed in the desktop side can help tomorrow morning.

Make sure you run javac so we can see any avc messages generated for it.
Also run javac in strace and see where it's dying. Does this work in
permissive mode? I.e. sudo setenforce 0?


On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>
> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>
>> Hi All,
>>
>> I am trying to run javac and java on my Raspbian while SELinux is
>> enabled. However, I keep getting "Segmentation fault", even when I just run
>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>> both binaries have the same context.
>>
>> Can somebody please help?
>>
>> Thank you so much!
>>
>> Regards,
>> Rahmadi
>>
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
>


-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -



* Re: Running Java and JVM on SELinux
  2017-04-04  2:17     ` William Roberts
@ 2017-04-04  2:35       ` Rahmadi Trimananda
  2017-04-04  2:38         ` Rahmadi Trimananda
                           ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04  2:35 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux


I have more error messages from /var/log/audit/audit.log if this is of any
use for you. And yeah, it works in permissive mode (sudo setenforce 0).
BTW, what do you mean by "run javac in strace"?

iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
 pid=1656 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for
 pid=1759 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491262641.248:924): avc:  denied  { mmap_zero } for
 pid=1792 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263457.665:1069): avc:  denied  { mmap_zero } for
 pid=1945 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1945
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263668.304:1140): avc:  denied  { mmap_zero } for
 pid=1977 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for
 pid=2176 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
type=AVC msg=audit(1491273200.654:1273): avc:  denied  { mmap_zero } for
 pid=2190 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001 gid=1001
ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin javac" sig=11

On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

>
>
> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>
> This is the result of "dmesg | grep avc". Please let me know if you need
> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>
> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate
> } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm
> } for  pid=1 comm="systemd" capability=35  scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack
> } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
> for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
> for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack
> } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
> for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack
> } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
> mmap_zero } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
> execstack } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
> execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
> use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
> ino=3 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
> execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
> write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
> add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
> create } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
> read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
> getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
>
>
> I don't see anything that would prevent running javac offhand, perhaps
> others more versed in the desktop side can help tomorrow morning.
>
> Make sure you run javac so we can see any avc messages generated for it.
> Also run javac in strace and see where it's dying. Does this work in
> permissive mode? I.e. sudo setenforce 0?
>
>
> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail.com>
> wrote:
>
>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>
>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to run javac and java on my Raspbian while SELinux is
>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>> both binaries have the same context.
>>>
>>> Can somebody please help?
>>>
>>> Thank you so much!
>>>
>>> Regards,
>>> Rahmadi
>>>
>>>
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to
>>> Selinux-request@tycho.nsa.gov.
>>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>
>
>


-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


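The audit.log excerpt above contains the whole causal chain for the segfault in three record types that share an audit serial or a pid: the AVC record with the denied permission and `permissive=0/1`, the SYSCALL record with `success=no exit=-13`, and the ANOM_ABEND record with `sig=11` for the same pid a few milliseconds later. The following script is an added example, not code from the thread or from any SELinux tool; it parses both the audit.log form and the `dmesg` form of these records, groups them by serial, and pairs every denial with its syscall outcome and any crash of the same pid inside a short window, which is the check William asked for ("does this work in permissive mode?") done over the log rather than by hand. The sample input is constructed from the values posted in the thread, and `parse_record`, `correlate` and `explain` are names chosen here.

```python
"""Correlate SELinux AVC denials with the syscall outcome and crash that follow.

Added example, not code from the thread: it reads audit.log-style records
(or the dmesg rendering of the same records), groups them by audit serial,
and for each AVC denial reports whether the policy was enforcing, how the
syscall in that event ended, and whether the same pid abended shortly after.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's audit.log output: one
# enforcing-mode javac event that ends in sig=11 and one permissive-mode
# event that does not. Field values are taken from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for  pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for  pid=2176 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00 items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
"""

# dmesg prints the same records as "[ts] audit: type=1400 audit(...): ..." with
# numeric record types; map the ones this example cares about to audit.log names.
_DMESG_PREFIX = re.compile(r"^\[\s*[\d.]+\]\s+audit:\s+")
_NUMERIC_TYPES = {"1400": "AVC", "1300": "SYSCALL", "1701": "ANOM_ABEND"}
_RECORD = re.compile(r"^type=(\w+) (?:msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"\bdenied\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Return (type, timestamp, serial, fields) for one audit record, else None.

    For AVC denials the permission set inside "{ ... }" is exposed as fields["perms"].
    """
    line = _DMESG_PREFIX.sub("", line.strip())
    m = _RECORD.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rtype = _NUMERIC_TYPES.get(rtype, rtype)
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    denied = _DENIED.search(body)
    if denied:
        fields["perms"] = denied.group(1).split()
    return rtype, float(ts), int(serial), fields


def correlate(log_text, window_s=5.0):
    """One finding per AVC denial: enforcing?, syscall result, later crash signal.

    Records with the same serial belong to one event (AVC + SYSCALL); the crash
    is a separate ANOM_ABEND event, so it is matched by pid and time instead.
    """
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, {"ts": ts, "records": defaultdict(list)})
        ev["records"][rtype].append(fields)

    abends = [(ev["ts"], f) for ev in events.values() for f in ev["records"]["ANOM_ABEND"]]

    findings = []
    for serial, ev in sorted(events.items()):
        for avc in ev["records"]["AVC"]:
            if "perms" not in avc:
                continue  # not a denial record
            pid = avc.get("pid")
            syscall = (ev["records"]["SYSCALL"] or [{}])[0]
            crash = next((f for t, f in abends
                          if f.get("pid") == pid and 0 <= t - ev["ts"] <= window_s), None)
            findings.append({
                "serial": serial,
                "pid": int(pid) if pid else None,
                "comm": avc.get("comm"),
                "perms": avc["perms"],
                "tclass": avc.get("tclass"),
                "scontext": avc.get("scontext"),
                "enforcing": avc.get("permissive") == "0",
                "syscall_exit": int(syscall["exit"]) if "exit" in syscall else None,
                "crash_signal": int(crash["sig"]) if crash else None,
            })
    return findings


def explain(f):
    """One-line summary of a finding in the order the records occurred."""
    mode = "enforcing" if f["enforcing"] else "permissive"
    s = (f"serial {f['serial']}: {f['comm']} (pid {f['pid']}) denied "
         f"{{ {' '.join(f['perms'])} }} on {f['tclass']} [{mode}]")
    if f["syscall_exit"] is not None:
        s += f"; syscall exit={f['syscall_exit']}"
    if f["crash_signal"] is not None:
        s += f"; same pid then abended with signal {f['crash_signal']}"
    return s


if __name__ == "__main__":
    for finding in correlate(SAMPLE_AUDIT_LOG):
        print(explain(finding))
```

Run against the thread's records, the enforcing event prints `denied { mmap_zero } on memprotect [enforcing]; syscall exit=-13; same pid then abended with signal 11`, while the permissive event shows the same denial logged but `exit=0` and no abend. That pairing, rather than the denial alone, is what justifies attributing a segfault to the policy: a denial with `permissive=1` or without a following ANOM_ABEND for the same pid is noise for this question.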

* Re: Running Java and JVM on SELinux
  2017-04-04  2:35       ` Rahmadi Trimananda
@ 2017-04-04  2:38         ` Rahmadi Trimananda
  2017-04-04  2:52         ` Russell Coker
  2017-04-04  2:57         ` William Roberts
  2 siblings, 0 replies; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04  2:38 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux


More info about javac: according to some blogs/forums, javac/java has to
be of type textrel_shlib_t, and I can see that it has the right type.

iotuser@raspberrypi:~/policy $ ls /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac -Z
system_u:object_r:textrel_shlib_t:SystemLow /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac

On Mon, Apr 3, 2017 at 7:35 PM, Rahmadi Trimananda <rtrimana@uci.edu> wrote:

> I have more error messages from /var/log/audit/audit.log if this is of any
> use for you. And yeah, it works in permissive mode (sudo setenforce 0).
> BTW, what do you mean by "run javac in strace"?
>
> iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
> type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
>  pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
> comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for
>  pid=1759 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
> comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491262641.248:924): avc:  denied  { mmap_zero } for
>  pid=1792 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
> comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491263457.665:1069): avc:  denied  { mmap_zero } for
>  pid=1945 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001
> gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> pid=1945 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491263668.304:1140): avc:  denied  { mmap_zero } for
>  pid=1977 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001
> gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> pid=1977 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for
>  pid=2176 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=1
> type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
> per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
> items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
> type=AVC msg=audit(1491273200.654:1273): avc:  denied  { mmap_zero } for
>  pid=2190 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
> items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001
> gid=1001 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> pid=2190 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin
> javac" sig=11
>
> On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <bill.c.roberts@gmail.com>
> wrote:
>
>>
>>
>> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>>
>> This is the result of "dmesg | grep avc". Please let me know if you need
>> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>>
>> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate
>> } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
>> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  {
>> wake_alarm } for  pid=1 comm="systemd" capability=35
>>  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0
>> tclass=capability2 permissive=1
>> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack
>> } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
>> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
>> for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
>> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
>> for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
>> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
>> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack
>> } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
>> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
>> for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
>> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  {
>> execstack } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
>> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
>> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
>> mmap_zero } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
>> permissive=1
>> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
>> execstack } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
>> permissive=1
>> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
>> execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
>> permissive=1
>> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
>> use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
>> ino=3 scontext=system_u:system_r:syslogd_t:s0
>> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
>> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
>> execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
>> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
>> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
>> write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
>> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
>> add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
>> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
>> create } for  pid=243 comm="alsactl" name="asound.state.lock"
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
>> read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
>> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
>> getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
>> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>>
>>
>>
>> I don't see anything that would prevent running javac offhand, perhaps
>> others more versed in the desktop side can help tomorrow morning.
>>
>> Make sure you run javac so we can see any avc messages generated for it.
>> Also run javac in strace and see where it's dying. Does this work in
>> permissive mode? Ie sudo setenforce 0?
>>
>>
>> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail.com
>> > wrote:
>>
>>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>>
>>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am trying to run javac and java on my Raspbian while SELinux is
>>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>>> both binaries have the same context.
>>>>
>>>> Can somebody please help?
>>>>
>>>> Thank you so much!
>>>>
>>>> Regards,
>>>> Rahmadi
>>>>
>>>>
>>>> _______________________________________________
>>>> Selinux mailing list
>>>> Selinux@tycho.nsa.gov
>>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>>> To get help, send an email containing "help" to
>>>> Selinux-request@tycho.nsa.gov.
>>>>
>>>
>>
>>
>> --
>> Kind regards,
>> Rahmadi Trimananda
>>
>> Ph.D. student @ University of California, Irvine
>> "Stay hungry, stay foolish!" - Steve Jobs -
>>
>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  2:35       ` Rahmadi Trimananda
  2017-04-04  2:38         ` Rahmadi Trimananda
@ 2017-04-04  2:52         ` Russell Coker
  2017-04-04  4:34           ` Rahmadi Trimananda
  2017-04-04  2:57         ` William Roberts
  2 siblings, 1 reply; 17+ messages in thread
From: Russell Coker @ 2017-04-04  2:52 UTC (permalink / raw)
  To: selinux

On Tue, 4 Apr 2017 12:35:47 PM Rahmadi Trimananda wrote:
> I have more error messages from /var/log/audit/audit.log if this is of any
> use for you. And yeah, it works in permissive mode (sudo setenforce 0).
> BTW, what do you mean by "run javac in strace"?
> 
> iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep
> javac
> type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
>  pid=1656 comm="javac"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0

Try permitting that one and see if it changes things.  What version of javac 
are you using?  Is it an old version?

Also when posting such things to the list please include the output of 
audit2allow as well as the raw AVC messages whenever you send more than 2-3 
entries.  When your MUA wraps the lines the result isn't accepted by 
audit2allow and that makes it less convenient for us to process your messages 
(usually audit2allow output is more useful than reading raw AVC log entries).

If there is only a single AVC message then we can all run audit2allow in our 
heads.  ;)

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
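The quoted log above is exactly the case Russell describes: the same denial repeated several times, wrapped by the mail client so that audit2allow cannot read it. The Python script below is an added example by the editor, not code from this thread or from the SELinux tool set. It does in a few dozen lines what audit2allow does with such input (merge AVC records into allow rules, one per source type, target type and class) and adds the check a reviewer wants before loading the result: it flags permissions such as memprotect mmap_zero, which lets a process map memory below vm.mmap_min_addr (the kernel's NULL-pointer-dereference mitigation), and process execmem/execstack, so that they are granted knowingly rather than because a log said so. It also decodes the exit= field of the SYSCALL record: in the records above the denial was raised inside syscall 11 (execve on 32-bit ARM, arch=40000028), which returned -13, EACCES, and the ANOM_ABEND record with sig=11 that follows is the "Segmentation fault" the shell reports. The sample log is constructed from records posted in this thread with the line wrapping undone; the regular expressions and the watch list of permissions are the editor's assumptions, not an official list.

```python
"""Condense raw audit.log records into the allow rules audit2allow would emit,
and flag the permissions that deserve a second look before they are granted."""
import errno
import re
from collections import OrderedDict

# Constructed sample: records posted in this thread, with the mail client's
# line wrapping undone so that each record is on one line (audit2allow has the
# same one-record-per-line requirement, which is why wrapped logs are awkward).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for  pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11 per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500 items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for  pid=1759 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for  pid=2176 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=1
type=AVC msg=audit(1491249900.909:61): avc:  denied  { execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1491249900.959:67): avc:  denied  { read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
"""

# Editor's regular expressions for the two record types used here (assumption:
# the default auditd/kernel field layout shown in the thread).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<serial>[^)]+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<serial>[^)]+)\):.*?syscall=(?P<nr>\d+).*?'
    r'success=(?P<success>\w+) exit=(?P<exit>-?\d+)')

# Permissions audit2allow will happily emit but that weaken a kernel or process
# hardening control. Editor's watch list, not an official one.
REVIEW_PERMS = {
    ('memprotect', 'mmap_zero'): 'map memory below vm.mmap_min_addr (NULL-dereference mitigation)',
    ('process', 'execmem'): 'anonymous writable and executable memory',
    ('process', 'execstack'): 'executable stack',
    ('file', 'execmod'): 'execute a modified (text-relocated) file mapping',
}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(log_text):
    """Yield one dict per AVC denial record found in log_text."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d['perms'] = d['perms'].split()
            d['permissive'] = d['permissive'] == '1'
            yield d


def allow_rules(denials):
    """Merge denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = OrderedDict()
    for d in denials:
        stype, ttype = context_type(d['scontext']), context_type(d['tcontext'])
        key = (stype, 'self' if stype == ttype else ttype, d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (s, t, c), perms in merged.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (s, t, c, body))
    return rules


def needs_review(denials):
    """Return (tclass, perm, why) for every denied permission on the watch list."""
    seen = OrderedDict()
    for d in denials:
        for perm in d['perms']:
            why = REVIEW_PERMS.get((d['tclass'], perm))
            if why:
                seen[(d['tclass'], perm)] = why
    return [(c, p, w) for (c, p), w in seen.items()]


def failed_syscalls(log_text):
    """Map the serial of each failed SYSCALL record to (syscall number, errno name)."""
    out = {}
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if m and m.group('success') == 'no':
            code = -int(m.group('exit'))
            out[m.group('serial')] = (int(m.group('nr')), errno.errorcode.get(code, 'errno %d' % code))
    return out


def summarize(log_text):
    """Everything a list reply needs: rules, enforcing/permissive counts, flagged perms, failures."""
    denials = list(parse_avc(log_text))
    return {
        'rules': allow_rules(denials),
        'enforcing': sum(1 for d in denials if not d['permissive']),
        'permissive': sum(1 for d in denials if d['permissive']),
        'review': needs_review(denials),
        'failures': failed_syscalls(log_text),
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_AUDIT_LOG)
    print('\n'.join(s['rules']))
    print('%d denials in enforcing mode, %d in permissive' % (s['enforcing'], s['permissive']))
    for tclass, perm, why in s['review']:
        print('REVIEW %s:%s -> %s' % (tclass, perm, why))
    for serial, (nr, err) in s['failures'].items():
        print('event %s: syscall %d failed with %s' % (serial, nr, err))
```

To use it on a live box, feed summarize() the output of ausearch -m AVC,SYSCALL,ANOM_ABEND -c javac instead of the constructed sample. For the javac case the single rule is allow unconfined_t self:memprotect mmap_zero; which is what Russell means by running audit2allow in your head. Before wrapping that in a module with audit2allow -M, check with getsebool whether your policy ships a tunable for low mappings (refpolicy-derived policies call it mmap_low_allowed; whether the Raspbian policy has it is an assumption), since a boolean is easier to audit and revert than a custom module that permanently relaxes mmap_min_addr for unconfined_t.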


* Re: Running Java and JVM on SELinux
  2017-04-04  2:35       ` Rahmadi Trimananda
  2017-04-04  2:38         ` Rahmadi Trimananda
  2017-04-04  2:52         ` Russell Coker
@ 2017-04-04  2:57         ` William Roberts
  2017-04-04  2:59           ` William Roberts
  2 siblings, 1 reply; 17+ messages in thread
From: William Roberts @ 2017-04-04  2:57 UTC (permalink / raw)
  To: Rahmadi Trimananda; +Cc: selinux

On Apr 3, 2017 19:35, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:

I have more error messages from /var/log/audit/audit.log if this is of any
use for you. And yeah, it works in permissive mode (sudo setenforce 0).
BTW, what do you mean by "run javac in strace"?

iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep
javac
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
 pid=1656 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for
 pid=1759 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491262641.248:924): avc:  denied  { mmap_zero } for
 pid=1792 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263457.665:1069): avc:  denied  { mmap_zero } for
 pid=1945 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1945
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263668.304:1140): avc:  denied  { mmap_zero } for
 pid=1977 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for
 pid=2176 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
type=AVC msg=audit(1491273200.654:1273): avc:  denied  { mmap_zero } for
 pid=2190 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001 gid=1001
ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11


That's what we're looking for. Looks like MLS issues, but I'd let someone
from the desktop world weigh in. Since you have syscall auditing enabled
you don't need strace. But as far as running javac in strace, something
like: strace javac foo.java would be an example command.




On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

>
>
> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>
> This is the result of "dmesg | grep avc". Please let me know if you need
> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>
> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate
> } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm
> } for  pid=1 comm="systemd" capability=35  scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack
> } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
> for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
> for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack
> } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
> for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack
> } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
> mmap_zero } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
> execstack } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
> execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
> use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
> ino=3 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
> execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
> write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
> add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
> create } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
> read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
> getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
>
>
> I don't see anything that would prevent running javac offhand, perhaps
> others more versed in the desktop side can help tomorrow morning.
>
> Make sure you run javac so we can see any avc messages generated for it.
> Also run javac in strace and see where it's dying. Does this work in
> permissive mode? Ie sudo setenforce 0?
>
>
> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail.com>
> wrote:
>
>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>
>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to run javac and java on my Raspbian while SELinux is
>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>> both binaries have the same context.
>>>
>>> Can somebody please help?
>>>
>>> Thank you so much!
>>>
>>> Regards,
>>> Rahmadi
>>>
>>>
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to
>>> Selinux-request@tycho.nsa.gov.
>>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>
>
>


-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  2:57         ` William Roberts
@ 2017-04-04  2:59           ` William Roberts
  0 siblings, 0 replies; 17+ messages in thread
From: William Roberts @ 2017-04-04  2:59 UTC (permalink / raw)
  To: Rahmadi Trimananda; +Cc: selinux

On Apr 3, 2017 19:57, "William Roberts" <bill.c.roberts@gmail.com> wrote:



On Apr 3, 2017 19:35, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:

I have more error messages from /var/log/audit/audit.log if this is of any
use for you. And yeah, it works in permissive mode (sudo setenforce 0).
BTW, what do you mean by "run javac in strace"?

iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep
javac
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
 pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for
 pid=1759 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491262641.248:924): avc:  denied  { mmap_zero } for
 pid=1792 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263457.665:1069): avc:  denied  { mmap_zero } for
 pid=1945 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1945
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263668.304:1140): avc:  denied  { mmap_zero } for
 pid=1977 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for
 pid=2176 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
type=AVC msg=audit(1491273200.654:1273): avc:  denied  { mmap_zero } for
 pid=2190 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001 gid=1001
ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11


That's what we're looking for. Looks like MLS issues, but I'd let someone
from the desktop world weigh in. Since you have syscall auditing enabled
you don't need strace. But as far as running javac in strace, something
like: strace javac foo.java would be an example command.



Actually I take back that MLS issue, I have no idea, wait for those
qualified for real answers.





On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

>
>
> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:
>
> This is the result of "dmesg | grep avc". Please let me know if you need
> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>
> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate
> } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm
> } for  pid=1 comm="systemd" capability=35  scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack
> } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
> for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
> for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack
> } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
> for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack
> } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
> mmap_zero } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
> execstack } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
> execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
> use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
> ino=3 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
> execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
> write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
> add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
> create } for  pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
> read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
> getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
>
>
> I don't see anything that would prevent running javac offhand, perhaps
> others more versed in the desktop side can help tomorrow morning.
>
> Make sure you run javac so we can see any avc messages generated for it.
> Also run javac in strace and see where it's dying. Does this work in
> permissive mode? Ie sudo setenforce 0?
>
>


-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  2:52         ` Russell Coker
@ 2017-04-04  4:34           ` Rahmadi Trimananda
  2017-04-04  4:53             ` William Roberts
  2017-04-04  5:43             ` Russell Coker
  0 siblings, 2 replies; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04  4:34 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux


Umm, how's the easiest way to permit that one? Do I need to create a local
policy or can I just use a command line? Sorry I am really a newbie. :)

I am using javac 1.8.0_65. It is the same version for the "java" program.

java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)

On Mon, Apr 3, 2017 at 7:52 PM, Russell Coker <russell@coker.com.au> wrote:

> On Tue, 4 Apr 2017 12:35:47 PM Rahmadi Trimananda wrote:
> > I have more error messages from /var/log/audit/audit.log if this is of
> any
> > use for you. And yeah, it works in permissive mode (sudo setenforce 0).
> > BTW, what do you mean by "run javac in strace"?
> >
> > iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep
> > javac
> > type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
> >  pid=1656 comm="javac"
> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tclass=memprotect permissive=0
>
> Try permitting that one and see if it changes things.  What version of
> javac
> are you using?  Is it an old version?
>
> Also when posting such things to the list please include the output of
> auditallow as well as the raw AVC messages whenever you send more than 2-3
> entries.  When your MUA wraps the lines the result isn't accepted by
> audit2allow and that makes it less convenient for us to process your
> messages
> (usually audit2allow output is more useful than reading raw AVC log
> entries).
>
> If there is only a single AVC message then we can all run audit2allow in
> our
> heads.  ;)
>
> --
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  4:34           ` Rahmadi Trimananda
@ 2017-04-04  4:53             ` William Roberts
  2017-04-04  5:43             ` Russell Coker
  1 sibling, 0 replies; 17+ messages in thread
From: William Roberts @ 2017-04-04  4:53 UTC (permalink / raw)
  To: Rahmadi Trimananda; +Cc: russell, selinux


On Apr 3, 2017 21:35, "Rahmadi Trimananda" <rtrimana@uci.edu> wrote:

Umm, how's the easiest way to permit that one? Do I need to create a local
policy or can I just use a command line? Sorry I am really a newbie. :)


That would be a command, but the logs you provided should be enough.


I am using javac 1.8.0_65. It is the same version for the "java" program.

java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)




-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  4:34           ` Rahmadi Trimananda
  2017-04-04  4:53             ` William Roberts
@ 2017-04-04  5:43             ` Russell Coker
  2017-04-04  6:32               ` Rahmadi Trimananda
  1 sibling, 1 reply; 17+ messages in thread
From: Russell Coker @ 2017-04-04  5:43 UTC (permalink / raw)
  To: Rahmadi Trimananda; +Cc: selinux

On Tue, 4 Apr 2017 02:34:14 PM Rahmadi Trimananda wrote:
> Umm, how's the easiest way to permit that one? Do I need to create a local
> policy or can I just use a command line? Sorry I am really a newbie. :)

Run "audit2allow -l -R < /var/log/audit/audit.log > local.te", that will 
generate the policy.

policy_module(local,0.0.0)

Edit local.te to remove allow lines that you don't want and also add the above 
as the first line.

Create a symlink from the example Makefile (which is
/usr/share/doc/selinux-policy-dev/examples/Makefile on Debian if you have the
selinux-policy-dev package installed) to the current directory.  Then run
"make load" and your policy will be compiled and loaded.

> I am using javac 1.8.0_65. It is the same version for the "java" program.
> 
> java version "1.8.0_65"
> Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
> Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)

I'm using openjdk which doesn't appear to require such access.

$ java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-8u121-b13-4-b13)
OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* Re: Running Java and JVM on SELinux
  2017-04-04  5:43             ` Russell Coker
@ 2017-04-04  6:32               ` Rahmadi Trimananda
  2017-04-04  6:37                 ` Rahmadi Trimananda
  0 siblings, 1 reply; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04  6:32 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux


Alright, I am getting a different error this time after giving permission
to mmap_zero. This is after running java or javac in enforcing mode.

Java HotSpot(TM) Client VM warning: INFO: os::commit_memory(0x740ab000,
163840, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 163840 bytes for committing
reserved memory.
# An error report file with more information is saved as:
# /home/iotuser/policy/debug/hs_err_pid2878.log

On Mon, Apr 3, 2017 at 10:43 PM, Russell Coker <russell@coker.com.au> wrote:

> On Tue, 4 Apr 2017 02:34:14 PM Rahmadi Trimananda wrote:
> > Umm, how's the easiest way to permit that one? Do I need to create a
> local
> > policy or can I just use a command line? Sorry I am really a newbie. :)
>
> Run "audit2allow -l -R < /var/log/audit/audit.log > local.te", that will
> generate the policy.
>
> policy_module(local,0.0.0)
>
> Edit local.te to remove allow lines that you don't want and also add the
> above
> as the first line.
>
> Create a symlink from the example Makefile (which is
> /usr/share/doc/selinux-
> policy-dev/examples/Makefile on Debian if you have the selinux-policy-dev
> package installed) to the current directory.  Then run "make load" and your
> policy will be compiled and loaded.
>
> > I am using javac 1.8.0_65. It is the same version for the "java" program.
> >
> > java version "1.8.0_65"
> > Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
> > Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)
>
> I'm using openjdk which doesn't appear to require such access.
>
> $ java -version
> openjdk version "1.8.0_121"
> OpenJDK Runtime Environment (build 1.8.0_121-8u121-b13-4-b13)
> OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)
>
>
> --
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  6:32               ` Rahmadi Trimananda
@ 2017-04-04  6:37                 ` Rahmadi Trimananda
  2017-04-04  6:54                   ` Russell Coker
  0 siblings, 1 reply; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04  6:37 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux


It seems that I need execmem and execstack as well? Here's the output from
audit2allow:

require {
        type unconfined_t;
        class process { execstack execmem };
        class memprotect mmap_zero;
}

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t self:memprotect mmap_zero;

#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process { execstack execmem };
libs_legacy_use_shared_libs(unconfined_t)

On Mon, Apr 3, 2017 at 11:32 PM, Rahmadi Trimananda <rtrimana@uci.edu>
wrote:

> Alright, I am getting a different error this time after giving permission
> to mmap_zero. This is after running java or javac in enforcing mode.
>
> Java HotSpot(TM) Client VM warning: INFO: os::commit_memory(0x740ab000,
> 163840, 1) failed; error='Permission denied' (errno=13)
> #
> # There is insufficient memory for the Java Runtime Environment to
> continue.
> # Native memory allocation (mmap) failed to map 163840 bytes for
> committing reserved memory.
> # An error report file with more information is saved as:
> # /home/iotuser/policy/debug/hs_err_pid2878.log
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -


* Re: Running Java and JVM on SELinux
  2017-04-04  6:37                 ` Rahmadi Trimananda
@ 2017-04-04  6:54                   ` Russell Coker
  0 siblings, 0 replies; 17+ messages in thread
From: Russell Coker @ 2017-04-04  6:54 UTC (permalink / raw)
  To: selinux

On Tue, 4 Apr 2017 04:37:59 PM Rahmadi Trimananda wrote:
> It seems that I need execmem and execstack as well? Here's the output from
> audit2allow:
> 
> require {
>         type unconfined_t;
>         class process { execstack execmem };
>         class memprotect mmap_zero;
> }
> 
> #============= unconfined_t ==============
> 
> #!!!! This avc is allowed in the current policy
> allow unconfined_t self:memprotect mmap_zero;

The "-l" option to audit2allow stops it generating duplicate rules.

> #!!!! This avc can be allowed using the boolean 'allow_execstack'
> allow unconfined_t self:process { execstack execmem };
> libs_legacy_use_shared_libs(unconfined_t)

Run "setsebool -P allow_execstack 1" to allow this.  But maybe try a different 
java system like openjdk.


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
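Russell's procedure (take the audit2allow output, prepend a policy_module() line, drop the allow lines you don't want) and his caveat that mail-wrapped AVC lines are rejected by audit2allow, as an added example that is not part of the thread or of the SELinux tools: a small Python stand-in that rejoins wrapped records, parses the AVC fields, dedupes repeated denials and emits a local.te in the shape of the output Rahmadi posted. The sample log is constructed; the java execstack/execmem records with their pids and serial numbers are invented, and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample audit.log excerpt. The javac mmap_zero record is the one
# posted in the thread, broken across lines the way the mail client wrapped it;
# the java execstack/execmem records (pids 2878/2890, serials 801/802/810) are
# invented here to stand in for the denials audit2allow reported afterwards.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
 pid=1656 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
success=no exit=-13 comm="javac"
type=AVC msg=audit(1491260900.100:801): avc:  denied  { execstack } for
 pid=2878 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1491260900.100:802): avc:  denied  { execmem } for
 pid=2878 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1491260950.200:810): avc:  denied  { execmem } for
 pid=2890 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
"""


def unwrap_records(text):
    """Rejoin records a mail client wrapped. A real audit record always
    begins with "type=", so any other line is glued onto the one before."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return the fields of one AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        # user:role:type[:range]; the type is what policy rules name
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def generate_policy(denials, module_name="local", only_comm=None):
    """Emit a local.te in the shape of the thread's audit2allow output with
    policy_module() as the first line. only_comm keeps one program's denials,
    standing in for the manual 'remove allow lines you don't want' step."""
    rules = OrderedDict()  # (source type, target type, class) -> permissions
    for d in denials:
        if only_comm is not None and d["comm"] != only_comm:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])  # repeats collapse here
    types, classes = set(), {}
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes.setdefault(tclass, set()).update(perms)
    out = ["policy_module(%s,0.0.0)" % module_name, "", "require {"]
    out += ["        type %s;" % t for t in sorted(types)]
    out += ["        class %s %s;" % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    out.append("}")
    by_source = OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        by_source.setdefault(stype, []).append((ttype, tclass, perms))
    for stype, entries in by_source.items():
        out += ["", "#============= %s ==============" % stype]
        for ttype, tclass, perms in entries:
            target = "self" if ttype == stype else ttype
            out.append("allow %s %s:%s %s;" % (stype, target, tclass, fmt_perms(perms)))
    return "\n".join(out) + "\n"


def policy_from_log(text, only_comm=None):
    denials = [d for d in map(parse_avc, unwrap_records(text)) if d is not None]
    return generate_policy(denials, only_comm=only_comm)


if __name__ == "__main__":
    print(policy_from_log(SAMPLE_AUDIT_LOG))
```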


* Re: Running Java and JVM on SELinux
  2017-04-04  2:12   ` Rahmadi Trimananda
  2017-04-04  2:17     ` William Roberts
@ 2017-04-04 14:47     ` Stephen Smalley
  2017-04-04 15:44       ` Rahmadi Trimananda
  1 sibling, 1 reply; 17+ messages in thread
From: Stephen Smalley @ 2017-04-04 14:47 UTC (permalink / raw)
  To: Rahmadi Trimananda, William Roberts, Russell Coker; +Cc: selinux

On Mon, 2017-04-03 at 19:12 -0700, Rahmadi Trimananda wrote:
> This is the result of "dmesg | grep avc". Please let me know if you
> need more information about my system (RaspberryPi 2 running Raspbian
> Jessie).
> 
> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  {
> associate } for  pid=1 comm="systemd" name="pts"
> scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  {
> wake_alarm } for  pid=1 comm="systemd" capability=35
>  scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1

These two are harmless and allowed in Fedora policy.

> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  {
> execstack } for  pid=95 comm="systemd-fstab-g"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  {
> execmem } for  pid=95 comm="systemd-fstab-g"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1

These two are undesirable for security.  Suggests that your userspace
binaries are legacy or built insecurely, with RWE segments.

> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  {
> execmod } for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-
> linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1

This implies that this particular .so file should be assigned the
textrel_shlib_t type instead.

> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  {
> execstack } for  pid=107 comm="mount"
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  {
> execmem } for  pid=107 comm="mount"
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  {
> execstack } for  pid=108 comm="kmod"
> scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1

These fall into the same category as the init_t denials above; not
desirable; indicate legacy or insecurely built userspace.

> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:
>  denied  { mmap_zero } for  pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1

This along with your java denials raises a question about your kernel
config, particularly the value of CONFIG_LSM_MMAP_MIN_ADDR.  Should
match the value of /proc/sys/vm/mmap_min_addr in general.  Defaults to
32K for ARM, 64K for others.

> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:
>  denied  { execstack } for  pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:
>  denied  { execmem } for  pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1

More evidence of insecure userspace.

> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:
>  denied  { use } for  pid=120 comm="systemd-journal"
> path="/dev/pts/0" dev="devpts" ino=3
> scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1

Harmless, allow.

> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:
>  denied  { execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-
> linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1

Label with textrel_shlib_t.

> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:
>  denied  { write } for  pid=243 comm="alsactl" name="/" dev="tmpfs"
> ino=5104 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:
>  denied  { add_name } for  pid=243 comm="alsactl"
> name="asound.state.lock" scontext=system_u:system_r:alsa_t:s0-
> s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> permissive=1
> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:
>  denied  { create } for  pid=243 comm="alsactl"
> name="asound.state.lock" scontext=system_u:system_r:alsa_t:s0-
> s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> permissive=1
> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:
>  denied  { read write open } for  pid=243 comm="alsactl"
> path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:
>  denied  { getattr } for  pid=243 comm="alsactl"
> path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

Allowed by current refpolicy,
commit efce2657e248b5b0ff61fc05e5cae036760a1294
Author: Sven Vermeulen <sven.vermeulen@siphos.be>
Date:   Sat Jul 5 18:19:14 2014 +0200

    Enable asound.state.lock support
    
    asound.state.lock file when managing alsa state operations.
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

diff --git a/alsa.te b/alsa.te
index 814b426..6f7f2f9 100644
--- a/alsa.te
+++ b/alsa.te
@@ -24,6 +24,9 @@ files_tmpfs_file(alsa_tmpfs_t)
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
 
+type alsa_var_lock_t;
+files_lock_file(alsa_var_lock_t)
+
 type alsa_home_t;
 userdom_user_home_content(alsa_home_t)
 
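Review bot: The new alsa_var_lock_t type is declared here, but the diff touches only alsa.te; there is no matching file-context entry for /run/lock/asound.state.lock (the path in the denials above), so only files freshly created through the filetrans rule get the new label, and a restorecon or full relabel would leave an existing lock file as var_lock_t. Suggest adding the alsa.fc entry alongside this declaration.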
@@ -57,6 +60,9 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 
+allow alsa_t alsa_var_lock_t:file manage_file_perms;
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+
 kernel_read_system_state(alsa_t)
 
 corecmd_exec_bin(alsa_t)
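Review bot: Style: `files_lock_filetrans(alsa_t, alsa_var_lock_t, file);` carries a trailing semicolon while every other interface call in the hunk (`manage_files_pattern(...)`, `kernel_read_system_state(alsa_t)`, `corecmd_exec_bin(alsa_t)`) has none; drop it for consistency. Separately, the denials this addresses include write and add_name on the var_lock_t directory itself, so the rule set relies on files_lock_filetrans also granting those directory permissions; worth confirming, since the `allow` line above covers only the file class.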

> 
> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail
> .com> wrote:
> > Do you see any "avc: denied" messages in dmesg/syslog? If so send
> > them.
> > 
> > On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu>
> > wrote:
> > > Hi All,
> > > 
> > > I am trying to run javac and java on my Raspbian while SELinux is
> > > enabled. However, I keep getting "Segmentation fault", even when
> > > I just run "javac" or "java". This happens in enforcing mode, but
> > > it doesn't happen with "gcc". I am wondering why, because both
> > > are in /usr/bin directory and both binaries have the same
> > > context.
> > > 
> > > Can somebody please help?
> > > 
> > > Thank you so much!
> > > 
> > > Regards,
> > > Rahmadi
> > > 
> > > 
> > > _______________________________________________
> > > Selinux mailing list
> > > Selinux@tycho.nsa.gov
> > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > > To get help, send an email containing "help" to Selinux-request@t
> > > ycho.nsa.gov.
> 
> 
> 
> -- 
> Kind regards,
> Rahmadi Trimananda
> 
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho
> .nsa.gov.
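An added example, not code from the thread or from any of its participants: a Python script that applies the classification Stephen gives above (execmem/execstack on a process, execmod on a library, mmap_zero on memprotect, everything else an ordinary policy question) to AVC records, taking them in the mail-wrapped form they appear in here. The sample input is a constructed copy of four of the denials quoted above; the semanage/restorecon commands in textrel_fix are the usual way to relabel a single file and are my addition, not something the thread states.

```python
"""AVC denial triage in the spirit of the reply above: sort denials into
memory-protection problems (execmem/execstack, execmod, mmap_zero) versus
ordinary policy gaps, and say what each one calls for. Added example, not
code from the thread."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: copies of four denials quoted in the thread, kept in the
# mail-wrapped form they appear in (">" prefix, records folded across lines).
SAMPLE_DMESG = """\
> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  {
> execstack } for  pid=95 comm="systemd-fstab-g"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  {
> execmod } for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-
> linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:
>  denied  { mmap_zero } for  pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:
>  denied  { read write open } for  pid=243 comm="alsactl"
> path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]")
QUOTE_RE = re.compile(r"^(\s*>)+\s?")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Process-class permissions that mean "writable and executable memory".
MEMPROT_PROCESS = {"execmem", "execstack", "execheap"}


def unwrap(text: str) -> List[str]:
    """Strip mail quote prefixes and re-join records folded by the mail client.
    A record starts at a dmesg timestamp; any other line continues the previous
    record. If the previous fragment ends inside an open double quote (a path
    split mid-value, as with libarmmem.so above), join without a space."""
    records: List[str] = []
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            sep = "" if records[-1].count('"') % 2 else " "
            records[-1] += sep + line
    return records


def parse_avc(record: str) -> Optional[Dict[str, object]]:
    """Return the permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields: Dict[str, object] = {}
    for key, whole, quoted, bare in FIELD_RE.findall(m.group("rest")):
        fields[key] = quoted if whole.startswith('"') else bare
    fields["perms"] = m.group("perms").split()
    return fields


def classify(d: Dict[str, object]) -> Tuple[str, str]:
    """Map one parsed denial to a category and the action it calls for."""
    perms, tclass = set(d["perms"]), d.get("tclass")
    if tclass == "process" and perms & MEMPROT_PROCESS:
        return ("insecure-userspace",
                "wants writable+executable memory: legacy or RWE-built binary; rebuild, do not allow")
    if tclass == "file" and "execmod" in perms:
        return ("textrel", f"{d.get('path', '?')} needs text relocations; label it textrel_shlib_t")
    if tclass == "memprotect" and "mmap_zero" in perms:
        return ("mmap-min-addr",
                "mapping below mmap_min_addr; compare CONFIG_LSM_MMAP_MIN_ADDR with /proc/sys/vm/mmap_min_addr")
    return ("policy-gap",
            "ordinary access denial; check whether upstream policy already allows it before adding a local rule")


def triage(text: str) -> List[Dict[str, object]]:
    """Parse and classify every AVC denial in mail-wrapped dmesg output."""
    out = []
    for rec in unwrap(text):
        d = parse_avc(rec)
        if d is not None:
            d["category"], d["advice"] = classify(d)
            out.append(d)
    return out


def summarize(text: str) -> Dict[str, int]:
    """Count denials per category."""
    return dict(Counter(d["category"] for d in triage(text)))


def textrel_fix(path: str) -> List[str]:
    """Commands that relabel one shared object as textrel_shlib_t: a persistent
    file-context rule (the pattern is a regex, so '.' is escaped) and restorecon
    to apply it now. Assumed standard SELinux userspace tools, not from the thread."""
    pattern = path.replace(".", r"\.")
    return [f"semanage fcontext -a -t textrel_shlib_t '{pattern}'", f"restorecon -v '{path}'"]


if __name__ == "__main__":
    for d in triage(SAMPLE_DMESG):
        print(f"pid={d['pid']} comm={d['comm']} {d['category']}: {d['advice']}")
    print(summarize(SAMPLE_DMESG))
```

Run it as-is to see the four records sorted into the four categories; point triage() at `dmesg | grep avc` output to use it on a live system. The unwrap step exists only because the logs above were folded by the mail client; on direct dmesg output each record is already one line and it is a no-op.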


* Re: Running Java and JVM on SELinux
  2017-04-04 14:47     ` Stephen Smalley
@ 2017-04-04 15:44       ` Rahmadi Trimananda
  0 siblings, 0 replies; 17+ messages in thread
From: Rahmadi Trimananda @ 2017-04-04 15:44 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: William Roberts, Russell Coker, selinux


Thanks Guys! Actually I tried the OpenJDK Java and Javac and it solves the
problem. I'll try to deal with the other permission problems later as I
build up my knowledge.

I'll ask more questions in a separate thread about policies, as I found fewer
examples online about generating local policies.
Thanks!

On Tue, Apr 4, 2017 at 7:47 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Mon, 2017-04-03 at 19:12 -0700, Rahmadi Trimananda wrote:
> > This is the result of "dmesg | grep avc". Please let me know if you
> > need more information about my system (RaspberryPi 2 running Raspbian
> > Jessie).
> >
> > [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  {
> > associate } for  pid=1 comm="systemd" name="pts"
> > scontext=system_u:object_r:devpts_t:s0
> > tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> > [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  {
> > wake_alarm } for  pid=1 comm="systemd" capability=35
> >  scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
>
> These two are harmless and allowed in Fedora policy.
>
> > [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  {
> > execstack } for  pid=95 comm="systemd-fstab-g"
> > scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> > [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  {
> > execmem } for  pid=95 comm="systemd-fstab-g"
> > scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
>
> These two are undesirable for security.  Suggests that your userspace
> binaries are legacy or built insecurely, with RWE segments.
>
> > [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  {
> > execmod } for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-
> > linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
> > scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
>
> This implies that this particular .so file should be assigned the
> textrel_shlib_t type instead.
>
> > [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  {
> > execstack } for  pid=107 comm="mount"
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> > [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  {
> > execmem } for  pid=107 comm="mount"
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> > [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  {
> > execstack } for  pid=108 comm="kmod"
> > scontext=system_u:system_r:insmod_t:s0
> > tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
>
> These fall into the same category as the init_t denials above; not
> desirable; indicate legacy or insecurely built userspace.
>
> > [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:
> >  denied  { mmap_zero } for  pid=243 comm="alsactl"
> > scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> > permissive=1
>
> This along with your java denials raises a question about your kernel
> config, particularly the value of CONFIG_LSM_MMAP_MIN_ADDR.  Should
> match the value of /proc/sys/vm/mmap_min_addr in general.  Defaults to
> 32K for ARM, 64K for others.
>
> > [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:
> >  denied  { execstack } for  pid=243 comm="alsactl"
> > scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> > permissive=1
> > [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:
> >  denied  { execmem } for  pid=243 comm="alsactl"
> > scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> > permissive=1
>
> More evidence of insecure userspace.
>
> > [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:
> >  denied  { use } for  pid=120 comm="systemd-journal"
> > path="/dev/pts/0" dev="devpts" ino=3
> > scontext=system_u:system_r:syslogd_t:s0
> > tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
>
> Harmless, allow.
>
> > [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:
> >  denied  { execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-
> > linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391
> > scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
>
> Label with textrel_shlib_t.
>
> > [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:
> >  denied  { write } for  pid=243 comm="alsactl" name="/" dev="tmpfs"
> > ino=5104 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> > [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:
> >  denied  { add_name } for  pid=243 comm="alsactl"
> > name="asound.state.lock" scontext=system_u:system_r:alsa_t:s0-
> > s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> > permissive=1
> > [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:
> >  denied  { create } for  pid=243 comm="alsactl"
> > name="asound.state.lock" scontext=system_u:system_r:alsa_t:s0-
> > s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> > permissive=1
> > [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:
> >  denied  { read write open } for  pid=243 comm="alsactl"
> > path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816
> > scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> > [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:
> >  denied  { getattr } for  pid=243 comm="alsactl"
> > path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816
> > scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
> Allowed by current refpolicy,
> commit efce2657e248b5b0ff61fc05e5cae036760a1294
> Author: Sven Vermeulen <sven.vermeulen@siphos.be>
> Date:   Sat Jul 5 18:19:14 2014 +0200
>
>     Enable asound.state.lock support
>
>     asound.state.lock file when managing alsa state operations.
>
>     Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
>
> diff --git a/alsa.te b/alsa.te
> index 814b426..6f7f2f9 100644
> --- a/alsa.te
> +++ b/alsa.te
> @@ -24,6 +24,9 @@ files_tmpfs_file(alsa_tmpfs_t)
>  type alsa_var_lib_t;
>  files_type(alsa_var_lib_t)
>
> +type alsa_var_lock_t;
> +files_lock_file(alsa_var_lock_t)
> +
>  type alsa_home_t;
>  userdom_user_home_content(alsa_home_t)
>
> @@ -57,6 +60,9 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
>  manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
>  manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
>
> +allow alsa_t alsa_var_lock_t:file manage_file_perms;
> +files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
> +
>  kernel_read_system_state(alsa_t)
>
>  corecmd_exec_bin(alsa_t)
>
> >
> > On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@gmail
> > .com> wrote:
> > > Do you see any "avc: denied" messages in dmesg/syslog? If so send
> > > them.
> > >
> > > On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@uci.edu>
> > > wrote:
> > > > Hi All,
> > > >
> > > > I am trying to run javac and java on my Raspbian while SELinux is
> > > > enabled. However, I keep getting "Segmentation fault", even when
> > > > I just run "javac" or "java". This happens in enforcing mode, but
> > > > it doesn't happen with "gcc". I am wondering why, because both
> > > > are in /usr/bin directory and both binaries have the same
> > > > context.
> > > >
> > > > Can somebody please help?
> > > >
> > > > Thank you so much!
> > > >
> > > > Regards,
> > > > Rahmadi
> > > >
> > > >
> > > > _______________________________________________
> > > > Selinux mailing list
> > > > Selinux@tycho.nsa.gov
> > > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > > > To get help, send an email containing "help" to Selinux-request@t
> > > > ycho.nsa.gov.
> >
> >
> >
> > --
> > Kind regards,
> > Rahmadi Trimananda
> >
> > Ph.D. student @ University of California, Irvine
> > "Stay hungry, stay foolish!" - Steve Jobs -
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho
> > .nsa.gov.
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -



Thread overview: 17+ messages
2017-04-03 23:26 Running Java and JVM on SELinux Rahmadi Trimananda
2017-04-04  1:54 ` William Roberts
2017-04-04  2:12   ` Rahmadi Trimananda
2017-04-04  2:17     ` William Roberts
2017-04-04  2:35       ` Rahmadi Trimananda
2017-04-04  2:38         ` Rahmadi Trimananda
2017-04-04  2:52         ` Russell Coker
2017-04-04  4:34           ` Rahmadi Trimananda
2017-04-04  4:53             ` William Roberts
2017-04-04  5:43             ` Russell Coker
2017-04-04  6:32               ` Rahmadi Trimananda
2017-04-04  6:37                 ` Rahmadi Trimananda
2017-04-04  6:54                   ` Russell Coker
2017-04-04  2:57         ` William Roberts
2017-04-04  2:59           ` William Roberts
2017-04-04 14:47     ` Stephen Smalley
2017-04-04 15:44       ` Rahmadi Trimananda
