From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v346c36Q013933; Tue, 4 Apr 2017 02:38:03 -0400
Received: by mail-wr0-f174.google.com with SMTP id k6so194688449wre.2; Mon, 03 Apr 2017 23:38:01 -0700 (PDT)
References: <201704041252.05196.russell@coker.com.au> <201704041543.24065.russell@coker.com.au>
From: Rahmadi Trimananda
Date: Mon, 3 Apr 2017 23:37:59 -0700
Subject: Re: Running Java and JVM on SELinux
To: Russell Coker
Cc: selinux@tycho.nsa.gov
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

It seems that I need execmem and execstack as well? Here's the output from audit2allow:

require {
        type unconfined_t;
        class process { execstack execmem };
        class memprotect mmap_zero;
}

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t self:memprotect mmap_zero;

#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process { execstack execmem };
libs_legacy_use_shared_libs(unconfined_t)

On Mon, Apr 3, 2017 at 11:32 PM, Rahmadi Trimananda wrote:
> Alright, I am getting a different error this time after giving permission
> to mmap_zero. This is after running java or javac in enforcing mode.
>
> Java HotSpot(TM) Client VM warning: INFO: os::commit_memory(0x740ab000,
> 163840, 1) failed; error='Permission denied' (errno=13)
> #
> # There is insufficient memory for the Java Runtime Environment to continue.
> # Native memory allocation (mmap) failed to map 163840 bytes for
> committing reserved memory.
> # An error report file with more information is saved as:
> # /home/iotuser/policy/debug/hs_err_pid2878.log
>
> On Mon, Apr 3, 2017 at 10:43 PM, Russell Coker wrote:
>> On Tue, 4 Apr 2017 02:34:14 PM Rahmadi Trimananda wrote:
>> > Umm, how's the easiest way to permit that one? Do I need to create a
>> > local policy or can I just use a command line? Sorry I am really a newbie. :)
>>
>> Run "audit2allow -l -R < /var/log/audit/audit.log > local.te", that will
>> generate the policy.
>>
>> policy_module(local,0.0.0)
>>
>> Edit local.te to remove allow lines that you don't want and also add the
>> above as the first line.
>>
>> Create a symlink from the example Makefile (which is
>> /usr/share/doc/selinux-policy-dev/examples/Makefile on Debian if you have
>> the selinux-policy-dev package installed) to the current directory. Then
>> run "make load" and your policy will be compiled and loaded.
>>
>> > I am using javac 1.8.0_65. It is the same version for the "java" program.
>> >
>> > java version "1.8.0_65"
>> > Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
>> > Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)
>>
>> I'm using openjdk which doesn't appear to require such access.
>>
>> $ java -version
>> openjdk version "1.8.0_121"
>> OpenJDK Runtime Environment (build 1.8.0_121-8u121-b13-4-b13)
>> OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)
>>
>> > On Mon, Apr 3, 2017 at 7:52 PM, Russell Coker wrote:
>> > > On Tue, 4 Apr 2017 12:35:47 PM Rahmadi Trimananda wrote:
>> > > > I have more error messages from /var/log/audit/audit.log if this is
>> > > > of any use for you. And yeah, it works in permissive mode (sudo
>> > > > setenforce 0). BTW, what do you mean by "run javac in strace"?
>> > > >
>> > > > iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
>> > > > type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for
>> > > > pid=1656 comm="javac"
>> > > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> > > > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> > > > tclass=memprotect permissive=0
>> > >
>> > > Try permitting that one and see if it changes things. What version of
>> > > javac are you using? Is it an old version?
>> > >
>> > > Also when posting such things to the list please include the output of
>> > > auditallow as well as the raw AVC messages whenever you send more than
>> > > 2-3 entries. When your MUA wraps the lines the result isn't accepted by
>> > > audit2allow and that makes it less convenient for us to process your
>> > > messages (usually audit2allow output is more useful than reading raw AVC
>> > > log entries).
>> > >
>> > > If there is only a single AVC message then we can all run audit2allow in
>> > > our heads. ;)
>> > >
>> > > --
>> > > My Main Blog http://etbe.coker.com.au/
>> > > My Documents Blog http://doc.coker.com.au/
>>
>> --
>> My Main Blog http://etbe.coker.com.au/
>> My Documents Blog http://doc.coker.com.au/
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -

--
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -
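The raw AVC record quoted in this thread, the audit2allow fragment that was generated from it, and the remark that mail-client line wrapping makes such records unusable can all be seen in one small parser. The following is an added example, not code from the thread and not the real audit2allow: it rejoins audit.log records that were wrapped across lines, groups denials by source type, target type and object class, prints a .te fragment in the same require/allow layout, and separately lists any exec* grants so they can be reviewed before the module is loaded (the "remove allow lines that you don't want" step above). The mmap_zero record is the one quoted in the thread; the execmem/execstack records, the SYSCALL line and every function name are constructed for the example.

```python
"""Stand-in for the part of audit2allow this thread relies on (added example,
not the real tool). Rejoins MUA-wrapped AVC records, extracts the denial, and
renders a require/allow fragment, flagging exec* permissions for review."""
import re
from collections import defaultdict

# Constructed sample log. Record 793 is the javac denial quoted in the thread,
# deliberately wrapped across lines the way the mail client wrapped it.
# Records 801/802 are constructed stand-ins for the execmem/execstack denials
# that the thread's audit2allow output implies; they are not captured data.
# The SYSCALL line is constructed to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
 pid=1656 comm="javac"
 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): success=no exit=-13 comm="javac"
type=AVC msg=audit(1491260900.100:801): avc:  denied  { execmem } for  pid=2878 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1491260900.101:802): avc:  denied  { execstack } for  pid=2878 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

AVC_RE = re.compile(r"^type=AVC\b.*?\bavc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# process-class permissions that relax W^X for the whole domain; the
# audit2allow output in the thread itself points at the allow_execstack
# boolean for two of them. Worth a human look before "make load".
EXEC_PERMS = {"execmem", "execstack", "execheap", "execmod"}


def rejoin_wrapped(text):
    """Glue continuation lines back onto their record.

    audit.log records are single lines starting with 'type='; anything else
    is treated as a fragment of the previous record (the MUA-wrapping case
    the thread complains about).
    """
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def context_type(ctx):
    """'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' -> 'unconfined_t'"""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(denied permissions)}."""
    rules = defaultdict(set)
    for record in rejoin_wrapped(text):
        m = AVC_RE.match(record)
        if not m:
            continue  # SYSCALL, PATH, granted AVCs, etc.
        fields = dict(FIELD_RE.findall(m.group("rest")))
        try:
            key = (context_type(fields["scontext"]),
                   context_type(fields["tcontext"]),
                   fields["tclass"])
        except KeyError:
            continue  # truncated record: do not guess at the missing field
        rules[key].update(m.group("perms").split())
    return dict(rules)


def risky_grants(rules):
    """The subset of would-be allow rules that hand out exec* permissions."""
    return {k: v & EXEC_PERMS for k, v in rules.items()
            if k[2] == "process" and v & EXEC_PERMS}


def render_policy(rules):
    """Emit a .te fragment in the require/allow layout audit2allow uses."""
    types = sorted({t for k in rules for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)

    def perm_list(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

    out = ["require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, perm_list(p)) for c, p in sorted(classes.items())]
    out.append("}")
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # audit2allow's 'self' shorthand
        out.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_list(perms)))
    return "\n".join(out)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    print(render_policy(denials))
    for key, perms in risky_grants(denials).items():
        print("# review before loading: %s gains %s" % (key[0], " ".join(sorted(perms))))
```

Feeding the wrapped record through `rejoin_wrapped` is what lets the later stages accept a copy-pasted mail; on a real box you would read `/var/log/audit/audit.log` directly and, as the thread says, prefer audit2allow's own output for anything longer than a couple of entries.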