Alright, I am getting a different error this time after giving permission to mmap_zero. This is after running java or javac in enforcing mode.

Java HotSpot(TM) Client VM warning: INFO: os::commit_memory(0x740ab000, 163840, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 163840 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /home/iotuser/policy/debug/hs_err_pid2878.log

On Mon, Apr 3, 2017 at 10:43 PM, Russell Coker wrote:
> On Tue, 4 Apr 2017 02:34:14 PM Rahmadi Trimananda wrote:
> > Umm, how's the easiest way to permit that one? Do I need to create a local
> > policy or can I just use a command line? Sorry I am really a newbie. :)
>
> Run "audit2allow -l -R < /var/log/audit/audit.log > local.te", that will
> generate the policy.
>
> policy_module(local,0.0.0)
>
> Edit local.te to remove allow lines that you don't want and also add the above
> as the first line.
>
> Create a symlink from the example Makefile (which is
> /usr/share/doc/selinux-policy-dev/examples/Makefile on Debian if you have the
> selinux-policy-dev package installed) to the current directory. Then run
> "make load" and your policy will be compiled and loaded.
>
> > I am using javac 1.8.0_65. It is the same version for the "java" program.
> >
> > java version "1.8.0_65"
> > Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
> > Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)
>
> I'm using openjdk which doesn't appear to require such access.
>
> $ java -version
> openjdk version "1.8.0_121"
> OpenJDK Runtime Environment (build 1.8.0_121-8u121-b13-4-b13)
> OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)
>
> > On Mon, Apr 3, 2017 at 7:52 PM, Russell Coker wrote:
> > > On Tue, 4 Apr 2017 12:35:47 PM Rahmadi Trimananda wrote:
> > > > I have more error messages from /var/log/audit/audit.log if this is of
> > > > any use for you. And yeah, it works in permissive mode (sudo setenforce 0).
> > > > BTW, what do you mean by "run javac in strace"?
> > > >
> > > > iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
> > > > type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for
> > > > pid=1656 comm="javac"
> > > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > tclass=memprotect permissive=0
> > >
> > > Try permitting that one and see if it changes things. What version of javac
> > > are you using? Is it an old version?
> > >
> > > Also when posting such things to the list please include the output of
> > > auditallow as well as the raw AVC messages whenever you send more than
> > > 2-3 entries. When your MUA wraps the lines the result isn't accepted by
> > > audit2allow and that makes it less convenient for us to process your messages
> > > (usually audit2allow output is more useful than reading raw AVC log entries).
> > >
> > > If there is only a single AVC message then we can all run audit2allow in our
> > > heads. ;)
> > >
> > > --
> > > My Main Blog http://etbe.coker.com.au/
> > > My Documents Blog http://doc.coker.com.au/
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

--
Kind regards,
Rahmadi Trimananda
Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs
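An added example, not from the thread or from the audit2allow tool itself, of the "run audit2allow in our heads" step Russell describes: it re-joins AVC records that a mail client wrapped across lines, pulls the fields out of each denial, and reduces them to an audit2allow-style allow rule. SAMPLE_LOG is constructed from the javac AVC quoted in the thread plus a wrapped copy and a SYSCALL record; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the javac AVC from the thread, a second copy that a mail
# client wrapped across lines, and a non-AVC record that must be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for pid=1656 comm="javac" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0
type=AVC msg=audit(1491260900.101:801): avc: denied { mmap_zero } for
pid=2878 comm="java"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260900.101:801): arch=40000028 syscall=192 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Re-join records split by a mail client; every audit record starts with 'type='."""
    records = []
    for line in text.splitlines():
        if line.startswith('type=') or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return records

def parse_avc(record):
    """Fields of one AVC denial (pid, comm, scontext, tcontext, tclass, perms), or None."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def allow_rules(text):
    """Reduce the denials to audit2allow-style allow rules, one per (source, target, class)."""
    needed = defaultdict(set)
    for avc in filter(None, map(parse_avc, unwrap(text))):
        src = avc['scontext'].split(':')[2]          # type component of the context
        tgt = avc['tcontext'].split(':')[2]
        tgt = 'self' if src == tgt else tgt          # same type on both sides -> self
        needed[(src, tgt, avc['tclass'])].update(avc['perms'])
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in needed.items())

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```

Rules produced this way are the raw material for the local.te Russell describes: each one is reviewed and unwanted lines removed before "make load", exactly as his reply says.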