I have more error messages from /var/log/audit/audit.log if this is of any
use for you. And yeah, it works in permissive mode (sudo setenforce 0).
BTW, what do you mean by "run javac in strace"?
iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep javac
type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for
pid=1656 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491261632.611:875): avc: denied { mmap_zero } for
pid=1759 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491262641.248:924): avc: denied { mmap_zero } for
pid=1792 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263457.665:1069): avc: denied { mmap_zero } for
pid=1945 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1945
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491263668.304:1140): avc: denied { mmap_zero } for
pid=1977 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001 gid=1001
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc: denied { mmap_zero } for
pid=2176 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
type=AVC msg=audit(1491273200.654:1273): avc: denied { mmap_zero } for
pid=2190 comm="javac"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001 gid=1001
ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190
comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac" sig=11
On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <[email protected]>
wrote:
>
>
> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <[email protected]> wrote:
>
> This is the result of "dmesg | grep avc". Please let me know if you need
> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>
> [ 2.275229] audit: type=1400 audit(2.249:3): avc: denied { associate
> } for pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
> [ 2.577155] audit: type=1400 audit(2.549:4): avc: denied { wake_alarm
> } for pid=1 comm="systemd" capability=35
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
> [ 2.601211] audit: type=1400 audit(2.569:5): avc: denied { execstack
> } for pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [ 2.601321] audit: type=1400 audit(2.569:6): avc: denied { execmem }
> for pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
> [ 2.605393] audit: type=1400 audit(2.579:7): avc: denied { execmod }
> for pid=95 comm="systemd-fstab-g"
> path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [ 3.201440] audit: type=1400 audit(3.169:8): avc: denied { execstack
> } for pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [ 3.201499] audit: type=1400 audit(3.169:9): avc: denied { execmem }
> for pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
> [ 3.217575] audit: type=1400 audit(3.189:10): avc: denied { execstack
> } for pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
> [ 5.291711] audit: type=1400 audit(1491249900.889:59): avc: denied {
> mmap_zero } for pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
> permissive=1
> [ 5.304205] audit: type=1400 audit(1491249900.909:60): avc: denied {
> execstack } for pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [ 5.304582] audit: type=1400 audit(1491249900.909:61): avc: denied {
> execmem } for pid=243 comm="alsactl"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
> permissive=1
> [ 5.306197] audit: type=1400 audit(1491249900.909:62): avc: denied {
> use } for pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
> ino=3 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
> [ 5.355105] audit: type=1400 audit(1491249900.959:63): avc: denied {
> execmod } for pid=243 comm="alsactl"
> path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
> [ 5.357519] audit: type=1400 audit(1491249900.959:64): avc: denied {
> write } for pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [ 5.357705] audit: type=1400 audit(1491249900.959:65): avc: denied {
> add_name } for pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
> [ 5.358083] audit: type=1400 audit(1491249900.959:66): avc: denied {
> create } for pid=243 comm="alsactl" name="asound.state.lock"
> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [ 5.358671] audit: type=1400 audit(1491249900.959:67): avc: denied {
> read write open } for pid=243 comm="alsactl"
> path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
> [ 5.358893] audit: type=1400 audit(1491249900.959:68): avc: denied {
> getattr } for pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>
>
>
> I don't see anything that would prevent running javac offhand, perhaps
> others more versed in the desktop side can help tomorrow morning.
>
> Make sure you run javac so we can see any avc messages generated for it.
> Also run javac in strace and see where it's dying. Does this work in
> permissive mode? I.e. sudo setenforce 0?
>
>
> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <[email protected]>
> wrote:
>
>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>
>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to run javac and java on my Raspbian while SELinux is
>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>> both binaries have the same context.
>>>
>>> Can somebody please help?
>>>
>>> Thank you so much!
>>>
>>> Regards,
>>> Rahmadi
>>>
>>>
>>> _______________________________________________
>>> Selinux mailing list
>>> [email protected]
>>> To unsubscribe, send email to [email protected].
>>> To get help, send an email containing "help" to
>>> [email protected].
>>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>
>
>
--
Kind regards,
Rahmadi Trimananda
Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -
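The audit records in this message can be correlated mechanically: an AVC denial and its SYSCALL record share an event serial, and the ANOM_ABEND for the same pid follows. The script below is an added example, not part of the original thread; the function names are hypothetical, and the sample is built from records in the log above, rejoined onto one line each and trimmed.

```python
import re

# Constructed sample: records from the audit.log excerpt above, one per line, trimmed to the fields used.
SAMPLE = """\
type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for pid=1656 comm="javac" tclass=memprotect permissive=0
type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11 success=no exit=-13 pid=1656 comm="javac"
type=ANOM_ABEND msg=audit(1491260813.634:794): pid=1656 comm="javac" sig=11
type=AVC msg=audit(1491273121.724:1264): avc: denied { mmap_zero } for pid=2176 comm="javac" tclass=memprotect permissive=1
type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11 success=yes exit=0 pid=2176 comm="javac"
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Turn one-record-per-line audit text into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        rec["type"], rec["serial"] = rtype, int(serial)
        p = PERMS.search(body)
        if p:
            rec["perms"] = p.group(1).split()
        records.append(rec)
    return records

def denial_outcomes(records):
    """Pair each AVC denial with its SYSCALL (same serial) and a later ANOM_ABEND (same pid)."""
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    out = []
    for r in (x for x in records if x["type"] == "AVC"):
        sc = syscalls.get(r["serial"], {})
        crash = next((a for a in records if a["type"] == "ANOM_ABEND"
                      and a["pid"] == r["pid"] and a["serial"] > r["serial"]), None)
        out.append({
            "pid": int(r["pid"]), "perms": r["perms"], "tclass": r["tclass"],
            "enforced": r["permissive"] == "0",
            "syscall_exit": int(sc["exit"]) if sc else None,  # -13 is EACCES
            "signal": int(crash["sig"]) if crash else None,   # 11 is SIGSEGV
        })
    return out

if __name__ == "__main__":
    for row in denial_outcomes(parse(SAMPLE)):
        print(row)
```

On the sample, the enforced mmap_zero denial (pid 1656) pairs with exit=-13 and sig=11, while the permissive=1 run (pid 2176) is logged as denied but the syscall succeeds and no abnormal end follows.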