Re: Running Java and JVM on SELinux

Rahmadi Trimananda Mon, 03 Apr 2017 19:39:10 -0700

More info about javac.. according to some blogs/forums, javac/java has to
be of type textrel_shlib_t, and I can see that it has the right type.


iotuser@raspberrypi:~/policy $ ls
/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac -Z
system_u:object_r:textrel_shlib_t:SystemLow
/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac

On Mon, Apr 3, 2017 at 7:35 PM, Rahmadi Trimananda <[email protected]> wrote:

> I have more error messages from /var/log/audit/audit.log if this is of any
> use for you. And yeah, it works in permissive mode (sudo setenforce 0).
> BTW, what do you mean by "run javac in strace"?
>
> iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep
> javac
> type=AVC msg=audit(1491260813.624:793): avc:  denied  { mmap_zero } for
>  pid=1656 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491260813.624:793): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b8c548 a1=b92cc8 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1656 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491260813.634:794): auid=1001 uid=1001 gid=1001
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1656
> comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491261632.611:875): avc:  denied  { mmap_zero } for
>  pid=1759 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491261632.611:875): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b47a68 a1=bca488 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1759 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491261632.621:876): auid=1001 uid=1001 gid=1001
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1759
> comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491262641.248:924): avc:  denied  { mmap_zero } for
>  pid=1792 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491262641.248:924): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=a3ede8 a1=b88d68 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1792 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491262641.248:925): auid=1001 uid=1001 gid=1001
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1792
> comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491263457.665:1069): avc:  denied  { mmap_zero } for
>  pid=1945 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491263457.665:1069): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b975e8 a1=b8b708 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1945 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491263457.665:1070): auid=1001 uid=1001
> gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> pid=1945 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491263668.304:1140): avc:  denied  { mmap_zero } for
>  pid=1977 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491263668.304:1140): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=b89d88 a1=b48ac8 a2=ae2408 a3=9c663500
> items=0 ppid=989 pid=1977 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491263668.304:1141): auid=1001 uid=1001
> gid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> pid=1977 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> sig=11
> type=AVC msg=audit(1491273121.724:1264): avc:  denied  { mmap_zero } for
>  pid=2176 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=1
> type=SYSCALL msg=audit(1491273121.724:1264): arch=40000028 syscall=11
> per=800000 success=yes exit=0 a0=fd27c8 a1=f44a68 a2=fb4408 a3=55428f00
> items=0 ppid=2125 pid=2176 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=PROCTITLE msg=audit(1491273121.724:1264): proctitle="javac"
> type=AVC msg=audit(1491273200.654:1273): avc:  denied  { mmap_zero } for
>  pid=2190 comm="javac" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect permissive=0
> type=SYSCALL msg=audit(1491273200.654:1273): arch=40000028 syscall=11
> per=800000 success=no exit=-13 a0=1019f28 a1=1020668 a2=fb4408 a3=55428f00
> items=0 ppid=2125 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001
> fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=11 comm="javac"
> exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin/javac"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_ABEND msg=audit(1491273200.654:1274): auid=1001 uid=1001
> gid=1001 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> pid=2190 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin
> javac" sig=11
>
> On Mon, Apr 3, 2017 at 7:17 PM, William Roberts <[email protected]>
> wrote:
>
>>
>>
>> On Apr 3, 2017 19:12, "Rahmadi Trimananda" <[email protected]> wrote:
>>
>> This is the result of "dmesg | grep avc". Please let me know if you need
>> more information about my system (RaspberryPi 2 running Raspbian Jessie).
>>
>> [    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate
>> } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
>> [    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  {
>> wake_alarm } for  pid=1 comm="systemd" capability=35
>>  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0
>> tclass=capability2 permissive=1
>> [    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack
>> } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
>> [    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem }
>> for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
>> [    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod }
>> for  pid=95 comm="systemd-fstab-g" 
>> path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
>> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
>> [    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack
>> } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
>> [    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem }
>> for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
>> [    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  {
>> execstack } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0
>> tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
>> [    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  {
>> mmap_zero } for  pid=243 comm="alsactl" 
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect
>> permissive=1
>> [    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  {
>> execstack } for  pid=243 comm="alsactl" 
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
>> permissive=1
>> [    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  {
>> execmem } for  pid=243 comm="alsactl" 
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process
>> permissive=1
>> [    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  {
>> use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts"
>> ino=3 scontext=system_u:system_r:syslogd_t:s0
>> tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
>> [    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  {
>> execmod } for  pid=243 comm="alsactl" 
>> path="/usr/lib/arm-linux-gnueabihf/libarmmem.so"
>> dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
>> [    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  {
>> write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
>> [    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  {
>> add_name } for  pid=243 comm="alsactl" name="asound.state.lock"
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
>> [    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  {
>> create } for  pid=243 comm="alsactl" name="asound.state.lock"
>> scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>> [    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  {
>> read write open } for  pid=243 comm="alsactl" 
>> path="/run/lock/asound.state.lock"
>> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>> [    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  {
>> getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock"
>> dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
>>
>>
>>
>> I don't see anything that would prevent running javac offhand, perhaps
>> others more versed in the desktop side can help tomorrow morning.
>>
>> Make sure you run javac so we can see any avc messages generated for it.
>> Also run javac in strace and see where it's dying. Does this work in
>> permissive mode? Ie sudo setenforce 0?
>>
>>
>> On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <[email protected]
>> > wrote:
>>
>>> Do you see any "avc: denied" messages in dmesg/syslog? If so send them.
>>>
>>> On Apr 3, 2017 16:28, "Rahmadi Trimananda" <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am trying to run javac and java on my Raspbian while SELinux is
>>>> enabled. However, I keep getting "Segmentation fault", even when I just run
>>>> "javac" or "java". This happens in enforcing mode, but it doesn't happen
>>>> with "gcc". I am wondering why, because both are in /usr/bin directory and
>>>> both binaries have the same context.
>>>>
>>>> Can somebody please help?
>>>>
>>>> Thank you so much!
>>>>
>>>> Regards,
>>>> Rahmadi
>>>>
>>>>
>>>> _______________________________________________
>>>> Selinux mailing list
>>>> [email protected]
>>>> To unsubscribe, send email to [email protected].
>>>> To get help, send an email containing "help" to
>>>> [email protected].
>>>>
>>>
>>
>>
>> --
>> Kind regards,
>> Rahmadi Trimananda
>>
>> Ph.D. student @ University of California, Irvine
>> "Stay hungry, stay foolish!" - Steve Jobs -
>>
>>
>>
>
>
> --
> Kind regards,
> Rahmadi Trimananda
>
> Ph.D. student @ University of California, Irvine
> "Stay hungry, stay foolish!" - Steve Jobs -
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -

_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].

Re: Running Java and JVM on SELinux

Reply via email to