On 5/17/06, Paul Howarth <paul(a)city-fan.org> wrote:
On Wed, 2006-05-17 at 18:21 -0700, Tom London wrote:
> I'm getting execmem AVCs with the latest policy and with Sun Java:
> type=AVC msg=audit(1147912677.425:256): avc: denied { execmem } for
> pid=10059 comm="java" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1147912677.425:256): arch=40000003 syscall=192
> per=400000 success=no exit=-1082810368 a0=bf75a000 a1=3000 a2=7 a3=32
> items=0 pid=10059 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="java"
> exe="/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"
> subj=user_u:system_r:unconfined_t:s0
>
> Is it appropriate to label it as unconfined_execmem_t?
I think /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java* should be
java_exec_t:
# semanage fcontext -l | grep java_exec
/usr/bin/gcj-dbtool regular file
system_u:object_r:java_exec_t:s0
/usr/(.*/)?bin/java.* regular file
system_u:object_r:java_exec_t:s0
/opt/(.*/)?bin/java([^/]*)? regular file
system_u:object_r:java_exec_t:s0
/usr/lib(.*/)?bin/java([^/]*)? regular file
system_u:object_r:java_exec_t:s0
/usr/bin/gij regular file
system_u:object_r:java_exec_t:s0
Unfortunately restorecon is leaving these as bin_t here, for reasons I
can't fathom.
# rpm -q policycoreutils selinux-policy-targeted
policycoreutils-1.30.8-1.fc5
selinux-policy-targeted-2.2.38-1.fc5
Paul.
OK... How about this (notice the last entry, /usr/lib/jvm/java.*/bin/.* -> bin_t, which also matches the exe path in the AVC above)? Doesn't that 'override' the earlier java_exec_t entry?
tom
[root@localhost ~]# semanage fcontext -l | grep java
/usr/bin/gcj-dbtool regular file
system_u:object_r:java_exec_t:s0
/usr/(.*/)?bin/java.* regular file
system_u:object_r:java_exec_t:s0
/opt/(.*/)?bin/java([^/]*)? regular file
system_u:object_r:java_exec_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* regular file
system_u:object_r:shlib_t:s0
/usr/lib(.*/)?bin/java([^/]*)? regular file
system_u:object_r:java_exec_t:s0
/usr/bin/gij regular file
system_u:object_r:java_exec_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa regular file
system_u:object_r:shlib_t:s0
/usr/(.*/)?java/.*\.jsa regular file
system_u:object_r:shlib_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.jar regular file
system_u:object_r:shlib_t:s0
/usr/lib/jvm/java.*/bin directory
system_u:object_r:bin_t:s0
/usr/(.*/)?java/.*\.so(\.[^/]*)* regular file
system_u:object_r:textrel_shlib_t:s0
/usr/(.*/)?java/.*\.jar regular file
system_u:object_r:shlib_t:s0
/usr/lib/jvm/java.*/bin/.* all files
system_u:object_r:bin_t:s0
--
Tom London