Hi,

I tried running some Java apps on Fedora Core 4 with SELinux enabled and they can't connect to the network. The symptoms are strange (at least for me, I'm new to SELinux):

1) I use the TARGETED policy - I thought it shouldn't restrict applications unless they were explicitly listed?
2) I tried setting SELINUX to PERMISSIVE - the apps still couldn't use the network.
3) The apps are blocked silently - no info in syslog, regardless of the SELINUX mode.

All non-Java apps can use the network. All non-network-related Java functions seem to work just fine. I tried 2 versions of the Sun JRE.

Am I doing something wrong or is it a bug? Can I use my Java software without totally disabling SELinux?

Regards,
Igor Wawrzyniak
Igor Wawrzyniak wrote:

> Hi,
>
> I tried running some Java apps on Fedora Core 4 with SELinux enabled and they can't connect to the network. The symptoms are strange (at least for me, I'm new to SELinux):
>
> 1) I use the TARGETED policy - I thought it shouldn't restrict applications unless they were explicitly listed?
> 2) I tried setting SELINUX to PERMISSIVE - the apps still couldn't use the network.
> 3) The apps are blocked silently - no info in syslog, regardless of the SELINUX mode.
>
> All non-Java apps can use the network. All non-network-related Java functions seem to work just fine. I tried 2 versions of the Sun JRE.
>
> Am I doing something wrong or is it a bug? Can I use my Java software without totally disabling SELinux?
>
> Regards,
> Igor Wawrzyniak
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Which Java app? When it still does not work in permissive mode then it isn't an SELinux issue. It might be a firewall/NAT problem. Which ports are these apps trying to use?
> - I tried setting SELINUX to PERMISSIVE - the apps still couldn't use network.

So what evidence do you have that the problem is caused by SELinux at all?

> - The apps are blocked silently - no info in syslog, regardless of SELINUX mode.

It sounds like SELinux is not the problem.

Permissive mode should not cause any SELinux-related failures unless your applications are directly integrated with SELinux (in which case they should check manually whether SELinux is enabled).

Have you tried if the problem occurs with selinux=disabled? Beware that you might need to relabel the filesystem afterwards if you try that.
On Thursday 21 July 2005 11:28, Ivan Gyurdiev wrote:

> > - I tried setting SELINUX to PERMISSIVE - the apps still couldn't use network.
>
> So what evidence do you have that the problem is caused by SELinux at all?

Everything works when I disable SELinux.

> Have you tried if the problem occurs with selinux=disabled?

Of course - I tried all 3 options. It doesn't work with permissive and enforcing, and works with disabled.

Igor Wawrzyniak
On Thu, 2005-07-21 at 11:40 +0100, Igor Wawrzyniak wrote:

> On Thursday 21 July 2005 11:28, Ivan Gyurdiev wrote:
>
> > > - I tried setting SELINUX to PERMISSIVE - the apps still couldn't use network.
> >
> > So what evidence do you have that the problem is caused by SELinux at all?
>
> Everything works when I disable SELinux.

Are the applications you're testing open-source? If so, which applications...

Have you tested with a free JRE, such as gij?

> > Have you tried if the problem occurs with selinux=disabled?
>
> Of course - I tried all 3 options. It doesn't work with permissive and enforcing, and works with disabled.

Sounds like a possible kernel bug. Which kernel is this? Did the problem begin to occur on a kernel upgrade or a policy upgrade, or a library upgrade?

Are you absolutely sure you tested permissive mode (enforcing=0)? What does /usr/sbin/getenforce say? Try /usr/sbin/setenforce 0.
On Thursday 21 July 2005 11:50, Ivan Gyurdiev wrote:

> Are the applications you're testing open-source? If so, which applications...

Unfortunately, it's a commercial product. I tried some other Java software and it seems to work. Strange...

> Have you tested with a free JRE, such as gij?

It doesn't run with gij.

> Sounds like a possible kernel bug. Which kernel is this?

I tried 2 standard Fedora kernels:
kernel-2.6.11-1.1369_FC4
kernel-2.6.12-1.1398_FC4

Other related software:
libselinux-1.23.10-2
selinux-policy-targeted-1.25.2-4

> Did the problem begin to occur on a kernel upgrade or a policy upgrade, or a library upgrade?

I only tried it a few days ago, and there was no policy or library update since then. Should I try older versions of the kernel/library/policy/all of them?

> Are you absolutely sure you tested permissive mode (enforcing=0)? What does /usr/sbin/getenforce say?

[root@dhcp-46 ~]# /usr/sbin/getenforce
Permissive

> Try /usr/sbin/setenforce 0.

Tried - nothing changed.

Igor Wawrzyniak
> > Sounds like a possible kernel bug. Which kernel is this?
>
> I tried 2 standard Fedora kernels:
> kernel-2.6.11-1.1369_FC4
> kernel-2.6.12-1.1398_FC4
>
> Other related software:
> libselinux-1.23.10-2
> selinux-policy-targeted-1.25.2-4
>
> > Did the problem begin to occur on a kernel upgrade or a policy upgrade, or a library upgrade?
>
> I only tried it a few days ago, and there was no policy or library update since then. Should I try older versions of the kernel/library/policy/all of them?

Did you try it multiple times... are you sure there's a correlation between enforcing status and app working/not working?
On Thursday 21 July 2005 13:19, Ivan Gyurdiev wrote:

> Did you try it multiple times... are you sure there's a correlation between enforcing status and app working/not working?

I did. Every time I reboot with SELinux disabled, it works; every time it's enabled, it doesn't.

I also tried the app with the newest JRE from Sun - and it works even in enforcing mode. The deeper I dig into it, the stranger it gets.

Looks like the bug is only triggered by a very specific software combination; probably it would be hard to reproduce for anyone else. How can I get more information? Any way to look into kernel internals?

Igor Wawrzyniak
On Thu, 2005-07-21 at 14:05 +0100, Igor Wawrzyniak wrote:

> I did. Every time I reboot with SELinux disabled, it works; every time it's enabled, it doesn't.
>
> I also tried the app with the newest JRE from Sun - and it works even in enforcing mode. The deeper I dig into it, the stranger it gets.
>
> Looks like the bug is only triggered by a very specific software combination; probably it would be hard to reproduce for anyone else. How can I get more information? Any way to look into kernel internals?

Can you run it under strace and reproduce the failure there, and then bugzilla it and attach the strace output to the bugzilla report?
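A small triage script, added here as an example and not part of the thread, that does what the replies above ask for: it reports the SELinux mode the way getenforce does (by reading the selinuxfs flag directly), runs the application under strace as the last reply suggests, and pulls out the network syscalls that failed so you can tell an EACCES/EPERM denial from a firewall timeout or refusal; it also checks the audit log for AVC records, which permissive mode still produces for a real denial unless a dontaudit rule hides it. The function names (selinux_mode, failed_net_syscalls, trace_app, recent_avc) and the output file strace.out are my own; it assumes strace and, optionally, the audit package's ausearch are installed.

```shell
#!/bin/sh
# Added example, not from the thread: triage a suspected SELinux network
# denial. Function names are my own; assumes strace (and optionally the
# audit package's ausearch) are installed for trace_app and recent_avc.

# Report the current SELinux mode by reading the selinuxfs flag directly
# (/selinux was the FC4-era mount point, /sys/fs/selinux the modern one),
# so it works even where /usr/sbin/getenforce is missing.
selinux_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f" 2>/dev/null)" in
                1) echo Enforcing ;;
                0) echo Permissive ;;
                *) echo Unknown ;;
            esac
            return 0
        fi
    done
    # No selinuxfs mounted: the kernel booted with SELinux disabled.
    echo Disabled
}

# Parse strace output on stdin and print "<syscall> <errno>" for every
# network-related syscall that failed. From the application's side an
# SELinux denial on a socket is an EACCES or EPERM here, while a firewall
# that drops or rejects packets shows up as ETIMEDOUT or ECONNREFUSED.
failed_net_syscalls() {
    grep -E '^(\[pid +[0-9]+\] +)?(socket|connect|bind|listen|accept|sendto|recvfrom|sendmsg|recvmsg)\(.*\) += -1 E[A-Z]+' |
        sed -E 's/^(\[pid +[0-9]+\] +)?([a-z]+)\(.*\) += -1 (E[A-Z]+).*/\2 \3/'
}

# Run the application under strace, following forked threads (Java needs -f)
# and keeping only network syscalls, then summarise the failures. strace.out
# is what you would attach to the bug report.
trace_app() {
    strace -f -e trace=network -o strace.out "$@"
    failed_net_syscalls < strace.out
}

# Look for AVC records from the last few minutes. Permissive mode still logs
# what would have been denied (unless a dontaudit rule hides it), so a failure
# with no AVC record alongside it is evidence against SELinux being the cause.
recent_avc() {
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent 2>/dev/null
    else
        grep -h 'avc: *denied' /var/log/audit/audit.log /var/log/messages 2>/dev/null
    fi
}

# Usage: sh selinux-net-triage.sh ./myjavaapp arg...
if [ "$#" -gt 0 ]; then
    echo "SELinux mode: $(selinux_mode)"
    trace_app "$@"
    recent_avc
fi
```

failed_net_syscalls reads strace output on stdin, so a trace captured earlier can be checked with `failed_net_syscalls < strace.out` without re-running the application; the comparison that matters for this thread is whether the failures (and any AVC records) change between the permissive and enforcing results of selinux_mode.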
selinux@lists.fedoraproject.org