[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Disable for java?



On Fri, 2006-05-05 at 08:31 -0700, Fred Harris wrote:
> Thanks for replying. 
> 
> Bruno, I tried doing what you said, but had to use 
> setsebool -P allow_execmem true ('true' instead of 'on')
> 
> is that the same thing?  I think it was already enabled anyway. 
> The problem I'm getting is with message logging, not with
> enabling.
> 
> Paul, the messages I'm getting are the following.  
> >>>
> May  4 16:50:32 bd1 kernel: audit(1146786631.723:22): avc:  granted
> { execmem } for  pid=2159 comm="java"
> scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0
> tclass=process
> <<<


$ rpm -q --changelog selinux-policy-targeted
* Fri Apr 21 2006 Dan Walsh <dwalsh redhat com> 2.2.34-3.fc5
- Bump for fc5
...
...
...
* Mon Apr 03 2006 Dan Walsh <dwalsh redhat com> 2.2.29-2
- Add mono dbus support
- Lots of file_context fixes for textrel_shlib_t in FC5
- Turn off execmem auditallow since they are filling log files

This one appears to be exactly the problem you are seeing, so it should
be fixed on an up to date system.


> Why would installing in other than /opt make a difference?  I used to
> install in
> /usr/java, but Fedora says that /opt is where you should install a
> comprehensive
> package like the JDK.

It should work under /opt but, depending on how it got installed there,
you might need to set file contexts manually. Installing using the
JPackage rpms means that rpm gets to install it, and since rpm is an
selinux-aware tool, it can set the correct file contexts for you,
provided the policy includes the correct file contexts (which I think it
does).

> How do you update to the latest policy for SELinux?  I yumed to the
> latest Kernel.  I can't find a package for SELinux, though.

Well, what do you currently have?

I have these versions:
$ rpm -qa selinux\*
selinux-policy-targeted-2.2.34-3.fc5
selinux-policy-2.2.34-3.fc5

If that's not what you have, try this:
# yum update selinux\*

> I think I'm not getting some very basic stuff about working with
> SELinux.  It's pretty  confusing to me.  I've searched most of the
> FAQs and explanations
> I can find on Google.  Is there a simple, good link that explains it
> all?

http://fedoraproject.org/wiki/SELinux is a good starting point I think.

> For instance I have this basic question about whether or not you can
> turn off
> monitoring for a specific application like java_home/bin/java.  It
> seems to me that  something like that would be absolutely necessary
> while apps get up to speed with SELinux.

It shouldn't be necessary at all really if the policy is working
correctly.

Most of the daemons protected in the targeted policy have a
"disable_trans" boolean that effectively turns off SELinux protection
for them. However, for Java processes the problem is a bit different
since it's the memory protection that causes issues, and that applies
across the board rather than to specific daemon domains.

Paul.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]