[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: unconfined_execmem_t for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?



On 5/17/06, Paul Howarth <paul city-fan org> wrote:
On Wed, 2006-05-17 at 18:21 -0700, Tom London wrote:
> I'm getting execmem AVCs with latest policy and with SUN Java:
> type=AVC msg=audit(1147912677.425:256): avc:  denied  { execmem } for
> pid=10059 comm="java" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1147912677.425:256): arch=40000003 syscall=192
> per=400000 success=no exit=-1082810368 a0=bf75a000 a1=3000 a2=7 a3=32
> items=0 pid=10059 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="java"
> exe="/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"
> subj=user_u:system_r:unconfined_t:s0
>
> Is it appropriate to label as unconfined_exemem_t?

I think /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java* should be
java_exec_t:

# semanage fcontext -l | grep java_exec
/usr/bin/gcj-dbtool                                regular file
system_u:object_r:java_exec_t:s0
/usr/(.*/)?bin/java.*                              regular file
system_u:object_r:java_exec_t:s0
/opt/(.*/)?bin/java([^/]*)?                        regular file
system_u:object_r:java_exec_t:s0
/usr/lib(.*/)?bin/java([^/]*)?                     regular file
system_u:object_r:java_exec_t:s0
/usr/bin/gij                                       regular file
system_u:object_r:java_exec_t:s0

Unfortunately restorecon is leaving these as bin_t here, for reasons I
can't fathom.

# rpm -q policycoreutils selinux-policy-targeted
policycoreutils-1.30.8-1.fc5
selinux-policy-targeted-2.2.38-1.fc5

Paul.
OK.... How about this (notice the last entry). Doesn't that 'override'
the previous java_exec_t entry?

tom

[root localhost ~]# semanage fcontext -l | grep java
/usr/bin/gcj-dbtool                                regular file
system_u:object_r:java_exec_t:s0
/usr/(.*/)?bin/java.*                              regular file
system_u:object_r:java_exec_t:s0
/opt/(.*/)?bin/java([^/]*)?                        regular file
system_u:object_r:java_exec_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*   regular file
system_u:object_r:shlib_t:s0
/usr/lib(.*/)?bin/java([^/]*)?                     regular file
system_u:object_r:java_exec_t:s0
/usr/bin/gij                                       regular file
system_u:object_r:java_exec_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa            regular file
system_u:object_r:shlib_t:s0
/usr/(.*/)?java/.*\.jsa                            regular file
system_u:object_r:shlib_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.jar            regular file
system_u:object_r:shlib_t:s0
/usr/lib/jvm/java.*/bin                            directory
system_u:object_r:bin_t:s0
/usr/(.*/)?java/.*\.so(\.[^/]*)*                   regular file
system_u:object_r:textrel_shlib_t:s0
/usr/(.*/)?java/.*\.jar                            regular file
system_u:object_r:shlib_t:s0
/usr/lib/jvm/java.*/bin/.*                         all files
system_u:object_r:bin_t:s0


--
Tom London


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]