unconfined_execmem_t for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?

Paul Howarth paul at city-fan.org
Thu May 18 06:29:37 UTC 2006


On Wed, 2006-05-17 at 18:21 -0700, Tom London wrote:
> I'm getting execmem AVCs with latest policy and with SUN Java:
> type=AVC msg=audit(1147912677.425:256): avc:  denied  { execmem } for
> pid=10059 comm="java" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1147912677.425:256): arch=40000003 syscall=192
> per=400000 success=no exit=-1082810368 a0=bf75a000 a1=3000 a2=7 a3=32
> items=0 pid=10059 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="java"
> exe="/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"
> subj=user_u:system_r:unconfined_t:s0
> 
> Is it appropriate to label as unconfined_execmem_t?

I think /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java* should be
java_exec_t:

# semanage fcontext -l | grep java_exec
/usr/bin/gcj-dbtool                                regular file
system_u:object_r:java_exec_t:s0
/usr/(.*/)?bin/java.*                              regular file
system_u:object_r:java_exec_t:s0
/opt/(.*/)?bin/java([^/]*)?                        regular file
system_u:object_r:java_exec_t:s0
/usr/lib(.*/)?bin/java([^/]*)?                     regular file
system_u:object_r:java_exec_t:s0
/usr/bin/gij                                       regular file
system_u:object_r:java_exec_t:s0

Unfortunately restorecon is leaving these as bin_t here, for reasons I
can't fathom.

# rpm -q policycoreutils selinux-policy-targeted
policycoreutils-1.30.8-1.fc5
selinux-policy-targeted-2.2.38-1.fc5

Paul.

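The matching check behind Paul's expectation, as an added Python example that is not part of the thread: it anchors the java_exec_t specs from the `semanage fcontext -l` output the way libselinux does, reports which of them match the java path from the AVC record, and applies the last-match-wins rule of file_contexts. The bin_t catch-all spec is a constructed, approximate stand-in used only to show how a later, broader spec would take precedence; the actual cause on Paul's system is not established here.

```python
import re

# Constructed: the java_exec_t specs from the `semanage fcontext -l` output in
# the thread, in file_contexts order (a later line takes precedence).
JAVA_EXEC_SPECS = [
    (r"/usr/bin/gcj-dbtool", "system_u:object_r:java_exec_t:s0"),
    (r"/usr/(.*/)?bin/java.*", "system_u:object_r:java_exec_t:s0"),
    (r"/opt/(.*/)?bin/java([^/]*)?", "system_u:object_r:java_exec_t:s0"),
    (r"/usr/lib(.*/)?bin/java([^/]*)?", "system_u:object_r:java_exec_t:s0"),
    (r"/usr/bin/gij", "system_u:object_r:java_exec_t:s0"),
]

# Assumed approximation of a broad bin_t rule, constructed for illustration only.
BIN_T_CATCHALL = (r"/usr/lib(64)?/.*/bin(/.*)?", "system_u:object_r:bin_t:s0")

# The binary named in the AVC record from the thread.
JAVA_PATH = "/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"


def matching_specs(path, specs):
    """Return every (regex, context) pair whose regex matches the whole path.

    file_contexts regexes are implicitly anchored at both ends, so a spec such
    as /usr/bin/gij does not match /usr/bin/gij-4.1; re.fullmatch does the same.
    """
    return [(rx, ctx) for rx, ctx in specs if re.fullmatch(rx, path)]


def winning_spec(path, specs):
    """Pick the spec restorecon/matchpathcon would apply: the last match wins."""
    hits = matching_specs(path, specs)
    return hits[-1] if hits else None


if __name__ == "__main__":
    for rx, ctx in matching_specs(JAVA_PATH, JAVA_EXEC_SPECS):
        print(f"matches {rx:35} -> {ctx}")
    print("expected:", winning_spec(JAVA_PATH, JAVA_EXEC_SPECS))
    # Appending a broader spec after the java_exec_t ones changes the outcome.
    print("with later catch-all:",
          winning_spec(JAVA_PATH, JAVA_EXEC_SPECS + [BIN_T_CATCHALL]))
```

On a real host, `matchpathcon <path>` gives the policy's answer and `ls -Z <path>` the label actually on disk; comparing the two shows whether the policy or the relabel step is at fault.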



More information about the fedora-selinux-list mailing list