unconfined_execmem_t for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?

Tom London selinux at gmail.com
Thu May 18 16:15:42 UTC 2006


On 5/17/06, Paul Howarth <paul at city-fan.org> wrote:
> On Wed, 2006-05-17 at 18:21 -0700, Tom London wrote:
> > I'm getting execmem AVCs with latest policy and with SUN Java:
> > type=AVC msg=audit(1147912677.425:256): avc:  denied  { execmem } for
> > pid=10059 comm="java" scontext=user_u:system_r:unconfined_t:s0
> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1147912677.425:256): arch=40000003 syscall=192
> > per=400000 success=no exit=-1082810368 a0=bf75a000 a1=3000 a2=7 a3=32
> > items=0 pid=10059 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts0 comm="java"
> > exe="/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"
> > subj=user_u:system_r:unconfined_t:s0
> >
> > Is it appropriate to label as unconfined_execmem_t?
>
> I think /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java* should be
> java_exec_t:
>
> # semanage fcontext -l | grep java_exec
> /usr/bin/gcj-dbtool                                regular file
> system_u:object_r:java_exec_t:s0
> /usr/(.*/)?bin/java.*                              regular file
> system_u:object_r:java_exec_t:s0
> /opt/(.*/)?bin/java([^/]*)?                        regular file
> system_u:object_r:java_exec_t:s0
> /usr/lib(.*/)?bin/java([^/]*)?                     regular file
> system_u:object_r:java_exec_t:s0
> /usr/bin/gij                                       regular file
> system_u:object_r:java_exec_t:s0
>
> Unfortunately restorecon is leaving these as bin_t here, for reasons I
> can't fathom.
>
> # rpm -q policycoreutils selinux-policy-targeted
> policycoreutils-1.30.8-1.fc5
> selinux-policy-targeted-2.2.38-1.fc5
>
> Paul.
OK.... How about this (notice the last entry). Doesn't that 'override'
the previous java_exec_t entry?

tom

[root at localhost ~]# semanage fcontext -l | grep java
/usr/bin/gcj-dbtool                                regular file
system_u:object_r:java_exec_t:s0
/usr/(.*/)?bin/java.*                              regular file
system_u:object_r:java_exec_t:s0
/opt/(.*/)?bin/java([^/]*)?                        regular file
system_u:object_r:java_exec_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*   regular file
system_u:object_r:shlib_t:s0
/usr/lib(.*/)?bin/java([^/]*)?                     regular file
system_u:object_r:java_exec_t:s0
/usr/bin/gij                                       regular file
system_u:object_r:java_exec_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa            regular file
system_u:object_r:shlib_t:s0
/usr/(.*/)?java/.*\.jsa                            regular file
system_u:object_r:shlib_t:s0
/emul/ia32-linux/usr(/.*)?/java/.*\.jar            regular file
system_u:object_r:shlib_t:s0
/usr/lib/jvm/java.*/bin                            directory
system_u:object_r:bin_t:s0
/usr/(.*/)?java/.*\.so(\.[^/]*)*                   regular file
system_u:object_r:textrel_shlib_t:s0
/usr/(.*/)?java/.*\.jar                            regular file
system_u:object_r:shlib_t:s0
/usr/lib/jvm/java.*/bin/.*                         all files
system_u:object_r:bin_t:s0


-- 
Tom London

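The question in the thread is which `semanage fcontext` entry actually decides the label of the Sun JRE's `java` binary. The script below is an added example, not code from the thread or from the SELinux project: it loads the entries exactly as listed in the `semanage fcontext -l | grep java` output above and applies a small model of how libselinux resolves a path (regexes anchored at both ends, entries filtered by file type, and among the entries that match, the last one listed wins; entries added locally with `semanage fcontext -a` land in `file_contexts.local`, which is consulted after the base file and so overrides it). The file-type filtering and the local-override ordering are assumptions stated in the code; `resolve()`, `all_matches()`, `FCONTEXT_BASE`, `LOCAL_OVERRIDE` and `JAVA_BIN` are names made up for this example. On a real system, `matchpathcon <path>` asks the installed policy the same question.

```python
import re

# Constructed input: the fcontext entries quoted in the thread, in the order
# `semanage fcontext -l` printed them: (regex, file type, SELinux type).
FCONTEXT_BASE = [
    (r"/usr/bin/gcj-dbtool", "regular file", "java_exec_t"),
    (r"/usr/(.*/)?bin/java.*", "regular file", "java_exec_t"),
    (r"/opt/(.*/)?bin/java([^/]*)?", "regular file", "java_exec_t"),
    (r"/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*", "regular file", "shlib_t"),
    (r"/usr/lib(.*/)?bin/java([^/]*)?", "regular file", "java_exec_t"),
    (r"/usr/bin/gij", "regular file", "java_exec_t"),
    (r"/emul/ia32-linux/usr(/.*)?/java/.*\.jsa", "regular file", "shlib_t"),
    (r"/usr/(.*/)?java/.*\.jsa", "regular file", "shlib_t"),
    (r"/emul/ia32-linux/usr(/.*)?/java/.*\.jar", "regular file", "shlib_t"),
    (r"/usr/lib/jvm/java.*/bin", "directory", "bin_t"),
    (r"/usr/(.*/)?java/.*\.so(\.[^/]*)*", "regular file", "textrel_shlib_t"),
    (r"/usr/(.*/)?java/.*\.jar", "regular file", "shlib_t"),
    (r"/usr/lib/jvm/java.*/bin/.*", "all files", "bin_t"),
]

# Hypothetical local customisation, i.e. what
#   semanage fcontext -a -t java_exec_t '/usr/lib/jvm/java.*/bin/java.*'
# would append to file_contexts.local (assumption: local entries are
# consulted after the base file, so they win ties under last-match-wins).
LOCAL_OVERRIDE = [
    (r"/usr/lib/jvm/java.*/bin/java.*", "regular file", "java_exec_t"),
]

JAVA_BIN = "/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"


def all_matches(path, ftype, base, local=()):
    """Every entry that applies to `path`, in listing order.

    Model of the libselinux file-context lookup (assumption, not the real
    implementation): each regex is implicitly anchored as ^regex$, and an
    entry only applies when its file type is 'all files' or equals the
    file type of the path being labelled.
    """
    hits = []
    for regex, entry_type, setype in list(base) + list(local):
        if entry_type != "all files" and entry_type != ftype:
            continue
        if re.fullmatch(regex, path):
            hits.append((regex, setype))
    return hits


def resolve(path, ftype, base, local=()):
    """(SELinux type, winning regex) for `path`, or None if nothing matches.

    Among all applicable entries the LAST one listed wins; that is why a
    broad 'all files' entry near the end of the list can override a more
    specific java_exec_t entry that appears earlier.
    """
    hits = all_matches(path, ftype, base, local)
    if not hits:
        return None
    regex, setype = hits[-1]
    return setype, regex


if __name__ == "__main__":
    for regex, setype in all_matches(JAVA_BIN, "regular file", FCONTEXT_BASE):
        print(f"  matches {regex:40s} -> {setype}")
    print("base policy  :", resolve(JAVA_BIN, "regular file", FCONTEXT_BASE))
    print("with override:", resolve(JAVA_BIN, "regular file", FCONTEXT_BASE, LOCAL_OVERRIDE))
```

With only the base entries the `java` binary matches three regexes, two of them `java_exec_t`, but the final `/usr/lib/jvm/java.*/bin/.*` entry is listed last and resolves it to `bin_t`, which is the `restorecon` behaviour reported in the thread. Appending a more specific entry afterwards (the modelled `semanage fcontext -a`, followed on a real system by `restorecon -Rv /usr/lib/jvm`) flips the result to `java_exec_t`; whether `java_exec_t` is the right domain entry point for the Sun JVM is a separate policy question the thread does not settle.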