mindterm (java_t) AVCs

Daniel J Walsh dwalsh at redhat.com
Fri Jul 20 15:19:00 UTC 2007


Ken YANG wrote:
> Tom London wrote:
>
>> Running latest rawhide, targeted enforcing:
>>
>> Running 'java -jar mindterm.jar' with mindterm-3.1.2 produced AVC.
>>
>> Putting in permissive mode and running, I get these:
>>
>> type=AVC msg=audit(1184596927.029:42): avc:  denied  { unix_read } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=AVC msg=audit(1184596927.029:42): avc:  denied  { read } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596927.029:42): arch=40000003 syscall=117
>> success=yes exit=0 a0=15 a1=110017 a2=1000 a3=bfd97ef8 items=0
>> ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>> type=AVC msg=audit(1184596927.029:43): avc:  denied  { getattr
>> associate } for  pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117
>> success=yes exit=0 a0=18 a1=110017 a2=102 a3=0 items=0 ppid=3206
>> pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>> type=AVC msg=audit(1184596928.029:44): avc:  denied  { unix_write }
>> for  pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=AVC msg=audit(1184596928.029:44): avc:  denied  { write } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596928.029:44): arch=40000003 syscall=117
>> success=yes exit=0 a0=15 a1=118017 a2=0 a3=bfd97ef8 items=0 ppid=3206
>> pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>>
>> or
>>
>> allow xdm_xserver_t java_t:shm { write unix_read getattr unix_write
>> associate read };
>>
>>
>> BTW, the app appears to run in enforcing mode, even with the AVC.
>> Here is the only enforcing AVC:
>>
>> type=AVC msg=audit(1184596881.529:40): avc:  denied  { unix_read } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117
>> success=no exit=-13 a0=15 a1=108017 a2=1000 a3=bfd97ef8 items=0
>> ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>>
>
> Hi Tom, I encountered a similar problem running Eclipse, but it seemed
> that it's not a big issue and is just about performance; you can
> ignore it. See details in:
>
> http://marc.info/?l=fedora-selinux-list&m=118424437816871&w=2
>
>
>
>> tom
>>
>
Should be fixed in selinux-policy-3.0.3-2
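As an added example, not part of the thread: a small Python script that does what audit2allow does with records like the ones above, grouping the denied permissions by source type, target type and object class into an allow rule, and reading the paired SYSCALL record to tell a permissive-mode log entry (success=yes) from a denial that enforcing mode actually stopped (success=no, exit=-13). The sample records are condensed from those quoted in the post, and the regexes cover only the fields used here.

```python
import re
from collections import defaultdict

# Audit records condensed from those quoted in the thread (one per line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1184596927.029:42): avc:  denied  { unix_read } for  pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=AVC msg=audit(1184596927.029:42): avc:  denied  { read } for  pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:42): arch=40000003 syscall=117 success=yes exit=0 comm="X" exe="/usr/bin/Xorg"
type=AVC msg=audit(1184596927.029:43): avc:  denied  { getattr associate } for  pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117 success=yes exit=0 comm="X" exe="/usr/bin/Xorg"
type=AVC msg=audit(1184596928.029:44): avc:  denied  { unix_write } for  pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=AVC msg=audit(1184596928.029:44): avc:  denied  { write } for  pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596928.029:44): arch=40000003 syscall=117 success=yes exit=0 comm="X" exe="/usr/bin/Xorg"
type=AVC msg=audit(1184596881.529:40): avc:  denied  { unix_read } for  pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117 success=no exit=-13 comm="X" exe="/usr/bin/Xorg"
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+)\} .*scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.* success=(?P<success>yes|no) exit=(?P<exit>-?\d+)")

def type_of(context):
    # "system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023" -> "xdm_xserver_t"
    return context.split(":")[2]

def analyze(audit_text):
    """Return (perms keyed by (source, target, class), blocked flag keyed by event serial)."""
    perms, blocked = defaultdict(set), {}
    for line in audit_text.splitlines():
        if m := AVC_RE.match(line):
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            perms[key].update(m["perms"].split())
        elif m := SYSCALL_RE.match(line):
            # success=no / exit=-13 (EACCES): enforcing mode stopped the call;
            # success=yes next to an AVC is a permissive-mode log entry only.
            blocked[m["serial"]] = m["success"] == "no" and m["exit"] == "-13"
    return perms, blocked

def allow_rules(perms):
    """Render one audit2allow-style allow rule per (source, target, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    perms, blocked = analyze(SAMPLE_AUDIT)
    print("\n".join(allow_rules(perms)))
    print("blocked events:", sorted(s for s, b in blocked.items() if b))
```

Only event 40 (the run in enforcing mode) is reported as blocked; the others were logged but allowed, which is why the application kept working in permissive mode.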