mindterm (java_t) AVCs

"Tom London" <selinux@xxxxxxxxx> · Mon, 16 Jul 2007 07:48:47 -0700

Running latest rawhide, targeted enforcing:

Running 'java -jar mindterm.jar' with mindterm-3.1.2 produced AVC.

Putting in permissive mode and running, I get these:

type=AVC msg=audit(1184596927.029:42): avc:  denied  { unix_read } for
pid=3208 comm="X" key=0
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:java_t:s0 tclass=shm
type=AVC msg=audit(1184596927.029:42): avc:  denied  { read } for
pid=3208 comm="X" key=0
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:42): arch=40000003 syscall=117
success=yes exit=0 a0=15 a1=110017 a2=1000 a3=bfd97ef8 items=0
ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1184596927.029:43): avc:  denied  { getattr
associate } for  pid=3208 comm="X" key=0
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117
success=yes exit=0 a0=18 a1=110017 a2=102 a3=0 items=0 ppid=3206
pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1184596928.029:44): avc:  denied  { unix_write }
for  pid=3208 comm="X" key=0
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:java_t:s0 tclass=shm
type=AVC msg=audit(1184596928.029:44): avc:  denied  { write } for
pid=3208 comm="X" key=0
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596928.029:44): arch=40000003 syscall=117
success=yes exit=0 a0=15 a1=118017 a2=0 a3=bfd97ef8 items=0 ppid=3206
pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

or

allow xdm_xserver_t java_t:shm { write unix_read getattr unix_write
associate read };

BTW, the app appears to run in enforcing mode, even with the AVC.
Here is the only enforcing AVC:

type=AVC msg=audit(1184596881.529:40): avc:  denied  { unix_read } for
pid=3208 comm="X" key=0
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117
success=no exit=-13 a0=15 a1=108017 a2=1000 a3=bfd97ef8 items=0
ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list