Re: Running Java and JVM on SELinux

Rahmadi Trimananda <rtrimana@xxxxxxx> · Mon, 3 Apr 2017 19:12:31 -0700

This is the result of "dmesg | grep avc". Please let me know if you need more information about my system (RaspberryPi 2 running Raspbian Jessie).
[    2.275229] audit: type=1400 audit(2.249:3): avc:  denied  { associate } for  pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
[    2.577155] audit: type=1400 audit(2.549:4): avc:  denied  { wake_alarm } for  pid=1 comm="systemd" capability=35  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
[    2.601211] audit: type=1400 audit(2.569:5): avc:  denied  { execstack } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
[    2.601321] audit: type=1400 audit(2.569:6): avc:  denied  { execmem } for  pid=95 comm="systemd-fstab-g" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
[    2.605393] audit: type=1400 audit(2.579:7): avc:  denied  { execmod } for  pid=95 comm="systemd-fstab-g" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
[    3.201440] audit: type=1400 audit(3.169:8): avc:  denied  { execstack } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
[    3.201499] audit: type=1400 audit(3.169:9): avc:  denied  { execmem } for  pid=107 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=1
[    3.217575] audit: type=1400 audit(3.189:10): avc:  denied  { execstack } for  pid=108 comm="kmod" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process permissive=1
[    5.291711] audit: type=1400 audit(1491249900.889:59): avc:  denied  { mmap_zero } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=memprotect permissive=1
[    5.304205] audit: type=1400 audit(1491249900.909:60): avc:  denied  { execstack } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
[    5.304582] audit: type=1400 audit(1491249900.909:61): avc:  denied  { execmem } for  pid=243 comm="alsactl" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tclass=process permissive=1
[    5.306197] audit: type=1400 audit(1491249900.909:62): avc:  denied  { use } for  pid=120 comm="systemd-journal" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=fd permissive=1
[    5.355105] audit: type=1400 audit(1491249900.959:63): avc:  denied  { execmod } for  pid=243 comm="alsactl" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=144391 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
[    5.357519] audit: type=1400 audit(1491249900.959:64): avc:  denied  { write } for  pid=243 comm="alsactl" name="/" dev="tmpfs" ino=5104 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
[    5.357705] audit: type=1400 audit(1491249900.959:65): avc:  denied  { add_name } for  pid=243 comm="alsactl" name="asound.state.lock" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
[    5.358083] audit: type=1400 audit(1491249900.959:66): avc:  denied  { create } for  pid=243 comm="alsactl" name="asound.state.lock" scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
[    5.358671] audit: type=1400 audit(1491249900.959:67): avc:  denied  { read write open } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
[    5.358893] audit: type=1400 audit(1491249900.959:68): avc:  denied  { getattr } for  pid=243 comm="alsactl" path="/run/lock/asound.state.lock" dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

On Mon, Apr 3, 2017 at 6:54 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
Do you see any "avc: denied" messages in dmesg/syslog? If so send them.

On Apr 3, 2017 16:28, "Rahmadi Trimananda" <rtrimana@xxxxxxx> wrote:
Hi All,
I am trying to run javac and java on my Raspbian while SELinux is enabled. However, I keep getting "Segmentation fault", even when I just run "javac" or "java". This happens in enforcing mode, but it doesn't happen with "gcc". I am wondering why, because both are in /usr/bin directory and both binaries have the same context.

Can somebody please help?

Thank you so much!

Regards,
Rahmadi

_______________________________________________

Selinux mailing list

Selinux@xxxxxxxxxxxxx

To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.

To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

-- 
Kind regards,Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.