On Tue, 4 Apr 2017 02:34:14 PM Rahmadi Trimananda wrote:
> Umm, how's the easiest way to permit that one? Do I need to create a local
> policy or can I just use a command line? Sorry I am really a newbie. :)
Run "audit2allow -l -R < /var/log/audit/audit.log > local.te", that will
generate the policy.
policy_module(local,0.0.0)
Edit local.te to remove allow lines that you don't want and also add the above
as the first line.
Create a symlink from the example Makefile (which is /usr/share/doc/selinux-
policy-dev/examples/Makefile on Debian if you have the selinux-policy-dev
package installed) to the current directory. Then run "make load" and your
policy will be compiled and loaded.
> I am using javac 1.8.0_65. It is the same version for the "java" program.
>
> java version "1.8.0_65"
> Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
> Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)
I'm using openjdk which doesn't appear to require such access.
$ java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-8u121-b13-4-b13)
OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)
> On Mon, Apr 3, 2017 at 7:52 PM, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> > On Tue, 4 Apr 2017 12:35:47 PM Rahmadi Trimananda wrote:
> > > I have more error messages from /var/log/audit/audit.log if this is of
> >
> > any
> >
> > > use for you. And yeah, it works in permissive mode (sudo setenforce 0).
> > > BTW, what do you mean by "run javac in strace"?
> > >
> > > iotuser@raspberrypi:~/policy $ sudo cat /var/log/audit/audit.log | grep
> > > javac
> > > type=AVC msg=audit(1491260813.624:793): avc: denied { mmap_zero } for
> > >
> > > pid=1656 comm="javac"
> > >
> > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > tclass=memprotect permissive=0
> >
> > Try permitting that one and see if it changes things. What version of
> > javac
> > are you using? Is it an old version?
> >
> > Also when posting such things to the list please include the output of
> > auditallow as well as the raw AVC messages whenever you send more than
> > 2-3 entries. When your MUA wraps the lines the result isn't accepted by
> > audit2allow and that makes it less convenient for us to process your
> > messages
> > (usually audit2allow output is more useful than reading raw AVC log
> > entries).
> >
> > If there is only a single AVC message then we can all run audit2allow in
> > our
> > heads. ;)
> >
> > --
> > My Main Blog http://etbe.coker.com.au/
> > My Documents Blog http://doc.coker.com.au/
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
