
Fedora 11 SELinux and OpenJDK 7 b62 alert!

jsanza
Joined: 2009-06-26

Hello,

I got an SELinux alert when I am trying to run java from an OpenJDK 7 b62 installation.

libjvm.so text relocation? Why does IcedTea 6.0 have no problem?

------------- copy & paste of the SELinux alert follows:

Summary:

SELinux is preventing java from loading
/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so which requires text relocation.

Detailed Description:

The java application attempted to load
/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so which requires text relocation.
This is a potential security problem. Most libraries do not need this
permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so to use relocation as a workaround,
until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /home2/jdk1.7.0/jre/lib/i386/client/libjvm.so to run correctly, you
can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so'" You must also change the
default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t textrel_shlib_t
'/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so'"

Fix Command:

chcon -t textrel_shlib_t '/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so'

Additional Information:

Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:object_r:default_t:s0
Target Objects        /home2/jdk1.7.0/jre/lib/i386/client/libjvm.so [ file ]
Source                java
Source Path           /home2/jdk1.7.0/bin/java
Port
Host                  darkstar
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.6.12-53.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_execmod
Host Name             darkstar
Platform              Linux darkstar 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 athlon
Alert Count           3
First Seen            Tue 30 Jun 2009 11:04:07 PM CEST
Last Seen             Tue 30 Jun 2009 11:22:59 PM CEST
Local ID              070ccb49-f3b3-446b-87a1-8e985e525f1c
Line Numbers

Raw Audit Messages

node=darkstar type=AVC msg=audit(1246396979.474:73): avc: denied { execmod } for pid=8333 comm="java" path="/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so" dev=dm-0 ino=263915 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

node=darkstar type=SYSCALL msg=audit(1246396979.474:73): arch=40000003 syscall=125 success=no exit=-13 a0=fb8000 a1=438000 a2=5 a3=bf94da00 items=0 ppid=8248 pid=8333 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 ses=1 comm="java" exe="/home2/jdk1.7.0/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
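
Decoding the two raw audit records above, as an added example that is not part of the original post: it pairs the AVC and SYSCALL records by audit event serial and decodes the denied call, which on i386 (arch=40000003) is syscall 125, mprotect, with a protection argument of PROT_READ|PROT_EXEC. The SYSCALL record is abridged (uid/gid fields dropped), and the function and field names `parse`, `triage`, `event`, `perms` and `tcontext_type` are chosen for this example.

```python
import re
import shlex

# The two raw audit records from the alert above (SYSCALL record abridged).
RAW = [
    'node=darkstar type=AVC msg=audit(1246396979.474:73): avc: denied { execmod } '
    'for pid=8333 comm="java" path="/home2/jdk1.7.0/jre/lib/i386/client/libjvm.so" '
    'dev=dm-0 ino=263915 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
    'node=darkstar type=SYSCALL msg=audit(1246396979.474:73): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=fb8000 a1=438000 a2=5 a3=bf94da00 items=0 ppid=8248 pid=8333 '
    'comm="java" exe="/home2/jdk1.7.0/bin/java"',
]

AUDIT_ARCH_I386 = 0x40000003      # EM_386 with the little-endian flag
NR_MPROTECT_I386 = 125            # i386 syscall table entry for mprotect
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse(line):
    """Split one audit record into key=value fields plus event serial and AVC perms."""
    fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
    fields["event"] = re.search(r"msg=audit\(\d+\.\d+:(\d+)\)", line).group(1)
    perms = re.search(r"\{ ([^}]*)\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def triage(lines):
    """Return one finding per execmod denial, joined with its SYSCALL record."""
    events = {}
    for rec in map(parse, lines):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "execmod" not in avc["perms"]:
            continue
        f = {"event": serial, "path": avc["path"],
             "tcontext_type": avc["tcontext"].split(":")[2]}
        if sc and int(sc["arch"], 16) == AUDIT_ARCH_I386 \
                and int(sc["syscall"]) == NR_MPROTECT_I386:
            start, length, prot = (int(sc[k], 16) for k in ("a0", "a1", "a2"))
            f["syscall"] = "mprotect"
            f["range"] = (start, start + length)   # a0..a3 are logged in hex
            f["prot"] = [name for bit, name in PROT.items() if prot & bit]
        findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in triage(RAW):
        print(finding)
```

The `tcontext_type` of `default_t` shows the library carries only the generic label for files under /home2, which is the label the alert's suggested `chcon -t textrel_shlib_t` would replace.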