tags:

views:

197

answers:

2
+1  Q: 

SELinux Prevents Java from Running

Hi All,

I recently installed Sun Java on a system with a fairly basic SELinux install on it.

I'm running Debian Etch and installed the Sun Java package from the non-free package repository.

Here are the error notices that appear in the syslog when I run java -version.

`Feb 9 14:02:40 dev kernel: audit(1265742160.570:4107): avc: denied { execmem } for pid=9882 comm="java" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process

Feb 9 14:02:40 dev kernel: audit(1265742160.578:4108): avc: denied { execmem } for pid=9882 comm="java" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process`

I've googled around and it seems that I need to create an SELinux policy that permits Java to perform operations that violate the execmem constraints. Is this a correct assumption? If so, how should I get started?

Updates:

I looked for and found a targeted policy aimed at handling Java. I installed it using the following command:

$ sudo semodule -i /usr/share/selinux/refpolicy-targeted/java.pp

This did not help, however. I continue to see identical audit messages in the syslog.

A: 

SeLinux is one of the most annoying security systems ever created. It throws mostly false positives when trying to use your system. You can turn of enfocing, which will allow java to run, but it will still log "attacks" it finds (IE: false positives). 

sudo echo 0 >/selinux/enforce

Edit: It is also annoying to exploit writers, and I know this from first hand experience. SELinux can prevent your system from getting hacked, but it can also prevent you from getting work done. SELinux is best used on a production system.

Rook  2010-02-09 19:30:22
SELinux was produced by the NSA for serious security purposes. You figure from that how likely it is to be annoying in general.
David Thornley  2010-02-09 20:08:15
It's easier to do "setenforce 0" as root
Jason Axelson  2010-08-11 05:45:52
@Jason Axelson yeah and then its easier for my exploit to pop it's metasploit shell >:)
Rook  2010-08-11 06:04:22
A: 

This guide: http://etbe.coker.com.au/2006/12/08/se-linux-on-debian-in-5-minutes/ and dgrift on #selinux clued me in on the correct solution.

# semodule -i /usr/share/selinux/refpolicy-targeted/java.pp
# restorecon -r -v /usr

There is a targeted policy available for Java that has to be applied using semodule. Once the policy is applied, restorecon has to be used to apply the policy to the Java binaries.

jkndrkn  2010-02-09 20:05:56

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java