Hi All,

I recently installed Sun Java on a system with a fairly basic SELinux install on it.

I'm running Debian Etch and installed the Sun Java package from the non-free package repository.

Here are the error notices that appear in the syslog when I run java -version.

```
Feb 9 14:02:40 dev kernel: audit(1265742160.570:4107): avc: denied { execmem } for pid=9882 comm="java" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Feb 9 14:02:40 dev kernel: audit(1265742160.578:4108): avc: denied { execmem } for pid=9882 comm="java" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
```

I've googled around and it seems that I need to create an SELinux policy that permits Java to perform operations that violate the execmem constraints. Is this a correct assumption? If so, how should I get started?

Updates:

I looked for and found a targeted policy aimed at handling Java. I installed it using the following command:

```
$ sudo semodule -i /usr/share/selinux/refpolicy-targeted/java.pp
```

This did not help, however. I continue to see identical audit messages in the syslog.

A: 

SELinux is one of the most annoying security systems ever created. It throws mostly false positives when trying to use your system. You can turn off enforcing, which will allow java to run, but it will still log "attacks" it finds (i.e., false positives).

```
# Write through tee so the write runs as root ("sudo echo 0 > file" redirects as the calling user)
echo 0 | sudo tee /selinux/enforce
```

Edit: It is also annoying to exploit writers, and I know this from first hand experience. SELinux can prevent your system from getting hacked, but it can also prevent you from getting work done. SELinux is best used on a production system.

Rook
SELinux was produced by the NSA for serious security purposes. You figure from that how likely it is to be annoying in general.
David Thornley
It's easier to do "setenforce 0" as root
Jason Axelson
@Jason Axelson yeah and then it's easier for my exploit to pop its metasploit shell >:)
Rook
A: 

This guide: http://etbe.coker.com.au/2006/12/08/se-linux-on-debian-in-5-minutes/ and dgrift on #selinux clued me in on the correct solution.

```
# semodule -i /usr/share/selinux/refpolicy-targeted/java.pp
# restorecon -r -v /usr
```

There is a targeted policy available for Java that has to be applied using semodule. Once the policy is applied, restorecon has to be used to apply the policy to the Java binaries.

jkndrkn