Comments (4)
You need:
allow java_t self:process setcurrent;
allow java_t user_t:process dyntransition;
domain_dyntrans_type(java_t)
from refpolicy.
policy_module(demotrans, 1.0.0)

optional_policy(`
	gen_require(`
		type java_t;
		type user_t;
		type xdg_cache_t;
	')

	# let java_t change its own context (setcon) into user_t
	domain_dyntrans_type(java_t)
	allow java_t self:process setcurrent;
	allow java_t user_t:process dyntransition;

	# read/write the JNA native library extracted under ~/.cache
	xdg_manage_cache(java_t)
	allow java_t xdg_cache_t:file { execute map };

	# execute the JNA native library and its libselinux dependency
	libs_exec_ldconfig(java_t)
	seutil_libselinux_linked(java_t)
')
ausearch -i -a 3088
----
type=PROCTITLE msg=audit(07/19/2023 21:09:03.721:3088) : proctitle=/usr/lib/jvm/java-8-openjdk/bin/java -Dfile.encoding=UTF-8 -classpath /home/user_dev/eclipse-workspace-ide/bind-jna-selinux/targ
type=SYSCALL msg=audit(07/19/2023 21:09:03.721:3088) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0xf a1=0x7fd8140944f0 a2=0x18 a3=0x0 items=0 ppid=777 pid=5598 auid=user_dev uid=user_dev gid=user_dev euid=user_dev suid=user_dev fsuid=user_dev egid=user_dev sgid=user_dev fsgid=user_dev tty=pts3 ses=5 comm=EEEE exe=/usr/lib/jvm/java-8-openjdk/jre/bin/java subj=user_u:user_r:java_t:s0 key=(null)
type=SELINUX_ERR msg=audit(07/19/2023 21:09:03.721:3088) : op=security_bounded_transition seresult=denied oldcontext=user_u:user_r:java_t:s0 newcontext=user_u:user_r:user_t:s0
What other solutions are there? I tried to run the program as the root user.
Probably a limitation of setcon(3) as mentioned in the man page:
Since Linux 2.6.28, setcon() is permitted for threads within a multi-threaded process if the new security context is bounded by the old security context, where the bounded relation is defined through typebounds statements in the policy and guarantees that the new security context has a subset of the permissions of the old security context.
BUT: You really should not use setcon(3), especially in a complex application like Java; use for example a wrapper script with just exec $@ and model a type transition based on the file context of that wrapper. Dynamic transitions should really be the exception, e.g. for systemd after loading the initial policy.
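The wrapper-script approach recommended in the comment above, written out as an added example; this is not code from the issue, from its reporter, or from refpolicy itself. The module name demotrans and the java_t/user_t pair come from the earlier comment; the wrapper path /usr/local/bin/java-demote and the type java_demote_exec_t are assumed names. Instead of the JVM calling setcon(3) on its own multi-threaded process, which fails the security_bounded_transition check seen in the audit log unless user_t is bounded by java_t through typebounds, the JVM executes a labelled wrapper and the kernel performs an ordinary exec-time domain transition for the child process only:

```selinux
## demotrans.te (added example; replaces the dyntransition rules from the issue)
policy_module(demotrans, 1.0.0)

########################################
#
# Declarations
#

# Entry point type for the wrapper script (assumed name)
type java_demote_exec_t;
application_executable_file(java_demote_exec_t)

########################################
#
# Local policy
#

optional_policy(`
	gen_require(`
		type java_t;
		type user_t;
	')

	# When java_t executes a file labelled java_demote_exec_t, the new
	# process runs as user_t. Only the child changes domain; the JVM and
	# all of its threads stay in java_t, so no setcon(3), dyntransition
	# or typebounds statement is involved.
	domain_auto_trans(java_t, java_demote_exec_t, user_t)

	# The wrapper is a #!/bin/sh script, so the caller must be able to run
	# the shell interpreter. refpolicy may already grant this to java_t;
	# a duplicate allow rule is harmless.
	corecmd_exec_shell(java_t)
')

## demotrans.fc
/usr/local/bin/java-demote	--	gen_context(system_u:object_r:java_demote_exec_t,s0)

## /usr/local/bin/java-demote (the wrapper itself)
#!/bin/sh
# Replace this process with the requested command; quoting "$@" keeps
# arguments that contain spaces intact.
exec "$@"
```

After building and loading the module and running restorecon on the wrapper, the Java side simply runs /usr/local/bin/java-demote followed by the command it wants demoted, and that child starts in user_t. The trade-off the comment points at is that user_t would otherwise have to be bounded by java_t for setcon(3) to succeed, which by definition means user_t could hold no permission java_t lacks; an exec-time transition carries no such constraint, and the resulting process can be audited like any other user_t process.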