Giter Club home page Giter Club logo

Comments (4)

pebenito avatar pebenito commented on June 9, 2024

You need:

allow java_t self:process setcurrent;
allow java_t user_t:process dyntransition;
domain_dyntrans_type(java_t)

from refpolicy.

freedom1b2830 avatar freedom1b2830 commented on June 9, 2024 
policy_module(demotrans, 1.0.0)

optional_policy(`
	gen_require(`
		type java_t;
		type user_t;
		type xdg_cache_t;
	')
	domain_dyntrans_type(java_t)
	allow java_t self:process setcurrent;
	allow java_t user_t:process dyntransition;
	
	#RW jna so
	xdg_manage_cache(java_t)
	allow java_t xdg_cache_t:file { execute map };
	#execute jna so
	libs_exec_ldconfig(java_t)
	
	seutil_libselinux_linked(java_t)
')

ausearch -i -a 3088
----
type=PROCTITLE msg=audit(07/19/2023 21:09:03.721:3088) : proctitle=/usr/lib/jvm/java-8-openjdk/bin/java -Dfile.encoding=UTF-8 -classpath /home/user_dev/eclipse-workspace-ide/bind-jna-selinux/targ 
type=SYSCALL msg=audit(07/19/2023 21:09:03.721:3088) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0xf a1=0x7fd8140944f0 a2=0x18 a3=0x0 items=0 ppid=777 pid=5598 auid=user_dev uid=user_dev gid=user_dev euid=user_dev suid=user_dev fsuid=user_dev egid=user_dev sgid=user_dev fsgid=user_dev tty=pts3 ses=5 comm=EEEE exe=/usr/lib/jvm/java-8-openjdk/jre/bin/java subj=user_u:user_r:java_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(07/19/2023 21:09:03.721:3088) : op=security_bounded_transition seresult=denied oldcontext=user_u:user_r:java_t:s0 newcontext=user_u:user_r:user_t:s0

from refpolicy.

freedom1b2830 avatar freedom1b2830 commented on June 9, 2024

What other solutions are there? i tried to run the program as root user

from refpolicy.

cgzones avatar cgzones commented on June 9, 2024

Probably a limitation of setcon(3) as mentioned in the man page:

Since Linux 2.6.28, setcon() is permitted for threads within a multi-threaded process if the new security context is bounded by the old security context, where the bounded relation is defined through typebounds statements in the policy and guarantees that the new security context has a subset of the permissions of the old security context.

BUT: You really should not use setcon(3), especially in a complex application like java; use for example a wrapper script with just exec $@ and model a type transition based on the file context of that wrapper. Dynamic transitions should really be the exception, e.g. for systemd after loading the initial policy.

from refpolicy.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.