Bug 826719
| Summary: | SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3/jre/bin/java from using the 'execmem' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Demus <daniel> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:13d2cbb965da3d825fa86a53f2be451a0fa90735b442687a1a520abaab7625a6 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-30 21:04:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The alert tells you what to do setsebool -P httpd_execmem 1 But I shouldn't need to do it, seeing as I haven't changed anything myself, n'est pas? So you did not setup apache? This is caused by java and we really want to allow it by default. You are saying you did not setup a java app to run within your apache environment? |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.7-1.fc16.x86_64 time: 2012-05-30T22:30:02 CEST description: :SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3/jre/bin/java from using the 'execmem' accesses on a process. : :***** Plugin catchall_boolean (89.3 confidence) suggests ******************* : :If you want to httpd_execmem :Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.You can read 'httpd_selinux' man page for more details. :Do :setsebool -P httpd_execmem 1 : :***** Plugin catchall (11.6 confidence) suggests *************************** : :If you believe that java should be allowed execmem access on processes labeled httpd_t by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep java /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:httpd_t:s0 :Target Context system_u:system_r:httpd_t:s0 :Target Objects [ process ] :Source java :Source Path /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3/jre/bin/ja : va :Port <Unknown> :Host (removed) :Source RPM Packages java-1.7.0-openjdk-1.7.0.3-2.1.fc17.6.i686 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-125.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.7-1.fc16.x86_64 #1 SMP : Tue May 22 13:59:39 UTC 2012 x86_64 x86_64 :Alert Count 2 :First Seen 2012-05-30T21:28:17 CEST :Last Seen 2012-05-30T22:02:16 CEST :Local ID f9b77187-0f2e-4be7-8d31-2d9be8966c5d : :Raw Audit Messages :type=AVC msg=audit(1338408136.177:35): avc: denied { execmem } for pid=739 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process : : :type=SYSCALL msg=audit(1338408136.177:35): arch=i386 syscall=lgetxattr success=no exit=EACCES a0=f3800000 a1=240000 a2=7 a3=32 items=0 ppid=1 pid=739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3/jre/bin/java subj=system_u:system_r:httpd_t:s0 key=(null) : :Hash: java,httpd_t,httpd_t,process,execmem : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :