Bug 1393938 - RFC: ls -Z /usr/lib/jvm/jre-*-openjdk*/bin/java - java_exec_t vs bin_t - ps java process as xguest
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-10 16:43 UTC by Paulo Andrade
Modified: 2020-04-15 14:50 UTC (History)

Fixed In Version: selinux-policy-3.7.19-304.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 09:49:24 UTC
Target Upstream Version:


Attachments
xguest-java.png (340.28 KB, image/png)
2016-11-11 13:53 UTC, Paulo Andrade


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0627 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-03-21 12:29:23 UTC

Description Paulo Andrade 2016-11-10 16:43:03 UTC
When logged in as xguest, one cannot read /proc entries of java processes on rhel6;
the java processes are started by the xguest user.

  A possible workaround is:

# chcon -t bin_t $(readlink -f /usr/bin/java)

that will cause it to have the same type as rhel7 or rawhide,
and the xguest user will be able to read the /proc entry.

  Is the above workaround safe, valid? Is there a better
alternative?

Comment 1 Milos Malik 2016-11-10 17:11:42 UTC
$ id -Z
xguest_u:xguest_r:xguest_t:s0
$ java
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000002fc8a0000, 1431699456, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 1431699456 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /tmp/jvm-131072/hs_error.log
$

After "semodule -DB" following SELinux denials appeared:
----
type=PATH msg=audit(11/10/2016 18:00:35.573:1850) : item=0 name=/proc/loadavg inode=4026532033 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/10/2016 18:00:35.573:1850) :  cwd=/home/xguest 
type=SYSCALL msg=audit(11/10/2016 18:00:35.573:1850) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffb6b7cd3e9 a1=O_RDONLY a2=0x3a a3=0x0 items=1 ppid=114632 pid=128574 auid=xguest uid=xguest gid=xguest euid=xguest suid=xguest fsuid=xguest egid=xguest sgid=xguest fsgid=xguest tty=pts1 ses=87 comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.99.x86_64/jre/bin/java subj=xguest_u:xguest_r:xguest_java_t:s0 key=(null) 
type=AVC msg=audit(11/10/2016 18:00:35.573:1850) : avc:  denied  { read } for  pid=128574 comm=java name=loadavg dev=proc ino=4026532033 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(11/10/2016 18:00:35.573:1851) : item=0 name=/proc/meminfo inode=4026532034 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/10/2016 18:00:35.573:1851) :  cwd=/home/xguest 
type=SYSCALL msg=audit(11/10/2016 18:00:35.573:1851) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffb6b004f55 a1=O_RDONLY a2=0xf a3=0x7ffb6c226b80 items=1 ppid=114632 pid=128574 auid=xguest uid=xguest gid=xguest euid=xguest suid=xguest fsuid=xguest egid=xguest sgid=xguest fsgid=xguest tty=pts1 ses=87 comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.99.x86_64/jre/bin/java subj=xguest_u:xguest_r:xguest_java_t:s0 key=(null) 
type=AVC msg=audit(11/10/2016 18:00:35.573:1851) : avc:  denied  { read } for  pid=128574 comm=java name=meminfo dev=proc ino=4026532034 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(11/10/2016 18:00:35.573:1852) : item=0 name=/proc/cpuinfo inode=4026532030 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/10/2016 18:00:35.573:1852) :  cwd=/home/xguest 
type=SYSCALL msg=audit(11/10/2016 18:00:35.573:1852) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffb6b0053cf a1=O_RDONLY a2=0xf a3=0x202c736d7265202c items=1 ppid=114632 pid=128574 auid=xguest uid=xguest gid=xguest euid=xguest suid=xguest fsuid=xguest egid=xguest sgid=xguest fsgid=xguest tty=pts1 ses=87 comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.99.x86_64/jre/bin/java subj=xguest_u:xguest_r:xguest_java_t:s0 key=(null) 
type=AVC msg=audit(11/10/2016 18:00:35.573:1852) : avc:  denied  { read } for  pid=128574 comm=java name=cpuinfo dev=proc ino=4026532030 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----

The result of java command didn't change even if allow_java_execstack was enabled:

# setsebool allow_java_execstack on

Comment 2 Paulo Andrade 2016-11-10 17:50:08 UTC
  Just to avoid any confusion, I will describe below my test procedure:


  My test was on a rhel-6.8 x86_64 vm, with 1 cpu and 1 G of memory.

  Run in virt-manager, and after installing the xguest package, login
in gdb as guest user.

  Create this file:

$ cat Guest.java
public class Guest {
  // main must be static so that "java Guest" can start it
  public static void main(String[] args) {
    // loop forever so the process stays alive for ps/stat checks
    while (true) {
      try {
        Thread.sleep(1000);
        System.out.print('.');
      }
      catch (Exception e) {
      }
    }
  }
}

and as xguest, on a terminal run:
$ javac Guest.java

$ java -Xcomp Guest Guest.class


  The -Xcomp is supposed to force it to compile to JIT first, so
it would validate that it is executing JIT code (exec mem).

  Without running, as root, "chcon -t bin_t $(readlink -f /usr/bin/java)",
the xguest user will not see the java process in the output of a command like:

$ ps x | grep java

this happens because stat("/proc/<pidof-java-process>") returns -1
and apparently errno is set to EACCES (I say apparently because
running under gdb, as xguest will cause gdb to crash if attempting
to read the errno value). No AVC is generated.

Comment 3 Paulo Andrade 2016-11-10 18:01:27 UTC
s/login in gdb/login in gdm/ :)

Comment 6 Milos Malik 2016-11-11 13:11:03 UTC
$ id -Z
xguest_u:xguest_r:xguest_t:s0
$ javac Guest.java
$ java -Xcomp Guest Guest.class
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000002fc8a0000, 1431699456, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 1431699456 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /tmp/jvm-67191/hs_error.log
$ tail -n 20 /tmp/jvm-67191/hs_error.log
uname:Linux 2.6.32-671.el6.x86_64 #1 SMP Tue Nov 8 22:29:41 EST 2016 x86_64
libc:glibc 2.12 NPTL 2.12 
rlimit: STACK 10240k, CORE 0k, NPROC 3360, NOFILE 4096, AS infinity
load average:0.00 0.00 -nan

/proc/meminfo:


CPU:total 1 (1 cores per cpu, 1 threads per core) family 6 model 60 stepping 1, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ssse3, sse4.1, sse4.2, popcnt, avx, avx2, aes, erms, tsc

/proc/cpuinfo:
  <Not Available>

Memory: 4k page, physical 18014398509481980k(257028k free), swap 1048572k(855980k free)

vm_info: OpenJDK 64-Bit Server VM (24.121-b00) for linux-amd64 JRE (1.7.0_121-b00), built on Nov  1 2016 00:42:28 by "mockbuild" with gcc 4.4.7 20120313 (Red Hat 4.4.7-17)

time: Fri Nov 11 14:05:25 2016
elapsed time: 0 seconds

It also corresponds with the strace output:
[pid 68017] open("/proc/loadavg", O_RDONLY) = -1 EACCES (Permission denied)
[pid 68017] open("/proc/meminfo", O_RDONLY) = -1 EACCES (Permission denied)
[pid 68017] open("/proc/cpuinfo", O_RDONLY) = -1 EACCES (Permission denied)

The AVCs become visible after:
# semodule -DB

Comment 7 Paulo Andrade 2016-11-11 13:52:02 UTC
(In reply to Milos Malik from comment #6)
> $ id -Z
> xguest_u:xguest_r:xguest_t:s0
> $ javac Guest.java
> $ java -Xcomp Guest Guest.class
> OpenJDK 64-Bit Server VM warning: INFO:
> os::commit_memory(0x00000002fc8a0000, 1431699456, 0) failed; error='Cannot
> allocate memory' (errno=12)

  Weird, looks like there is something bogus in your test
environment. Attaching screenshot of my test next...

Comment 8 Paulo Andrade 2016-11-11 13:53:54 UTC
Created attachment 1219797 [details]
xguest-java.png

  Just created a vm from rhel6.8 iso, installed xguest
package, and for testing used the Guest.java (that I
wrote for this test...)

Comment 9 Milos Malik 2016-11-11 13:56:47 UTC
Yes, the difference is:

# ls -lZ `readlink -f /usr/bin/java`
-rwxr-xr-x. root root system_u:object_r:java_exec_t:s0 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.121.x86_64/jre/bin/java
#

Comment 10 Milos Malik 2016-11-11 14:01:29 UTC
Now it works:

$ javac Guest.java 
$ java -Xcomp Guest Guest.class
........................................................................


# ps -efZ | grep Guest
xguest_u:xguest_r:xguest_t:s0   506        90307   88863  4 14:59 pts/0    00:00:00 java -Xcomp Guest Guest.class
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 90436 4374  0 15:00 pts/1 00:00:00 grep Guest
# ps -efZ | grep java
xguest_u:xguest_r:xguest_t:s0   506        90307   88863  3 14:59 pts/0    00:00:00 java -Xcomp Guest Guest.class
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 90477 4374  0 15:00 pts/1 00:00:00 grep java
#

Comment 11 Milos Malik 2016-11-11 14:03:46 UTC
But as you can see, the java process (comment#10) runs under xguest_t context instead of xguest_java_t (comment#1).

Comment 12 Paulo Andrade 2016-11-11 14:08:21 UTC
  The only difference from a plain install was that I did
run as root:

# chcon -t bin_t $(readlink -f /usr/bin/java)

so that the xguest user could list java processes in ps
output. And that is the reason for the RFC :), as the user
wants to be able to do things like $(pidof java), list
the java processes with ps, etc.
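The two checks below are an added example and not part of the bug report or of selinux-policy. They work from the output pasted into this bug: the AVC records from comment 1 are summarised into the allow rules they would need (roughly what audit2allow does), and the "ps -efZ" lines from comment 10 are reduced to the SELinux type each java process runs in, so a java binary relabeled with "chcon -t bin_t" (comment 12) shows up as a missing domain transition (xguest_t instead of xguest_java_t, as noted in comment 11). The function names avc_summary, avc_names and java_domains are my own; the sample records are copied from the comments named above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.

# AVC records copied from comment 1 of the bug, one record per line.
SAMPLE_AVC='type=AVC msg=audit(11/10/2016 18:00:35.573:1850) : avc:  denied  { read } for  pid=128574 comm=java name=loadavg dev=proc ino=4026532033 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/10/2016 18:00:35.573:1851) : avc:  denied  { read } for  pid=128574 comm=java name=meminfo dev=proc ino=4026532034 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/10/2016 18:00:35.573:1852) : avc:  denied  { read } for  pid=128574 comm=java name=cpuinfo dev=proc ino=4026532030 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file'

# "ps -efZ" lines copied from comment 10 of the bug (columns: LABEL UID PID
# PPID C STIME TTY TIME CMD).
SAMPLE_PS='xguest_u:xguest_r:xguest_t:s0   506        90307   88863  4 14:59 pts/0    00:00:00 java -Xcomp Guest Guest.class
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 90436 4374  0 15:00 pts/1 00:00:00 grep Guest'

# avc_summary: stdin = audit records; stdout = one "allow" line per
# (source type, target type, class), with the union of the denied
# permissions, in first-seen order. This is input for review, not a policy
# module to install as-is.
avc_summary() {
    grep -E 'avc: +denied' | awk '
    {
        # the denied permissions sit between "{" and "}"
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
        for (k = 1; k <= count; k++)
            printf "allow %s { %s };\n", keys[k], seen[keys[k]]
    }'
}

# avc_names: stdin = audit records; stdout = the name= field of each AVC
# denial, in order (here: which /proc files java tried to open).
avc_names() {
    grep -E 'avc: +denied' | sed -n 's/.* name=\([^ ]*\).*/\1/p'
}

# java_domains: stdin = "ps -efZ" output; stdout = "<pid> <type>" for every
# process whose command is java. With the stock label (java_exec_t) an
# xguest login should get xguest_java_t; xguest_t means no transition
# happened, i.e. the binary no longer carries java_exec_t.
java_domains() {
    awk '$9 ~ /(^|\/)java$/ { split($1, ctx, ":"); print $3, ctx[3] }'
}

# Stand-alone run over the samples above.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_names
printf '%s\n' "$SAMPLE_PS" | java_domains
```

On a live system the same functions can be fed from `ausearch -m avc -ts recent | avc_summary` and `ps -efZ | java_domains`; as comment 1 and comment 6 show, the /proc denials only appear in the audit log after `semodule -DB` has disabled the dontaudit rules, so an empty avc_summary does not by itself mean the process was allowed the access.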

Comment 13 Lukas Vrabec 2016-11-14 13:04:33 UTC
Ok,
What is the state of this issue? Do we see any denials caused by SELinux?
Could you attach them?

Thanks.

Comment 14 Milos Malik 2016-11-14 13:09:55 UTC
SELinux denials are recorded in comment#1. If /usr/bin/java is labeled according to policy then comment#6 problems appear.

Comment 19 errata-xmlrpc 2017-03-21 09:49:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html

