label jspawnhelper bin_t

jspawnhelper is executed when using java's ProcessBuilder.start () or Runtime.exec (). I'm seeing a denial for 'lib_t:file execute_no_trans' because jspawnhelper was labeled lib_t. bin_t seems to be more correct as this can be executed. https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/jspawnhelper/jspawnhelper.c Signed-off-by: Dave Sugar <[email protected]>
SELinuxProject · Dec 17, 2024 · 4ec0e06 · 4ec0e06
1 parent 63f0c51
commit 4ec0e06
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
@@ -210,6 +210,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gnome-settings-daemon/.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gvfs/gvfs.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/lib/jspawnhelper	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]+/libexec/kf5/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)