Possible missing rule for ssh -> java

[io7m]

Hello!

Apologies if this is not a bug. I'm not entirely clear on what constitutes a policy issue and what constitutes something that should just be fixed locally with audit2allow. I'm running on Debian Bookworm 12.1, and the policy version seems to be 2:2.20221101-9 according to dpkg.

If I have a confined user user_u logged in via SSH, they're unable to execute /usr/bin/java. The specific audit message is:

type=AVC msg=audit(1690449095.045:5358): avc:  denied  { use } for  pid=37681 comm="java" path="/dev/pts/2" dev="devpts" ino=5 scontext=user_u:user_r:java_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=0

The suggested audit2allow rule is:

#============= java_t ==============
# src="java_t" tgt="sshd_t" class="fd", perms="use"
# comm="java" exe="" path=""
allow java_t sshd_t:fd use;

The use case here is a Jenkins agent; the Jenkins server logs into a machine over SSH and executes a Java agent that's then used to accept commands from the server to check out and build code.

[github-actions]

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.

[github-actions]

Closing stale PR.