Bug 147646
Summary: | Java plugin denials | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | Severity: | medium |
Priority: | medium | Version: | rawhide |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2005-02-20 12:49:16 UTC |
Description
Ivan Gyurdiev
2005-02-10 00:40:50 UTC
Did today's policy relabel java correctly? selinux-policy-strict-1.21.11-3

Yeah, I saw it relabel. It changed everything from javap to javac to java in several directories. What are the consequences of this for running other java programs, or compiling java programs, or doing javap?

============

But see, the curious thing is - java runs under user_t. I had not noticed this before since I wasn't paying attention - thought it looked like user_mozilla_t, but now I see this isn't so. Given that, it's not surprising I still get denials, because the transition is from mozilla_t to java_t, not from user_t to java_t. I get a pair of those every time I start firefox.

audit(1108055774.690:0): avc: denied { execute } for pid=12018 comm=java path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1108055774.692:0): avc: denied { execmod } for pid=12018 comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t tclass=file

Ok closing this bug, since it contains inaccurate information. Java does transition properly - the denials above are for something else. I do get all kinds of other denials with the user_mozilla_java_t type, but I can send patches for those.
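
The following is an added example, not part of the bug report or of the selinux-policy project: a small Python parser for AVC denial records in the format quoted above, which groups denials by command and source domain so that the domain a denied process ran in (here `user_t`) is visible at a glance. The function names `parse_avc` and `summarize` are hypothetical; the sample input is the two records from this report.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this bug report, copied as they appear there.
SAMPLE = """\
audit(1108055774.690:0): avc: denied { execute } for pid=12018 comm=java path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1108055774.692:0): avc: denied { execmod } for pid=12018 comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t tclass=file
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "perms": m["perms"].split()}
    # Remaining fields are key=value pairs; values may be quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type (an MLS range may follow).
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize(text):
    """Map (comm, source type) -> sorted list of (perm, target type, class)."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                out[(rec.get("comm"), rec["scontext_type"])].add(
                    (perm, rec["tcontext_type"], rec.get("tclass")))
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for (comm, domain), denials in summarize(SAMPLE).items():
        print(f"{comm} running as {domain}:")
        for perm, ttype, tclass in denials:
            print(f"  denied {perm} on {ttype}:{tclass}")
```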