Bug 147646
| Summary: | Java plugin denials | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
| Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-02-20 12:49:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Did today's policy relabel java correctly? selinux-policy-strict-1.21.11-3 Yeah I saw it relabel. It changed everything from javap to javac to java
in several directories. What are the consequences of this for running
other java programs, or compiling java programs, or doing javap?
============
But see, the curious thing is - java runs under user_t.
I had not noticed this before since I wasn't paying attention - thought
it looked liked user_mozilla_t, but now I see this isn't so.
Given that, it's not surprising I still get denials, because
the transition is from mozilla_t to java_t, not from user_t to java_t.
I get a pair of those every time I start firefox.
audit(1108055774.690:0): avc: denied { execute } for pid=12018 comm=java
path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t
tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1108055774.692:0): avc: denied { execmod } for pid=12018 comm=java
path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
Ok closing this bug, since it contains inaccurate information. Java does transition properly - the denials above are for something else. I do get all kinds of other denials with the user_mozilla_java_t type, but I can send patches for those. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8 Description of problem: Filing bug to keep track of this issue: ======================================== I still get Java denials because I don't think you're labeling the right thing. On my system I have /usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/bin/java /usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/java /usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/java_vm /usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/javaws Those are provided by the jpackage java SRPM. I don't know if this is intentional or not, but the regexp covers only the last two, and I still get denials: audit(1107901873.079:0): avc: denied { execute } for pid=5779 comm=java path=/etc/ld.so.cache dev=dm-0 ino=667980 scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t tclass=file audit(1107901873.080:0): avc: denied { execmod } for pid=5779 comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113702 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t tclass=file audit(1107901873.080:0): avc: denied { execmod } for pid=5779 comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630 scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t tclass=file audit(1107901873.653:0): avc: denied { execute } for pid=5779 comm=java path=/usr/lib/locale/locale-archive dev=dm-0 ino=1029913 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file Version-Release number of selected component (if applicable): selinux-policy-strict-1.21.11-2 How reproducible: Didn't try Steps to Reproduce: Additional info: