Bug 316041

Summary: SELinux alert when browsing to an applet page
Product: [Fedora] Fedora Reporter: Thomas Fitzsimmons <fitzsim>
Component: selinux-policy-targeted    Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: low    
Version: rawhide    CC: aph, dwalsh, mcepl, xgl-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.0.8-24.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-29 20:56:29 UTC Type: ---
Attachments:
    stdout/stderr of firefox trying to reproduce the bug with http://www4.passur.com/bos.html (flags: none)
    output of setroubleshooter (flags: none)
    /var/log/audit/audit.log (flags: none)

Description Thomas Fitzsimmons 2007-10-02 20:24:36 UTC
I'm seeing this alert on Rawhide, when loading any applet in Firefox through
java-1.7.0-icedtea-plugin:

Summary
    SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "use" to /SYSV00000000
    (deleted) (java_t).

Detailed Description
    SELinux denied access requested by /usr/bin/Xorg. It is not expected that
    this access is required by /usr/bin/Xorg and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:xdm_xserver_t:SystemLow-
                              SystemHigh
Target Context                system_u:system_r:java_t
Target Objects                /SYSV00000000 (deleted) [ fd ]
Affected RPM Packages         xorg-x11-server-Xorg-1.3.0.0-24.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.20-2925.9.fc7xen
                              #1 SMP Tue May 22 08:53:03 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Tue 02 Oct 2007 02:29:38 PM EDT
Last Seen                     Tue 02 Oct 2007 04:16:14 PM EDT
Local ID                      873e6377-72a0-459e-b4ff-9c2890c04b3e
Line Numbers                  

Raw Audit Messages            

avc: denied { use } for comm=X dev=tmpfs egid=0 euid=0 exe=/usr/bin/Xorg
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=SYSV00000000
path=2F535953563030303030303030202864656C6574656429 pid=2319
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fd
tcontext=system_u:system_r:java_t:s0 tty=tty7 uid=0

Steps to reproduce:

On a Rawhide machine:

1. install java-1.7.0-icedtea-plugin
2. start Firefox
3. browse to any applet-containing web page, e.g.: http://thisiscool.com/
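
The raw audit message above is the record that actually matters for diagnosis; setroubleshoot only reformats it (the Target Objects line is the decoded form of the path= field). As an added example, not part of this bug report and not code from any Fedora or SELinux tool, here is a small Python parser for an AVC line: it decodes the hex-encoded path= value that auditd emits for names containing spaces, pulls the source and target types out of the contexts, and prints the allow rule that audit2allow would put into the "local policy module" the alert text suggests. The sample line is the one quoted in this report; the function names and the extra constructed log lines are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the raw AVC message from this bug report joined onto one
# line, plus a non-AVC record and a "granted" record to show they are handled.
SAMPLE_LOG: List[str] = [
    "type=SYSCALL msg=audit(1191356978.123:42): arch=40000003 syscall=5 "
    "success=no exit=-13 pid=2319 comm=X exe=/usr/bin/Xorg",
    "avc: denied { use } for comm=X dev=tmpfs egid=0 euid=0 exe=/usr/bin/Xorg "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=SYSV00000000 "
    "path=2F535953563030303030303030202864656C6574656429 pid=2319 "
    "scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fd "
    "tcontext=system_u:system_r:java_t:s0 tty=tty7 uid=0",
    "avc: granted { read } for pid=1 comm=\"init\" "
    "scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 "
    "tclass=file",
]

_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields auditd hex-encodes (unquoted, even number of hex digits) whenever the
# value contains a space, quote or control character. Plain values of these
# fields are normally quoted, which is how the two cases are told apart.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "cwd", "proctitle", "exe"}


def decode_audit_field(key: str, value: str) -> str:
    """Return the plain value of one key=value pair from an audit record."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if (key in HEX_ENCODED_FIELDS and len(value) >= 2 and len(value) % 2 == 0
            and all(c in "0123456789abcdefABCDEF" for c in value)):
        # e.g. 2F5359...29 -> "/SYSV00000000 (deleted)": a System V shared
        # memory segment (key 0 = IPC_PRIVATE) on the kernel's internal tmpfs,
        # which is why dev=tmpfs appears in the record.
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC line into verdict, permission list and decoded fields.
    Returns None for records that are not AVC messages."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_field(k, v) for k, v in _KV_RE.findall(m.group("rest"))}
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(), "fields": fields}


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def to_allow_rule(record: Dict[str, object]) -> str:
    """The rule audit2allow would generate for a denied record."""
    f = record["fields"]
    perms = record["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {context_type(f['scontext'])} {context_type(f['tcontext'])}:{f['tclass']} {perm_str};"


def denied_rules(lines: List[str]) -> List[str]:
    """Allow rules for every denial in a log, in order; non-AVC lines are skipped."""
    rules = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            rules.append(to_allow_rule(rec))
    return rules


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        print(f"{rec['verdict']}: {context_type(f['scontext'])} -> "
              f"{context_type(f['tcontext'])}:{f['tclass']} {rec['perms']} "
              f"path={f.get('path', '-')}")
    print("\n".join(denied_rules(SAMPLE_LOG)))
```

The rule this prints, `allow xdm_xserver_t java_t:fd use;`, is what a local module built with audit2allow would contain; in this bug the change went into the distribution policy instead (selinux-policy-3.0.8-17.fc8 and then 3.0.8-24.fc8, per the comments below), which is the right place for a denial that every user of the plugin hits.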

Comment 1 Matěj Cepl 2007-10-02 21:21:03 UTC
Created attachment 214051
stdout/stderr of firefox trying to reproduce the bug with http://www4.passur.com/bos.html

We are not sure whether this is a Java problem or an SELinux problem, but if it
really means that SELinux wants to deny something to the Xorg server, then it is
probably a problem of policy, because (according to ajax) "pretty much anything
an xdm_xserver_t process wants to do ought to be allowed by the policy".

Moreover, when trying to reproduce the bug with Rawhide (in kvm-guest), it
didn't work. Apparently not because of selinux -- see attached. BTW, the very
same URL works for me without a problem with F7 and
java-1.7.0-icedtea-plugin-1.7.0.0-0.14.b18.snapshot.fc8

Comment 2 Thomas Fitzsimmons 2007-10-02 21:36:54 UTC
(In reply to comment #1)
> Created an attachment (id=214051)
> stdout/stderr of firefox trying to reproduce the bug with
> http://www4.passur.com/bos.html
> 
> We are not sure whether this is a Java problem or an SELinux problem, but if it
> really means that SELinux wants to deny something to the Xorg server, then it is
> probably a problem of policy, because (according to ajax) "pretty much anything
> an xdm_xserver_t process wants to do ought to be allowed by the policy".
> 
> Moreover, when trying to reproduce the bug with Rawhide (in kvm-guest), it
> didn't work. Apparently not because of selinux -- see attached.

You'll see this error running any applet that accesses timezone data.  It is
currently being addressed:

https://bugzilla.redhat.com/show_bug.cgi?id=314211

In the meantime, browsing to the example URL I gave should reproduce the SELinux
alert:

http://thisiscool.com/

> BTW, the very
> same URL works for me without a problem with F7 and
> java-1.7.0-icedtea-plugin-1.7.0.0-0.14.b18.snapshot.fc8

You mean http://www4.passur.com/bos.html in reference to the user.zoneinfo.dir
issue?  Or http://thisiscool.com/ in reference to the SELinux issue?


Comment 3 Daniel Walsh 2007-10-03 16:13:23 UTC
Fixed in selinux-policy-3.0.8-17.fc8

Comment 4 Matěj Cepl 2007-10-16 13:42:28 UTC
Created attachment 228741
output of setroubleshooter

Actually, this may really have absolutely nothing to do with Java -- I got the
same problem with SELinux just when starting pup.

Comment 5 Matěj Cepl 2007-10-16 13:48:13 UTC
Created attachment 228751
/var/log/audit/audit.log

Comment 6 Daniel Walsh 2007-10-17 04:00:34 UTC
Fixed in selinux-policy-3.0.8-24.fc8

Comment 7 Thomas Fitzsimmons 2007-11-29 20:56:29 UTC
Fixed in Fedora 8.