Bug 435824

Summary: ibm java plugin is blocked by selinux avc
Product: Red Hat Enterprise Linux 5
Reporter: John Poelstra <poelstra>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: 5.2
CC: ebenes, jjarvis
Target Milestone: beta
Hardware: i386
OS: Linux
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:07:22 UTC

Description John Poelstra 2008-03-04 00:35:53 UTC
Description of problem:

Cannot access java enabled websites because of selinux avc

Version-Release number of selected component (if applicable):
$ rpm -qa | grep java
java-1.5.0-ibm-1.5.0.5-1jpp.4.el5
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.4.el5
java-1.4.2-gcj-compat-1.4.2.0-40jpp.112
java-1.4.2-ibm-1.4.2.9-1jpp.1.el5


How reproducible:
100%

Steps to Reproduce:
1. install java plugin
2. go to http://www.javatester.org/version.html
3. see avc in setroubleshoot
  
Actual results:


Expected results:


Additional info:


Summary:

SELinux is preventing firefox from loading
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so which
requires text relocation.

Detailed Description:

The firefox application attempted to load
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so to use
relocation as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so to run
correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
'/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so'" You must
also change the default file context files on the system in order to preserve
them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so'"

The following command will allow this access:

chcon -t textrel_shlib_t
'/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:java_exec_t
Target Objects                /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so [ file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          screamer
Source RPM Packages           firefox-3.0-0.beta2.11.el5
Target RPM Packages           java-1.5.0-ibm-plugin-1.5.0.5-1jpp.4.el5
Policy RPM                    selinux-policy-2.4.6-121.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     screamer
Platform                      Linux screamer 2.6.18-83.el5 #1 SMP Thu Feb 21 12:14:23 EST 2008 i686 i686
Alert Count                   6
First Seen                    Tue 26 Feb 2008 04:57:16 PM PST
Last Seen                     Mon 03 Mar 2008 04:24:50 PM PST
Local ID                      5ba30d96-04e4-49e8-931f-6c2ed9f1e7dc
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1204590290.67:79): avc:  denied  { execmod } for  pid=6812 comm="firefox" path="/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so" dev=hda2 ino=1912907 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=file

host=screamer type=SYSCALL msg=audit(1204590290.67:79): arch=40000003 syscall=125 success=no exit=-13 a0=504000 a1=18000 a2=5 a3=bf8a28a0 items=0 ppid=6787 pid=6812 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.0b3pre/firefox" subj=user_u:system_r:unconfined_t:s0 key=(null)
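
As an added example, not part of this bug report or of the selinux-policy package: a small POSIX shell script that triages execmod AVC records the way the setroubleshoot text above describes, but checks first that the library really carries a text relocation before proposing the textrel_shlib_t relabel, so the execmod exception (which disables the W^X memory protection for that one file) is only suggested where it is actually needed. It assumes readelf from binutils and the semanage/restorecon tools are installed; the first sample audit line is the record from this report, the second is a constructed, unrelated denial that must be ignored. Using restorecon after semanage instead of a bare chcon is this example's choice, not the setroubleshoot wording.

```shell
#!/bin/sh
# Added example (not from the bug report): triage execmod denials and only
# propose the textrel_shlib_t workaround for libraries that carry TEXTREL.
# SAMPLE_AUDIT is constructed: line 1 is the AVC record from this report,
# line 2 is a made-up read denial that must not be relabeled.
SAMPLE_AUDIT='host=screamer type=AVC msg=audit(1204590290.67:79): avc:  denied  { execmod } for  pid=6812 comm="firefox" path="/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so" dev=hda2 ino=1912907 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=file
host=screamer type=AVC msg=audit(1204590300.11:80): avc:  denied  { read } for  pid=6812 comm="firefox" path="/etc/constructed-example" dev=hda2 ino=4242 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Read audit records on stdin; print the path of every execmod denial on a file.
# Other permissions (read, write, ...) are deliberately skipped: relabeling to
# textrel_shlib_t only answers the "requires text relocation" case.
execmod_paths() {
  grep 'type=AVC' | grep 'denied *{ execmod }' | grep 'tclass=file' \
    | sed -n 's/.*path="\([^"]*\)".*/\1/p'
}

# True only if the library's dynamic section really carries the TEXTREL flag
# (DT_TEXTREL or FLAGS TEXTREL). Needs readelf; if readelf is missing or the
# file does not exist this returns false, so nothing uninspected gets relabeled.
has_textrel() {
  readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}

# Emit (do not run) the persistent relabel: semanage records the rule so it
# survives a full relabel, restorecon applies it to the file now.
textrel_fix_commands() {
  printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$1"
  printf "restorecon -v '%s'\n" "$1"
}

# Stand-alone run: report each denied library and the workaround, if justified.
printf '%s\n' "$SAMPLE_AUDIT" | execmod_paths | while read -r lib; do
  if has_textrel "$lib"; then
    echo "# $lib has TEXTREL; workaround until the package is fixed:"
    textrel_fix_commands "$lib"
  else
    echo "# $lib: TEXTREL not confirmed (file or readelf missing); not relabeling"
  fi
done
```

On a real host, replace SAMPLE_AUDIT with `ausearch -m avc -ts recent` output; the script never applies the commands itself, it only prints them for review. The lasting fix in this bug was a policy update (selinux-policy-2.4.6-124.el5) that labels the plugin correctly, which is why the relabel is presented as a workaround.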

Comment 1 John Poelstra 2008-03-04 00:37:55 UTC
I believe the business justification, etc. is obvious here... the plug-in
doesn't work at all and should only require a simple change to the selinux policy

Comment 2 Thomas Fitzsimmons 2008-03-04 15:34:47 UTC
Reassigning to Dan Walsh.

Comment 3 Daniel Walsh 2008-03-04 20:50:42 UTC
Fixed in selinux-policy-2.4.6-124.el5

Comment 8 errata-xmlrpc 2008-05-21 16:07:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html