Bug 851969

Marko,
what does

# id -Z

localhost:~> id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
localhost:~>

ls -ldZ /home/testuser

I think you need to relabel this directory.

restorecon -R -v /home

# useradd testuser
# passwd testuser
Changing password for user testuser.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
# ls -dZ /home/testuser/
drwx------. testuser testuser unconfined_u:object_r:user_home_dir_t:s0 /home/testuser/
#

$ ssh -X testuser.122.55
testuser.122.55's password: 
/usr/bin/xauth:  creating new authority file /home/testuser/.Xauthority
[testuser@rhel64 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[testuser@rhel64 ~]$ restorecon -Rv ~/
[testuser@rhel64 ~]$ rm -rf .icedtea
[testuser@rhel64 ~]$ firefox http://javatester.org/version.html
failed to create drawable
failed to create drawable
GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details -  1: Failed to get connection to session: /bin/dbus-launch terminated abnormally without any error message)
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.1) (rhel-1.45.1.11.1.el6-i386)
OpenJDK Client VM (build 20.0-b12, mixed mode)
[testuser@rhel64 ~]$ restorecon -Rv ~/
restorecon reset /home/testuser/.icedtea context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/cache context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/cache/recently_used context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/security context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/security/trusted.jssecacerts context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/security/trusted.jssecerts context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/security/trusted.cacerts context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/security/trusted.clientcerts context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/testuser/.icedtea/security/trusted.certs context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:user_home_t:s0
[testuser@rhel64 ~]$

No matter how many times I repeat the last 3 commands,  ~/.icedtea directory is always created mislabelled.

(In reply to comment #4)
> ls -ldZ /home/testuser
> 
> I think you need to relabel this directory.
> 
> restorecon -R -v /home

As Milos noted, this doesn't help. But it turns out that when creating a new user and logging via GDM with the following steps

# restorecon -R /home
# useradd testuser
# passwd testuser
## GDM/GNOME login / logout as testuser

then restorecon -R -v /home/testuser reveals that in addition to .icedtea several other files are mislabelled as well, including files under .gnupg and .dbus.

This should be trivial to reproduce. Thanks.

Marko,
what does

# ps -efZ |grep restore

localhost:~> ps -efZ | grep '[r]estore'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 testuser 2792 2628
 0 10:50 ? 00:00:00 /usr/sbin/restorecond -u
localhost:~>

Well that would only be running if the user was logged in via gdm.  Since he is logging in via ssh, the files will be mislabeled until restorecond -u runs.  This is an issue we have fixed in RHEL7 with filename_translations, but really can not fix it on RHEL6.

(In reply to comment #9)
> Well that would only be running if the user was logged in via gdm.  Since he
> is logging in via ssh, the files will be mislabeled until restorecond -u
> runs.  This is an issue we have fixed in RHEL7 with filename_translations,
> but really can not fix it on RHEL6.

I didn't use SSH but a local login via GDM when I reported this.

Thanks.

Ok I am looking at this closer now,  I did not see that the content was labeled as userdom_home_dir_t rather then user_home_t.  What process is creating the .icetea directory?  Is this created via ssh -X command?

(In reply to comment #11)
> Ok I am looking at this closer now,  I did not see that the content was
> labeled as userdom_home_dir_t rather then user_home_t.  What process is
> creating the .icetea directory?  Is this created via ssh -X command?

No ssh used, see comment 0. When running "firefox http://javatester.org/version.html" firefox will start "java" to show the applet which in turn creates .icedtea if OpenJDK is in use. But as I noted in comment 6 this seems not to be limited to firefox/java, there are also quite a few mislabeled files after initial user login.

Thanks.

We are not able fix this issue in RHEL6. We have  restorecond for this. 

Milos, 
does it work for you if you don't use ssh?

When I log into my RHEL-6.4 machine and follow the scenario I see the same "restorecon reset" messages as Marko. /home/testuser/.icedtea/security is labelled user_home_dir_t instead of user_home_t.

Is restorecond running for your session?

(In reply to comment #15)
> Is restorecond running for your session?

ssh was not involved at all when this was reported originally, see comment 0 and comment 10. And as stated in comment 8 restorecond is running. Also see comment 6 and comment 12 - mislabeled files are not just under .icedtea but include files for example under .gpg and .dbus.

Thanks.