Bug 964417

Summary: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64
Product: Fedora
Reporter: Dandim <dan.dim>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, jon.vanalten, mgrepl
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.11.1-98.fc18
Doc Type: Bug Fix
Clones: 976487
Last Closed: 2013-07-25 00:37:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Bug Blocks: 976487

Description Dandim 2013-05-18 11:03:15 UTC
Description of problem:
Visiting a web page with a Java applet.
The applet shows an icedtea-web error and SELinux says:
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from create access on the file abc.

*****  Plugin mozplugger (99.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  ***************************

If you believe that java should be allowed create access on the abc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                abc [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jr
                              e/bin/java
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-95.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.2-200.fc18.x86_64
                              #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-05-18 12:07:54 CEST
Last Seen                     2013-05-18 12:53:37 CEST
Local ID                      b0267308-2205-4ccd-97a0-9f3c1c74380f

Raw Audit Messages
type=AVC msg=audit(1368874417.158:1272): avc:  denied  { create } for  pid=12741 comm="java" name="abc" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file


type=SYSCALL msg=audit(1368874417.158:1272): arch=x86_64 syscall=open success=no exit=EACCES a0=7f35d8152830 a1=441 a2=1b6 a3=4 items=0 ppid=12587 pid=12741 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,user_home_dir_t,file,create

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;

audit2allow -R
require {
	type user_home_dir_t;
	type mozilla_plugin_t;
	class file create;
}

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;

SELinux-policy tested version (from koji web): 3.11.1-95.fc18
This command helped me:
setsebool unconfined_mozilla_plugin_transition 0

Comment 1 Miroslav Grepl 2013-05-20 10:13:24 UTC
Yes, the

setsebool unconfined_mozilla_plugin_transition 0

will work for you. Where is "abc" created?

Comment 2 Dandim 2013-05-20 10:22:38 UTC
Yes, the command "setsebool unconfined_mozilla_plugin_transition 0"
helps me.
But it is not safe, or is it?
I don't know :-)

Comment 3 Daniel Walsh 2013-05-20 18:38:11 UTC
Yes, although did we determine whether the file was being created in ~/ or ~/.java, which was mislabeled?

Turning off this boolean basically says the plugins will run without SELinux protections.

restorecon -R -v ~/.java

Comment 4 Dandim 2013-05-20 21:41:30 UTC
Thanks to Miroslav Grepl and Daniel Walsh for helping me! :-)
I do not like disabling SELinux or making exceptions (setsebool).
I used this command:
sudo restorecon -R .icedtea/
It helps me.
I apologize for the unnecessary opening of this thread. :-)
Fedora is the Best ;-)

Comment 5 Miroslav Grepl 2013-05-21 10:44:44 UTC
(In reply to Daniel Walsh from comment #3)
> Yes although did we determine if the file was being created in ~/ or
> ~/.java, which was mislabeled.

Yep, that was my question.

> Where is "abc" created?

from the previous command.

> 
> Turning off this boolean, basically says the plugins will run without
> SELinux protections.
> 
> restorecon -R -v ~/.java


But now we know that it was in the .icedtea/.

Comment 6 Dandim 2013-05-21 11:03:07 UTC
:-/ The bug is back.
The command sudo restorecon -R .icedtea/ does not help me.
The command "setsebool unconfined_mozilla_plugin_transition 0" helps.
The Java application is webcam software.
In the .java folder there is only one file:
.java/fonts/1.7.0_19/fcinfo-1-localhost.localdomain-RedHat-18-cs.properties

Details:
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from write access on the file /home/daniel/.icedtea/cache/recently_used.

*****  Plugin mozplugger (99.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  ***************************

If you believe that java should be allowed write access on the recently_used file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/daniel/.icedtea/cache/recently_used [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jr
                              e/bin/java
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-95.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.2-200.fc18.x86_64
                              #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64
Alert Count                   93
First Seen                    2013-05-18 11:59:28 CEST
Last Seen                     2013-05-21 12:56:07 CEST
Local ID                      4da3f851-2a6f-4832-a6a8-165a1dba306e

Raw Audit Messages
type=AVC msg=audit(1369133767.338:632): avc:  denied  { write } for  pid=7743 comm="java" name="recently_used" dev="dm-2" ino=21105647 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1369133767.338:632): arch=x86_64 syscall=open success=no exit=EACCES a0=13dc4c0 a1=241 a2=1b6 a3=2a items=0 ppid=1 pid=7743 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,user_home_t,file,write

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file write;

audit2allow -R
require {
	type mozilla_plugin_t;
}

#============= mozilla_plugin_t ==============
userdom_manage_user_home_content_files(mozilla_plugin_t)

Comment 7 Miroslav Grepl 2013-05-21 11:42:54 UTC
Yes, because of

# matchpathcon /home/daniel/.icedtea
/home/daniel/.icedtea	unconfined_u:object_r:user_home_t:s


I found a bug in the policy.

You can fix it for now using

# chcon -R -t mozilla_home_t /home/daniel/.icedtea

Comment 8 Dandim 2013-05-24 07:11:25 UTC
If I run "setenforce 0" and use a Java applet in the web browser, this appears in /var/log/messages:
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from getattr access on the file /home/daniel/abc.

*****  Plugin restorecon (57.3 confidence) suggests  *************************

If you want to fix the label. 
/home/daniel/abc default label should be user_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/daniel/abc

*****  Plugin mozplugger (43.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.06 confidence) suggests  ***************************

If you believe that java should be allowed getattr access on the abc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/daniel/abc [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jr
                              e/bin/java
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.3-201.fc18.x86_64
                              #1 SMP Tue May 21 17:02:24 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-05-24 08:52:18 CEST
Last Seen                     2013-05-24 09:00:48 CEST
Local ID                      0df969c3-a859-49b7-b5b8-bd0dde1d0b34

Raw Audit Messages
type=AVC msg=audit(1369378848.852:617): avc:  denied  { getattr } for  pid=14626 comm="java" path="/home/daniel/abc" dev="dm-2" ino=20447285 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file


type=SYSCALL msg=audit(1369378848.852:617): arch=x86_64 syscall=fstat success=yes exit=0 a0=17 a1=7f4a751b3710 a2=7f4a751b3710 a3=4 items=0 ppid=7735 pid=14626 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,user_home_dir_t,file,getattr

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file getattr;

audit2allow -R
require {
        type user_home_dir_t;
        type mozilla_plugin_t;
        class file getattr;
}

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file getattr;

It looks like the target file is /home/daniel/abc, but this file doesn't exist :-/

Comment 9 Miroslav Grepl 2013-05-24 12:52:20 UTC
Did it happen again?

Comment 10 Dandim 2013-05-24 20:00:21 UTC
Yes.
It looks as if openjdk wanted to create a file abc in /home/daniel.
(I found out when I turned off SELinux.)
But no file is created :-/
The only solution is:
setsebool unconfined_mozilla_plugin_transition 0

Comment 11 Miroslav Grepl 2013-05-28 06:52:43 UTC
And any idea what is /home/daniel/abc file?

Comment 12 Dandim 2013-05-28 08:52:00 UTC
No idea :-(
It looks like this:
https://docs.google.com/file/d/0Bz2oc-gXNq_9c2xKbVQwQ09aYzg/edit?usp=sharing
If I run the command:
setsebool unconfined_mozilla_plugin_transition 0
the camera works well:
https://docs.google.com/file/d/0Bz2oc-gXNq_9VWFwWDktemQyMVU/edit?usp=sharing

Comment 13 Daniel Walsh 2013-05-29 21:50:07 UTC
Does the camera app work if SELinux blocks the creation of the abc file?

Comment 14 Daniel Walsh 2013-05-29 21:53:02 UTC
Lots of java docs talk about creating abc file in examples according to google.

Comment 15 Dandim 2013-05-30 08:26:11 UTC
No.
If SELinux is on, the camera doesn't work.
If I run the command setenforce 0 or setsebool unconfined_mozilla_plugin_transition 0,
the camera works.
The file "abc" is never created.
There are always some records in /var/log/messages.
If I run the command setenforce 0, this is in /var/log/messages:
May 30 10:20:43 localhost dbus-daemon[745]: dbus[745]: avc:  received setenforce notice (enforcing=0)
May 30 10:20:47 localhost dbus-daemon[745]: dbus[745]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 30 10:20:47 localhost dbus[745]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 30 10:20:48 localhost dbus[745]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 30 10:20:48 localhost dbus-daemon[745]: dbus[745]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 30 10:20:49 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from create access on the file abc. For complete SELinux messages. run sealert -l b0267308-2205-4ccd-97a0-9f3c1c74380f
May 30 10:20:49 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from create access on the file abc. For complete SELinux messages. run sealert -l b0267308-2205-4ccd-97a0-9f3c1c74380f
May 30 10:20:49 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from getattr access on the file /home/daniel/abc. For complete SELinux messages. run sealert -l 0df969c3-a859-49b7-b5b8-bd0dde1d0b34
May 30 10:20:50 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from unlink access on the file abc. For complete SELinux messages. run sealert -l adb3961b-ccdb-4497-842e-a33d1634aee9

Comment 16 Daniel Walsh 2013-06-06 17:40:51 UTC
============================== CUT =====================================
policy_module(mymozilla, 1.0)
gen_require(`
type mozilla_home_t;
type mozilla_plugin_t;
')
# In a .te file the subject must be a named type; "$1" is only valid inside an
# interface body, so the plugin domain is written out explicitly here.
userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, file, "abc")

=========================================================================

Copy/paste the lines above into a file mymozilla.te then as root execute

make -f /usr/share/selinux/devel/Makefile
semodule -i mymozilla.pp

This should fix your problem.
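The thread walks through three different remedies for AVC denials: the audit2allow allow rule from the description's catchall suggestion, the relabel (matchpathcon/chcon/restorecon) from comment 7, and the file-transition rule from comment 16. The following script is an added example, not setroubleshoot, audit2allow or Fedora policy code: it parses raw `type=AVC` records like the three pasted in this bug and picks which of those remedies applies. The `FILE_CONTEXTS` table is constructed for the example and is not the Fedora policy's own; the matchpathcon-style "last matching entry wins" lookup and the `triage` heuristics are this example's assumptions.

```python
"""Triage of SELinux AVC denials (added example for bug 964417).

Not setroubleshoot, audit2allow or Fedora policy code.  For each denied AVC
record it picks the remedy this thread ends up discussing:
  RELABEL   - the target's actual type differs from the file_contexts spec
              (comment 7: matchpathcon, chcon, restorecon)
  FILETRANS - a domain creates a new file directly in a generic home-dir type
              (comment 16: a filetrans rule gives the file a private type)
  ALLOW     - neither applies; fall back to the audit2allow-style rule
FILE_CONTEXTS is CONSTRUCTED for the example and is not Fedora's policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}')
_FIELD_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')

# (regex, expected type).  As with matchpathcon, the LAST matching entry wins,
# so the more specific ~/.icedtea spec is listed after the generic home specs.
FILE_CONTEXTS = [
    (r'/home/[^/]+', 'user_home_dir_t'),
    (r'/home/[^/]+/.+', 'user_home_t'),
    (r'/home/[^/]+/\.icedtea(/.*)?', 'mozilla_home_t'),
]

@dataclass
class Denial:
    perms: List[str]
    comm: str
    path: Optional[str]   # full path, only when the kernel logged path=
    name: Optional[str]   # otherwise just the final component (name=)
    stype: str            # source domain, e.g. mozilla_plugin_t
    ttype: str            # target type, e.g. user_home_t
    tclass: str

def _type_of(context: str) -> str:
    """user_u:role_r:type_t:s0-s0:c0.c1023 -> type_t"""
    return context.split(':')[2]

def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit record; returns None for anything but a denied AVC."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return Denial(perms=m.group('perms').split(), comm=fields.get('comm', '?'),
                  path=fields.get('path'), name=fields.get('name'),
                  stype=_type_of(fields['scontext']),
                  ttype=_type_of(fields['tcontext']), tclass=fields['tclass'])

def expected_type(path: str) -> Optional[str]:
    """matchpathcon-style lookup over FILE_CONTEXTS (last full match wins)."""
    result = None
    for pattern, etype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            result = etype
    return result

def allow_rule(d: Denial) -> str:
    """The rule audit2allow prints for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.stype} {d.ttype}:{d.tclass} {perms};'

def triage(d: Denial, resolved_path: Optional[str] = None) -> str:
    """Classify a denial.  Records that carry only name= (comment 6's write
    denial) can be given the path setroubleshoot resolved from dev/ino."""
    path = resolved_path or d.path
    if path is not None:
        want = expected_type(path)
        if want is not None and want != d.ttype:
            return f'RELABEL: restorecon -v {path} (is {d.ttype}, should be {want})'
    if 'create' in d.perms and d.ttype.endswith('_home_dir_t'):
        return (f'FILETRANS: {d.stype} creates "{d.name}" directly in a '
                f'{d.ttype} directory; give it a private type with a filetrans rule')
    return f'ALLOW: {allow_rule(d)}'

def triage_log(lines: List[str]) -> List[str]:
    """Verdict for every denied AVC record in an audit log excerpt."""
    return [triage(d) for d in map(parse_avc, lines) if d is not None]

# Constructed excerpt: the three AVC records from this bug plus one SYSCALL line.
SAMPLE_LOG = [
    'type=AVC msg=audit(1368874417.158:1272): avc:  denied  { create } for  pid=12741 comm="java" name="abc" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1368874417.158:1272): arch=x86_64 syscall=open success=no exit=EACCES comm=java',
    'type=AVC msg=audit(1369133767.338:632): avc:  denied  { write } for  pid=7743 comm="java" name="recently_used" dev="dm-2" ino=21105647 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1369378848.852:617): avc:  denied  { getattr } for  pid=14626 comm="java" path="/home/daniel/abc" dev="dm-2" ino=20447285 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file',
]

if __name__ == '__main__':
    for verdict in triage_log(SAMPLE_LOG):
        print(verdict)
```

On the sample records the create of "abc" in a user_home_dir_t directory is classed as a file-transition case (comment 16), the getattr on /home/daniel/abc is classed as a relabel because a file under a home directory should not carry the directory's type (the same conclusion as the restorecon plugin in comment 8), and the write to recently_used falls through to the allow rule because the kernel logged only name=, not the full path; passing the "Target Objects" path from comment 6 as `resolved_path` turns it into the relabel to mozilla_home_t that comment 7 applied with chcon.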

Comment 17 Daniel Walsh 2013-06-06 17:42:36 UTC
4b449a1b96671e991441b2eea90c2a60612030e7 fixes this in git.

Comment 18 Miroslav Grepl 2013-06-07 08:03:46 UTC
Backported.

Comment 19 Jon VanAlten 2013-06-19 20:14:41 UTC
This is also affecting f17, any chance of the fix being backported there?

Comment 20 Miroslav Grepl 2013-06-19 20:47:38 UTC
Could you please open a new bug for F17. Thank you.

Comment 21 Fedora Update System 2013-06-27 13:33:11 UTC
selinux-policy-3.11.1-98.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-98.fc18

Comment 22 Fedora Update System 2013-06-28 06:07:26 UTC
Package selinux-policy-3.11.1-98.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-98.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11859/selinux-policy-3.11.1-98.fc18
then log in and leave karma (feedback).

Comment 23 Dandim 2013-06-28 15:23:59 UTC
Bug fixed, thanks.

Comment 24 Fedora Update System 2013-07-25 00:37:05 UTC
selinux-policy-3.11.1-98.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.