Bug 964417
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64 |
| Product | Fedora |
| Component | selinux-policy |
| Version | 18 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Dandim <dan.dim> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, jon.vanalten, mgrepl |
| Keywords | Reopened |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | selinux-policy-3.11.1-98.fc18 |
| Doc Type | Bug Fix |
| Type | Bug |
| Clones | 976487 |
| Bug Blocks | 976487 |
| Last Closed | 2013-07-25 00:37:05 UTC |
Description (Dandim, 2013-05-18 11:03:15 UTC):
Yes, the setsebool unconfined_mozilla_plugin_transition 0 will work for you.

Where is "abc" created?

Yes, the command "setsebool unconfined_mozilla_plugin_transition 0" helps me. But is it safe, or isn't it? I don't know :-)

Yes, although did we determine if the file was being created in ~/ or ~/.java, which was mislabeled? Turning off this boolean basically says the plugins will run without SELinux protections.

    restorecon -R -v ~/.java

Thanks to Miroslav Grepl and Daniel Walsh for helping me! :-) I do not like disabling SELinux or making exceptions (setsebool). I used this command:

    sudo restorecon -R .icedtea/

That helps for me. I apologize for unnecessarily opening this thread. :-) Fedora is the Best ;-)

(In reply to Daniel Walsh from comment #3)
> Yes although did we determine if the file was being created in ~/ or
> ~/.java, which was mislabeled.

Yeap, there was my question.

> Where is "abc" created?

from the previous command.

> Turning off this boolean, basically says the plugins will run without
> SELinux protections.
>
> restorecon -R -v ~/.java

But now we know that it was in the .icedtea/. :-/

Bug is back. The command sudo restorecon -R .icedtea/ does not help me; the command "setsebool unconfined_mozilla_plugin_transition 0" helps. The Java application is webcam software. In the .java folder there is only one file: .java/fonts/1.7.0_19/fcinfo-1-localhost.localdomain-RedHat-18-cs.properties

Details:

```
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from write access on the file /home/daniel/.icedtea/cache/recently_used.

*****  Plugin mozplugger (99.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  ***************************

If you believe that java should be allowed write access on the recently_used file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/daniel/.icedtea/cache/recently_used [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-95.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64
Alert Count                   93
First Seen                    2013-05-18 11:59:28 CEST
Last Seen                     2013-05-21 12:56:07 CEST
Local ID                      4da3f851-2a6f-4832-a6a8-165a1dba306e

Raw Audit Messages
type=AVC msg=audit(1369133767.338:632): avc:  denied  { write } for  pid=7743 comm="java" name="recently_used" dev="dm-2" ino=21105647 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1369133767.338:632): arch=x86_64 syscall=open success=no exit=EACCES a0=13dc4c0 a1=241 a2=1b6 a3=2a items=0 ppid=1 pid=7743 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,user_home_t,file,write

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file write;

audit2allow -R

require {
	type mozilla_plugin_t;
}

#============= mozilla_plugin_t ==============
userdom_manage_user_home_content_files(mozilla_plugin_t)
```

Yes, because of

```
# matchpathcon /home/daniel/.icedtea
/home/daniel/.icedtea	unconfined_u:object_r:user_home_t:s
```

I found a bug in the policy. You can fix it for now using

```
# chcon -R -t mozilla_home_t /home/daniel/.icedtea
```

If I run "setenforce 0" and use a Java applet in the web browser, in /var/log/messages there is this:

```
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from getattr access on the file /home/daniel/abc.

*****  Plugin restorecon (57.3 confidence) suggests  *************************

If you want to fix the label.
/home/daniel/abc default label should be user_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/daniel/abc

*****  Plugin mozplugger (43.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.06 confidence) suggests  ***************************

If you believe that java should be allowed getattr access on the abc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/daniel/abc [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.3-201.fc18.x86_64 #1 SMP Tue May 21 17:02:24 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-05-24 08:52:18 CEST
Last Seen                     2013-05-24 09:00:48 CEST
Local ID                      0df969c3-a859-49b7-b5b8-bd0dde1d0b34

Raw Audit Messages
type=AVC msg=audit(1369378848.852:617): avc:  denied  { getattr } for  pid=14626 comm="java" path="/home/daniel/abc" dev="dm-2" ino=20447285 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file

type=SYSCALL msg=audit(1369378848.852:617): arch=x86_64 syscall=fstat success=yes exit=0 a0=17 a1=7f4a751b3710 a2=7f4a751b3710 a3=4 items=0 ppid=7735 pid=14626 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,user_home_dir_t,file,getattr

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file getattr;

audit2allow -R

require {
	type user_home_dir_t;
	type mozilla_plugin_t;
	class file getattr;
}

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file getattr;
```

It looks like the target file is /home/daniel/abc, but this file doesn't exist :-/

Did it happen again?

Yes. It looks as if openjdk wanted to create a file abc in /home/daniel. (I found out when I turned off SELinux.) But no file is created :-/ The only solution is: setsebool unconfined_mozilla_plugin_transition 0

And any idea what the /home/daniel/abc file is?

No idea :-( It looks like this: https://docs.google.com/file/d/0Bz2oc-gXNq_9c2xKbVQwQ09aYzg/edit?usp=sharing

If I run the command setsebool unconfined_mozilla_plugin_transition 0, the camera works well: https://docs.google.com/file/d/0Bz2oc-gXNq_9VWFwWDktemQyMVU/edit?usp=sharing

Does the camera app work if SELinux blocks the creation of the abc file? Lots of Java docs talk about creating an abc file in examples, according to Google.

No. If SELinux is on, the camera doesn't work. If I run the command setenforce 0 or setsebool unconfined_mozilla_plugin_transition 0, the camera works. The file "abc" is never created. In /var/log/messages there are always some records. If I run the command setenforce 0, in /var/log/messages:

```
May 30 10:20:43 localhost dbus-daemon[745]: dbus[745]: avc:  received setenforce notice (enforcing=0)
May 30 10:20:47 localhost dbus-daemon[745]: dbus[745]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 30 10:20:47 localhost dbus[745]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 30 10:20:48 localhost dbus[745]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 30 10:20:48 localhost dbus-daemon[745]: dbus[745]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 30 10:20:49 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from create access on the file abc. For complete SELinux messages. run sealert -l b0267308-2205-4ccd-97a0-9f3c1c74380f
May 30 10:20:49 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from create access on the file abc. For complete SELinux messages. run sealert -l b0267308-2205-4ccd-97a0-9f3c1c74380f
May 30 10:20:49 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from getattr access on the file /home/daniel/abc. For complete SELinux messages. run sealert -l 0df969c3-a859-49b7-b5b8-bd0dde1d0b34
May 30 10:20:50 localhost setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from unlink access on the file abc. For complete SELinux messages. run sealert -l adb3961b-ccdb-4497-842e-a33d1634aee9
```

```
============================== CUT =====================================
policy_module(mymozilla, 1.0)

gen_require(`
	type mozilla_home_t;
	type mozilla_plugin_t;
')

# Source domain is the plugin itself; a file named "abc" that it creates
# directly in the user's home directory is labelled mozilla_home_t.
# ($1 is only meaningful inside an interface definition, not in a .te file.)
userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, file, "abc")
=========================================================================
```

Copy/paste the lines above into a file mymozilla.te, then as root execute

```
make -f /usr/share/selinux/devel/Makefile
semodule -i mymozilla.pp
```

This should fix your problem.

4b449a1b96671e991441b2eea90c2a60612030e7 fixes this in git. Back ported.

This is also affecting f17, any chance of the fix being backported there?

Could you please open a new bug for F17. Thank you.

selinux-policy-3.11.1-98.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-98.fc18

Package selinux-policy-3.11.1-98.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-98.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11859/selinux-policy-3.11.1-98.fc18
then log in and leave karma (feedback).

Bug fixed, thanks.

selinux-policy-3.11.1-98.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
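A small triage helper, added here as an example and not part of this bug or the selinux-policy package: it parses the two AVC records quoted in the thread (re-typed as constructed sample input), shows the over-broad allow rule audit2allow would derive from each, and maps each target type to the label-based fix the thread ends up with (a file-name transition for the file created directly in ~, a relabel for the mislabelled ~/.icedtea content). The function names and diagnosis strings are my own.

```python
import os
import re

# Two AVC records constructed from the denials quoted in this bug
# (pids, inodes and timestamps copied from the report, whitespace normalised).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1369133767.338:632): avc: denied { write } for pid=7743 '
    'comm="java" name="recently_used" dev="dm-2" ino=21105647 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1369378848.852:617): avc: denied { getattr } for pid=14626 '
    'comm="java" path="/home/daniel/abc" dev="dm-2" ino=20447285 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'(?:(?:name|path)="(?P<obj>[^"]*)".*?)?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is what policy rules name.
    return {'perms': m.group('perms').split(), 'object': m.group('obj'),
            'stype': m.group('scon').split(':')[2],
            'ttype': m.group('tcon').split(':')[2], 'tclass': m.group('tclass')}

def allow_rule(d):
    """The rule audit2allow emits: it opens every file of that type, not just this one."""
    return 'allow %s %s:%s { %s };' % (d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))

def diagnose(d, plugin_type='mozilla_plugin_t', home_type='mozilla_home_t'):
    """Map a home-directory denial for the plugin domain to the label-based fix instead."""
    if d['stype'] != plugin_type or d['object'] is None:
        return 'not a %s denial on a named object' % plugin_type
    if d['ttype'] == 'user_home_dir_t':
        # Object sits directly in ~, so the plugin created it there: a file-name
        # transition makes it be born with the plugin's own home type.
        return 'filetrans: userdom_user_home_dir_filetrans(%s, %s, %s, "%s")' % (
            plugin_type, home_type, d['tclass'], os.path.basename(d['object']))
    if d['ttype'] == 'user_home_t':
        # Existing plugin-owned content carries the generic home label: relabel it
        # (chcon when matchpathcon shows the policy has no file context for the path).
        return 'relabel: restorecon -R -v <path>, or chcon -R -t %s <path>' % home_type
    return 'unhandled target type %s' % d['ttype']
```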