Bug 966419
Summary: | SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from 'name_bind' accesses on the tcp_socket . | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | antonio montagnani <antonio.montagnani> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 18 | CC: | daniel2196, dbhole, dominick.grift, dwalsh, lvrabec, mgrepl |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | i686 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:a9f2600f8124e018bc56316d1c087870ed1b1346491cbff861cfe3545d60c04c | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-10-25 12:10:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
antonio montagnani
2013-05-23 09:06:47 UTC
See also this bug (the two are connected): https://bugzilla.redhat.com/show_bug.cgi?id=966401

Try to execute

    # chcon -R -t mozilla_home_t /home/mgrepl/.icedtea

Try to execute

    # chcon -R -t mozilla_home_t /home/<USERNAME>/.icedtea

Now the page works (not sure if connected to any update) - I didn't apply your suggestion. When I open a page I get the usual warning from java if I allow to proceed: I say yes and I get a message from SELinux:

    SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from write access on the file /home/antonio/.icedtea/cache/recently_used.
    Plugin: catchall
    you want to allow java to have write access on the recently_used file
    If si crede che java dovrebbe avere possibilità di accesso write sui recently_used file in modo predefinito.
    Si dovrebbe riportare il problema come bug.
    E' possibile generare un modulo di politica locale per consentire questo accesso.
    Consentire questo accesso per il momento eseguendo:
    # grep java /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

As I can see the requested page, I didn't apply your suggestion.

If you upgrade to the latest version in koji, SELinux works fine.

I didn't try the version in koji, but experienced a nearly identical problem. The chcon command in comment 3 didn't work, but:

    # grep java /var/log/audit/audit.log | tail | audit2allow -M java-icedtea-fix
    # semodule -i java-icedtea-fix.pp

worked fine. Problem encountered using fc17.

    selinux-policy-targeted.noarch 3.10.0-169.fc17

Is this fixed in any updates of selinux for fc17?

FYI:

    # grep java audit.log | tail | audit2allow

    #============= mozilla_plugin_t ==============
    allow mozilla_plugin_t jboss_debug_port_t:tcp_socket name_bind;

Hi, I'm wondering if this problem is related at all? https://lists.fedoraproject.org/pipermail/users/2013-June/436161.html

I'm afraid I don't know much about SELinux. What is the status of this bug exactly?

The alert told you what you could do.

    If you want to use the plugin package
    Then you must turn off SELinux controls on the Firefox plugins.
    Do
    # setsebool unconfined_mozilla_plugin_transition 0
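
Added example, not part of the original bug report or of any Fedora tool: a Python reviewer for the `grep java ... | audit2allow -M` step used in the comments above. It parses AVC denial records and lists the allow rules a generated module would contain, so they can be read before `semodule -i`. The log records are constructed samples (the `user_home_t` file label, port and inode values are assumptions) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the bug report).
# The file label user_home_t and the port/inode numbers are assumptions for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1369300000.101:501): avc:  denied  { name_bind } for  pid=2101 comm="java" src=8787 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jboss_debug_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1369300000.101:501): arch=40000003 syscall=102 success=no exit=-13 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java"
type=AVC msg=audit(1369300004.220:502): avc:  denied  { write } for  pid=2101 comm="java" name="recently_used" dev="dm-2" ino=131 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1369300009.940:503): avc:  denied  { name_bind } for  pid=2188 comm="java" src=8787 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jboss_debug_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third colon-separated field) of a context."""
    return context.split(":")[2]

def proposed_rules(log_text, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # a plain `grep java` also matches SYSCALL records
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render(rules):
    """Format the rules the way audit2allow prints them, one per line."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(render(proposed_rules(SAMPLE_LOG, comm="java"))))
```

Repeated denials collapse into one rule, and every distinct rule is listed, so a module built from everything that matches `java` can be seen to cover more than the single `name_bind` denial this bug is about.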