Bug 982292
Summary: | SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java from 'getattr' accesses on the file /usr/sbin/crond. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rune Fossdal <man.rune> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:bd9f0ea09a12641b0d8ca8e89f858cbed1673ba36977275abe53f34b79dae809 | ||
Fixed In Version: | selinux-policy-3.12.1-63.fc19 | Doc Type: | Bug Fix |
Last Closed: | 2013-07-14 03:39:52 UTC | Type: | --- |
Description
Rune Fossdal
2013-07-08 15:24:57 UTC
Did anything actually break or just this AVC get created?

923c607e9a23cc8652c906c07d95f0cbd9735f09 allows this in git, since there is little reason to block it.

(In reply to Rune Fossdal from comment #0)
> Description of problem:
> I tried to log in to the Norwegian internet bank Sparebank1. It seems that SELinux stops the Java Applet.
> SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java from 'getattr' accesses on the file /usr/sbin/crond.
>
> ***** Plugin mozplugger (99.1 confidence) suggests *************************
>
> If you want to use the plugin package
> Then you must turn off SELinux controls on the Firefox plugins.
> Do
> # setsebool unconfined_mozilla_plugin_transition 0
>
> ***** Plugin catchall (1.81 confidence) suggests ***************************
>
> If you believe that java should be allowed getattr access on the crond file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep java /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context       unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
> Target Context       system_u:object_r:crond_exec_t:s0
> Target Objects       /usr/sbin/crond [ file ]
> Source               java
> Source Path          /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java
> Port                 <Ukjent>
> Host                 (removed)
> Source RPM Packages  java-1.7.0-openjdk-1.7.0.25-2.3.10.4.fc19.i686
> Target RPM Packages  cronie-1.4.10-5.fc19.i686
> Policy RPM           selinux-policy-3.12.1-59.fc19.noarch
> Selinux Enabled      True
> Policy Type          targeted
> Enforcing Mode       Enforcing
> Host Name            (removed)
> Platform             Linux (removed) 3.9.9-301.fc19.i686 #1 SMP Thu Jul 4 15:35:21 UTC 2013 i686 i686
> Alert Count          8
> First Seen           2013-07-06 10:45:11 CEST
> Last Seen            2013-07-08 17:09:45 CEST
> Local ID             0783d385-6216-4814-a265-47971d537a98
>
> Raw Audit Messages
> type=AVC msg=audit(1373296185.584:500): avc: denied { getattr } for pid=4626 comm="java" path="/usr/sbin/crond" dev="dm-1" ino=1976406 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_exec_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1373296185.584:500): arch=i386 syscall=stat64 success=no exit=EACCES a0=b2e53660 a1=b34b7d60 a2=497b6000 a3=b34b7d60 items=0 ppid=4510 pid=4626 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
>
> Hash: java,mozilla_plugin_t,crond_exec_t,file,getattr
>
> Additional info:
> reporter: libreport-2.1.5
> hashmarkername: setroubleshoot
> kernel: 3.9.9-301.fc19.i686
> type: libreport

Thanks for reply. I am a regular Linux and Fedora user but these things are unknown for me how to do. Can you explain in all the steps how to do this?
Best regards
Rune Fossdal

Please update to the latest policy and see if it works. You can also disable the protection by executing
    # setsebool unconfined_mozilla_plugin_transition 0
As root.

selinux-policy-3.12.1-63.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-63.fc19

Package selinux-policy-3.12.1-63.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-63.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12762/selinux-policy-3.12.1-63.fc19
then log in and leave karma (feedback).

(In reply to Fedora Update System from comment #5)
> Package selinux-policy-3.12.1-63.fc19:
> * should fix your issue,
> * was pushed to the Fedora 19 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-63.fc19'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2013-12762/selinux-policy-3.12.1-63.fc19
> then log in and leave karma (feedback).

Thank you for your help, this made it work!
Best regards
Rune Fossdal

selinux-policy-3.12.1-63.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to Rune Fossdal from comment #6)
> (In reply to Fedora Update System from comment #5)
> > Package selinux-policy-3.12.1-63.fc19:
> > * should fix your issue,
> > * was pushed to the Fedora 19 testing repository,
> > * should be available at your local mirror within two days.
> > Update it with:
> > # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-63.fc19'
> > as soon as you are able to.
> > Please go to the following url:
> > https://admin.fedoraproject.org/updates/FEDORA-2013-12762/selinux-policy-3.12.1-63.fc19
> > then log in and leave karma (feedback).
>
> Thank you for your help, this made it work!
> Best regards
> Rune Fossdal

But now it doesn't work again. A grey field appears where the applet should load.
Best regards
Rune Fossdal
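
The AVC record quoted in comment #0 reduces to one type-enforcement rule. The sketch below is an added example, not part of this bug thread and not audit2allow itself: it parses AVC denials and shows how limiting them to the reported target type yields a narrower local rule set than feeding every line that matches `grep java` into a module. The second log line and all function names are constructed for illustration.

```python
import re

# First record is the AVC from the report above (mail line-wrapping removed).
# The second is constructed for illustration: another java denial that the
# suggested `grep java | audit2allow` pipeline would also turn into a rule.
SAMPLE_LOG = [
    'type=AVC msg=audit(1373296185.584:500): avc: denied { getattr } for '
    'pid=4626 comm="java" path="/usr/sbin/crond" dev="dm-1" ino=1976406 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:crond_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1373296190.000:501): avc: denied { read open } for '
    'pid=4626 comm="java" path="/etc/shadow" dev="dm-1" ino=1 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

DENIAL = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = DENIAL.search(line)
    if m is None:
        return None
    rec = {key: quoted or bare for key, quoted, bare in FIELD.findall(m.group(2))}
    rec['perms'] = sorted(m.group(1).split())
    # A context is user:role:type[:range]; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def te_rule(rec):
    """Type-enforcement allow rule covering exactly this denial."""
    perms = rec['perms']
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {body};"

def rules_for(lines, ttype=None):
    """Rules for every denial in lines, optionally limited to one target type."""
    recs = [r for r in map(parse_avc, lines) if r]
    return sorted({te_rule(r) for r in recs if ttype in (None, r['ttype'])})

if __name__ == '__main__':
    print(rules_for(SAMPLE_LOG))                        # what a broad grep feeds in
    print(rules_for(SAMPLE_LOG, ttype='crond_exec_t'))  # only the reported denial
```

Reviewing the generated rules before loading a local module is what catches the second, unrelated rule here.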