Bug 982292

Did anything actually break or just this AVC get created.

923c607e9a23cc8652c906c07d95f0cbd9735f09 allows this in git, since there  is little reason to block it.

(In reply to Rune Fossdal from comment #0)
> Description of problem:
> I tried to log in to the Norwegian internet bank Sparebank1. It seems that
> SELinux stops the Java Applet.
> SELinux is preventing
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java from 'getattr'
> accesses on the file /usr/sbin/crond.
> 
> *****  Plugin mozplugger (99.1 confidence) suggests 
> *************************
> 
> If you want to use the plugin package
> Then you must turn off SELinux controls on the Firefox plugins.
> Do
> # setsebool unconfined_mozilla_plugin_transition 0
> 
> *****  Plugin catchall (1.81 confidence) suggests 
> ***************************
> 
> If you believe that java should be allowed getattr access on the crond file
> by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep java /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context               
> unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
>                               0.c1023
> Target Context                system_u:object_r:crond_exec_t:s0
> Target Objects                /usr/sbin/crond [ file ]
> Source                        java
> Source Path                  
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/
>                               bin/java
> Port                          <Ukjent>
> Host                          (removed)
> Source RPM Packages           java-1.7.0-openjdk-1.7.0.25-2.3.10.4.fc19.i686
> Target RPM Packages           cronie-1.4.10-5.fc19.i686
> Policy RPM                    selinux-policy-3.12.1-59.fc19.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux (removed) 3.9.9-301.fc19.i686 #1 SMP Thu
> Jul
>                               4 15:35:21 UTC 2013 i686 i686
> Alert Count                   8
> First Seen                    2013-07-06 10:45:11 CEST
> Last Seen                     2013-07-08 17:09:45 CEST
> Local ID                      0783d385-6216-4814-a265-47971d537a98
> 
> Raw Audit Messages
> type=AVC msg=audit(1373296185.584:500): avc:  denied  { getattr } for 
> pid=4626 comm="java" path="/usr/sbin/crond" dev="dm-1" ino=1976406
> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:crond_exec_t:s0 tclass=file
> 
> 
> type=SYSCALL msg=audit(1373296185.584:500): arch=i386 syscall=stat64
> success=no exit=EACCES a0=b2e53660 a1=b34b7d60 a2=497b6000 a3=b34b7d60
> items=0 ppid=4510 pid=4626 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java
> exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java
> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: java,mozilla_plugin_t,crond_exec_t,file,getattr
> 
> Additional info:
> reporter:       libreport-2.1.5
> hashmarkername: setroubleshoot
> kernel:         3.9.9-301.fc19.i686
> type:           libreport

Thanks for reply.
I am a regular Linux and Fedora user but these things are unknown for me how to do. Can you explain in all the steps how to do this?
Best regards
Rune Fossdal

Please update to the latest policy and see if it works.

You can also disable the protection by executing

# setsebool unconfined_mozilla_plugin_transition 0

As root.

selinux-policy-3.12.1-63.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-63.fc19

Package selinux-policy-3.12.1-63.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-63.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12762/selinux-policy-3.12.1-63.fc19
then log in and leave karma (feedback).

(In reply to Fedora Update System from comment #5)
> Package selinux-policy-3.12.1-63.fc19:
> * should fix your issue,
> * was pushed to the Fedora 19 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing
> selinux-policy-3.12.1-63.fc19'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2013-12762/selinux-policy-3.
> 12.1-63.fc19
> then log in and leave karma (feedback).

Thank you for your help, this made it work!
Best regards
Rune Fossdal

selinux-policy-3.12.1-63.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

(In reply to Rune Fossdal from comment #6)
> (In reply to Fedora Update System from comment #5)
> > Package selinux-policy-3.12.1-63.fc19:
> > * should fix your issue,
> > * was pushed to the Fedora 19 testing repository,
> > * should be available at your local mirror within two days.
> > Update it with:
> > # su -c 'yum update --enablerepo=updates-testing
> > selinux-policy-3.12.1-63.fc19'
> > as soon as you are able to.
> > Please go to the following url:
> > https://admin.fedoraproject.org/updates/FEDORA-2013-12762/selinux-policy-3.
> > 12.1-63.fc19
> > then log in and leave karma (feedback).
> 
> Thank you for your help, this made it work!
> Best regards
> Rune Fossdal

But now it doesn't work again. A grey field appears where the applet should load.
Best regards
Rune Fossdal