Description of problem:
I don't know which component I should be reporting, but it took me 3 semodule's to get my applet to run.
It's http://collabrium.cs3-inc.com:8300/correlator
    SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file customize.jar.info.temp.
    SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from setattr access on the file customize.jar.info.temp
    SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from rename access on the file customize.jar.info.temp.
I don't understand this stuff well enough to know what ought to be allowed or what java should be doing, but I don't think this applet is trying to do anything unusual or dangerous here, so I suspect that what the applet is trying to do should be allowed and it's either the policy or the java vm that should be adjusted.
Could you attach AVC msgs?
not quite sure what you want to see ...
SETroubleShoot Details Window contents?
    SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file customize.jar.info.temp.
    ***** Plugin catchall (100. confidence) suggests ***************************
    If you believe that java should be allowed create access on the customize.jar.info.temp file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep java /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
    Additional Information:
    Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
    Target Context                unconfined_u:object_r:user_home_t:s0
    Target Objects                customize.jar.info.temp [ file ]
    Source                        java
    Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java
    Port                          <Unknown>
    Host                          number13.don-eve
    Source RPM Packages           java-1.7.0-openjdk-1.7.0.25-2.3.12.1.fc17.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.10.0-170.fc17.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     number13.don-eve
    Platform                      Linux number13.don-eve 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 x86_64
    Alert Count                   49
    First Seen                    2013-10-31 11:32:56 PDT
    Last Seen                     2013-11-20 11:48:27 PST
    Local ID                      51bd2258-b2c0-4998-ae47-7873de6f34ff
    Raw Audit Messages
    type=AVC msg=audit(1384976907.734:2502): avc: denied { create } for pid=13068 comm="java" name="customize.jar.info.temp" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
    type=SYSCALL msg=audit(1384976907.734:2502): arch=x86_64 syscall=open success=no exit=EACCES a0=7f76d01843e0 a1=c2 a2=1b6 a3=51 items=0 ppid=13010 pid=13068 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
    Hash: java,mozilla_plugin_t,user_home_t,file,create
    audit2allow
    #============= mozilla_plugin_t ==============
    #!!!! This avc is allowed in the current policy
    allow mozilla_plugin_t user_home_t:file create;
    audit2allow -R
    #============= mozilla_plugin_t ==============
    #!!!! This avc is allowed in the current policy
    allow mozilla_plugin_t user_home_t:file create;
Or /var/log/messages? There are a bunch like this:
    Nov 20 10:49:06 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info.temp. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:06 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:06 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info.temp. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:07 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info.temp. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:07 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info.temp. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:07 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info.temp. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:07 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
    Nov 20 10:49:07 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from create access on the file de-grapher6.jar.info.temp. For complete SELinux messages. run sealert -l 51bd2258-b2c0-4998-ae47-7873de6f34ff
Then there are some things like this:
    Nov 20 11:52:30 number13 setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from setattr access on the file customize.jar.info.temp. For complete SELinux messages. run sealert -l 503b8035-3c45-4a4d-9d61-40511271b36a
    Nov 20 11:55:39 number13 kernel: [1171381.056365] SELinux: Permission wake_alarm in class capability2 not defined in policy.
    Nov 20 11:55:39 number13 kernel: [1171381.056370] SELinux: Permission block_suspend in class capability2 not defined in policy.
    Nov 20 11:55:39 number13 kernel: [1171381.056375] SELinux: Permission attach_queue in class tun_socket not defined in policy.
    Nov 20 11:55:39 number13 kernel: [1171381.056377] SELinux: the above unknown classes and permissions will be allowed
    Nov 20 11:55:41 number13 dbus[1263]: avc: received policyload notice (seqno=3)
    Nov 20 11:55:41 number13 dbus[873]: avc: received policyload notice (seqno=3)
    Nov 20 11:55:41 number13 dbus[873]: [system] Reloaded configuration
    Nov 20 11:55:41 number13 dbus-daemon[873]: dbus[873]: avc: received policyload notice (seqno=3)
    Nov 20 11:55:41 number13 dbus-daemon[873]: dbus[873]: [system] Reloaded configuration
If you want something else tell me how to get it.
Do you know where customize.jar.info.temp is located?
never heard of it, but ...
    $ locate customize.jar.info
    /home/don/.icedtea/cache/165/http/collabrium.cs3-inc.com/customize.jar.info.temp
    /home/don/.icedtea/cache/166/http/collabrium.cs3-inc.com/customize.jar.info.temp
    /home/don/.icedtea/cache/167/http/collabrium.cs3-inc.com/customize.jar.info
    /home/don/.icedtea/cache/168/http/collabrium.cs3-inc.com/customize.jar.info
    restorecon -R -v /home
Should fix the labeling to eliminate this issue.
So you think that everyone who runs java should have to do this? Do they have to do it every time they restart the computer? I thought the object was to get the settings right so they do not have to do this.
Now that I look at man restorecon I gather that you think the defaults were right but I managed to change some selinux data somehow? I'm not aware of anything I did (other than react as suggested by setroubleshoot) that might have done that. Any idea how it might have happened or how to prevent it in other installations or in the future?
No, I think somehow we got your homedir mislabeled during an update.
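For triage of a report like this one, the following added example (not part of the original thread, and not code from setroubleshoot or audit2allow) parses raw AVC records and groups the denied permissions by source type, target type and object class. The create record is the one quoted in the thread; the setattr and rename records are constructed from the messages the reporter describes, with placeholder audit ids.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type:range; the type is always the third field,
    # even when the MLS range itself contains ':' (s0-s0:c0.c1023).
    type_of = lambda ctx: ctx.split(':')[2]
    return {
        'perms': m.group('perms').split(),
        'name': fields.get('name'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def summarize(lines):
    """Map (source type, target type, class) -> denied perms and object names."""
    groups = defaultdict(lambda: {'perms': set(), 'names': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            groups[key]['perms'].update(rec['perms'])
            groups[key]['names'].add(rec['name'])
    return dict(groups)

# Contexts as they appear in the thread's raw audit message.
CTX = ('scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')
SAMPLE = [
    # Quoted in the thread:
    'type=AVC msg=audit(1384976907.734:2502): avc: denied { create } for '
    'pid=13068 comm="java" name="customize.jar.info.temp" ' + CTX,
    # Constructed (placeholder audit ids), matching the setattr/rename alerts:
    'type=AVC msg=audit(0.000:1): avc: denied { setattr } for '
    'pid=13068 comm="java" name="customize.jar.info.temp" ' + CTX,
    'type=AVC msg=audit(0.000:2): avc: denied { rename } for '
    'pid=13068 comm="java" name="customize.jar.info.temp" ' + CTX,
    'type=SYSCALL msg=audit(1384976907.734:2502): arch=x86_64 syscall=open success=no exit=EACCES',
]

if __name__ == '__main__':
    for key, info in summarize(SAMPLE).items():
        print(key, sorted(info['perms']), sorted(info['names']))
```

All three denials collapse to one (mozilla_plugin_t, user_home_t, file) group, which is consistent with the mislabeled-cache diagnosis given in the thread.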