Bug 147646 - Java plugin denials
Summary: Java plugin denials
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Assignee: Daniel Walsh
Reported: 2005-02-10 00:40 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:11 UTC (History)
Last Closed: 2005-02-20 12:49:16 UTC

Description Ivan Gyurdiev 2005-02-10 00:40:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Filing bug to keep track of this issue:

I still get Java denials because I don't think you're
labeling the right thing. On my system I have


Those are provided by the jpackage java SRPM.

I don't know if this is intentional or not, but the regexp covers
only the last two, and I still get denials:

audit(1107901873.079:0): avc:  denied  { execute } for  pid=5779
comm=java path=/etc/ld.so.cache dev=dm-0 ino=667980
scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t

audit(1107901873.080:0): avc:  denied  { execmod } for  pid=5779
comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113702
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t

audit(1107901873.080:0): avc:  denied  { execmod } for  pid=5779
comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630
scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t

audit(1107901873.653:0): avc:  denied  { execute } for  pid=5779
comm=java path=/usr/lib/locale/locale-archive dev=dm-0 ino=1029913
scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:

Comment 1 Daniel Walsh 2005-02-10 14:59:06 UTC
Did today's policy relabel java correctly?


Comment 2 Ivan Gyurdiev 2005-02-10 17:20:56 UTC
Yeah I saw it relabel. It changed everything from javap to javac to java 
in several directories. What are the consequences of this for running
other java programs, or compiling java programs, or doing javap?


But see, the curious thing is - java runs under user_t.
I had not noticed this before since I wasn't paying attention - thought
it looked like user_mozilla_t, but now I see this isn't so.
Given that, it's not surprising I still get denials, because 
the transition is from mozilla_t to java_t, not from user_t to java_t.

I get a pair of those every time I start firefox. 

audit(1108055774.690:0): avc:  denied  { execute } for  pid=12018 comm=java
path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t
tcontext=root:object_r:ld_so_cache_t tclass=file

audit(1108055774.692:0): avc:  denied  { execmod } for  pid=12018 comm=java
path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file

Comment 3 Ivan Gyurdiev 2005-02-20 12:49:16 UTC
Ok closing this bug, since it contains inaccurate information.
Java does transition properly - the denials above are for something else.

I do get all kinds of other denials with the user_mozilla_java_t type,
but I can send patches for those. 
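
For triaging records like the ones quoted in Comment 2, the sketch below rejoins the line-wrapped AVC records and groups the denials by source domain type and command, the field the discussion turns on. It is an added example, not part of the original bug report or of selinux-policy; the function names are hypothetical, and the parser assumes the `audit(...): avc:` record layout shown in this report.

```python
import re
from collections import defaultdict

# The two records from Comment 2, line-wrapped as they appear in the report.
SAMPLE = """\
audit(1108055774.690:0): avc:  denied  { execute } for  pid=12018 comm=java
path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t
tcontext=root:object_r:ld_so_cache_t tclass=file

audit(1108055774.692:0): avc:  denied  { execmod } for  pid=12018 comm=java
path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
"""

HEAD = re.compile(r"audit\([\d.]+:\d+\):\s+avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV = re.compile(r"(\w+)=(\S+)")

def unwrap(text):
    """Join continuation lines so that each AVC record is one logical line."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("audit("):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def parse(record):
    """Return the record's fields as a dict, or None if it is not an AVC denial."""
    m = HEAD.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    for key in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the type is what policy rules match on.
        parts = fields.get(key, "").split(":")
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields

def by_source_domain(text):
    """Map (source type, comm) -> sorted [(permission, target type, path), ...]."""
    groups = defaultdict(set)
    for f in filter(None, map(parse, unwrap(text))):
        key = (f["scontext_type"], f.get("comm"))
        groups[key].update((p, f["tcontext_type"], f.get("path")) for p in f["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    print(by_source_domain(SAMPLE))
```

Both sample records land under `("user_t", "java")`, so the source domain of the denied process is visible at a glance before any policy rule is written.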
