Bug 147646 - Java plugin denials
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-02-09 19:40 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-02-20 07:49:16 EST
Description Ivan Gyurdiev 2005-02-09 19:40:50 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Filing bug to keep track of this issue:
========================================

I still get Java denials because I don't think you're
labeling the right thing. On my system I have

/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/bin/java
/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/java
/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/java_vm
/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/javaws

Those are provided by the jpackage java SRPM.

I don't know if this is intentional or not, but the regexp covers
only the last two, and I still get denials:

audit(1107901873.079:0): avc:  denied  { execute } for  pid=5779
comm=java path=/etc/ld.so.cache dev=dm-0 ino=667980
scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t
tclass=file

audit(1107901873.080:0): avc:  denied  { execmod } for  pid=5779
comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113702
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file

audit(1107901873.080:0): avc:  denied  { execmod } for  pid=5779
comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630
scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t
tclass=file

audit(1107901873.653:0): avc:  denied  { execute } for  pid=5779
comm=java path=/usr/lib/locale/locale-archive dev=dm-0 ino=1029913
scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t
tclass=file



Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.11-2

How reproducible:
Didn't try

Steps to Reproduce:
  

Additional info:
Comment 1 Daniel Walsh 2005-02-10 09:59:06 EST
Did today's policy relabel java correctly?

selinux-policy-strict-1.21.11-3
Comment 2 Ivan Gyurdiev 2005-02-10 12:20:56 EST
Yeah I saw it relabel. It changed everything from javap to javac to java 
in several directories. What are the consequences of this for running
other java programs, or compiling java programs, or doing javap?

============

But see, the curious thing is - java runs under user_t.
I had not noticed this before since I wasn't paying attention - thought
it looked like user_mozilla_t, but now I see this isn't so.
Given that, it's not surprising I still get denials, because 
the transition is from mozilla_t to java_t, not from user_t to java_t.

I get a pair of those every time I start firefox. 

audit(1108055774.690:0): avc:  denied  { execute } for  pid=12018 comm=java
path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t
tcontext=root:object_r:ld_so_cache_t tclass=file

audit(1108055774.692:0): avc:  denied  { execmod } for  pid=12018 comm=java
path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
Comment 3 Ivan Gyurdiev 2005-02-20 07:49:16 EST
Ok closing this bug, since it contains inaccurate information.
Java does transition properly - the denials above are for something else.

I do get all kinds of other denials with the user_mozilla_java_t type,
but I can send patches for those. 
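
A small parser for the AVC records quoted in this thread, added here as an example (not code from the reporter or from the selinux-policy project): it extracts the source type of each denial, so a `comm=java` process running as `user_t` rather than a Java domain stands out, which is the observation made in comment 2. The function names and the set of expected domain types are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the two records from comment 2, wrapped as on the page.
SAMPLE = """
audit(1108055774.690:0): avc:  denied  { execute } for  pid=12018 comm=java
path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t
tcontext=root:object_r:ld_so_cache_t tclass=file

audit(1108055774.692:0): avc:  denied  { execmod } for  pid=12018 comm=java
path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC denial, tolerating records wrapped over lines."""
    records = []
    # Split before each "audit(" so a wrapped record is rejoined into one string.
    for chunk in re.split(r"(?=audit\()", text):
        m = AVC_RE.search(" ".join(chunk.split()))
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        rec["perms"] = m.group(1).split()
        # An SELinux context is user:role:type[:level]; the type is field 3.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def outside_domain(records, comm, expected_types):
    """Group denials for `comm` whose source type is not an expected domain."""
    found = defaultdict(list)
    for rec in records:
        if rec.get("comm") == comm and rec["stype"] not in expected_types:
            found[rec["stype"]].append((rec["perms"], rec["ttype"], rec.get("path")))
    return dict(found)


if __name__ == "__main__":
    # Assumption: the plugin should run as one of these types.
    expected = {"java_t", "user_mozilla_java_t"}
    for stype, hits in outside_domain(parse_avc(SAMPLE), "java", expected).items():
        print(f"comm=java denied while running as {stype}: {hits}")
```

An empty result means every denial for that command came from an expected domain, so the remaining work is policy rules for that domain rather than the file labels or the transition.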

