Red Hat Bugzilla – Bug 147646
Java plugin denials
Last modified: 2007-11-30 17:11:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Filing bug to keep track of this issue:
========================================
I still get Java denials because I don't think you're labeling the right thing. On my system I have

/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/bin/java
/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/java
/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/java_vm
/usr/lib/jvm/java-1.5.0_01-sun-1.5.0_01/jre/bin/javaws

Those are provided by the jpackage java SRPM. I don't know if this is intentional or not, but the regexp covers only the last two, and I still get denials:

audit(1107901873.079:0): avc: denied { execute } for pid=5779 comm=java path=/etc/ld.so.cache dev=dm-0 ino=667980 scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1107901873.080:0): avc: denied { execmod } for pid=5779 comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113702 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1107901873.080:0): avc: denied { execmod } for pid=5779 comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630 scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t tclass=file
audit(1107901873.653:0): avc: denied { execute } for pid=5779 comm=java path=/usr/lib/locale/locale-archive dev=dm-0 ino=1029913 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.11-2

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:
Did today's policy relabel java correctly? selinux-policy-strict-1.21.11-3
Yeah I saw it relabel. It changed everything from javap to javac to java in several directories. What are the consequences of this for running other java programs, or compiling java programs, or doing javap?

============

But see, the curious thing is - java runs under user_t. I had not noticed this before since I wasn't paying attention - thought it looked like user_mozilla_t, but now I see this isn't so. Given that, it's not surprising I still get denials, because the transition is from mozilla_t to java_t, not from user_t to java_t. I get a pair of those every time I start firefox.

audit(1108055774.690:0): avc: denied { execute } for pid=12018 comm=java path=/etc/ld.so.cache dev=dm-0 ino=665563 scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1108055774.692:0): avc: denied { execmod } for pid=12018 comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113726 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t tclass=file
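The two comments above reason about the AVC lines by reading off the source type (scontext), the target type (tcontext) and the denied permission by hand. The following is an added example, not part of this bug report or of the selinux-policy package: a small Python parser for AVC denial lines of this format that extracts those fields, tallies which (source type, target type, class, permission) tuples are being denied, and flags records where a given command runs in a domain other than the one the policy is expected to transition it into. The sample input is the four AVC lines quoted in the first comment; the expected domain name passed to check_domain (java_t) is taken from the second comment and is only an illustration, since the third comment concludes the transition itself was not the problem.

```python
import re
from collections import Counter

# Sample input: the AVC denial lines quoted verbatim in the first comment of this bug.
SAMPLE_AVC = """\
audit(1107901873.079:0): avc: denied { execute } for pid=5779 comm=java path=/etc/ld.so.cache dev=dm-0 ino=667980 scontext=user_u:user_r:user_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1107901873.080:0): avc: denied { execmod } for pid=5779 comm=java path=/lib/libc-2.3.4.so dev=dm-0 ino=113702 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1107901873.080:0): avc: denied { execmod } for pid=5779 comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630 scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t tclass=file
audit(1107901873.653:0): avc: denied { execute } for pid=5779 comm=java path=/usr/lib/locale/locale-archive dev=dm-0 ino=1029913 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type[:level]; the type is what policy rules key on.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def parse_avc_log(text):
    """Parse every AVC line in a block of audit output, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def check_domain(records, comm, expected_type):
    """Records where process `comm` is running outside the domain it should have
    transitioned into (e.g. java still in user_t instead of the hypothetical java_t)."""
    return [r for r in records
            if r.get("comm") == comm and r["scontext_type"] != expected_type]


def summarize(records):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["scontext_type"], r["tcontext_type"], r.get("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_AVC)
    for key, n in sorted(summarize(recs).items()):
        print("%-10s -> %-16s %-5s %-8s x%d" % (key + (n,)))
    for r in check_domain(recs, "java", "java_t"):
        print("comm=%s pid=%s runs as %s, expected java_t" % (r["comm"], r["pid"], r["scontext_type"]))
```

The summary groups the four lines into one execute denial on ld_so_cache_t, one on locale_t, and one execmod denial each on shlib_t and ld_so_t, all from user_t; the domain check lists every record because comm=java is still in user_t, which is exactly what the second comment noticed by eye.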
Ok closing this bug, since it contains inaccurate information. Java does transition properly - the denials above are for something else. I do get all kinds of other denials with the user_mozilla_java_t type, but I can send patches for those.