Bug 187442 - New selinux update breaks netbeans profiler and java 1.6.0 beta
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-30 17:12 EST by Mario Torre
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:01:32 EDT

Attachments:
Screenshot of netbeans error message (299.39 KB, image/png), 2006-03-30 17:12 EST, Mario Torre

Description Mario Torre 2006-03-30 17:12:57 EST
Description of problem:
New selinux update breaks netbeans profiler and java 1.6.0 beta.

I'm not sure if the problem is in selinux-policy or not, but it surely is selinux related.

On startup netbeans (with java 1.5.0_06) complains about an Unsatisfied Link (I
have attached a screen shot for this), the application seems to run fine (and
sun jvm also has no problem, afaik, but profiler support in netbeans is
disabled). /var/log/messages is difficult to follow here, as netbeans produces a
lot of output, but this should be the relevant line:

Mar 30 23:59:40 nirvana kernel: audit(1143755980.603:711): avc:  denied  { execmod } for  pid=2888 comm="java" name="libclient.so" dev=hda5 ino=297965 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

The same applies when I try java 6 beta:

[root@nirvana neugens]# /opt/jdk1.6.0/bin/java -version
dl failure on line 685
Error: failed /opt/jdk1.6.0/jre/lib/i386/client/libjvm.so, because /opt/jdk1.6.0/jre/lib/i386/client/libjvm.so: cannot restore segment prot after reloc: Permission denied

[root@nirvana neugens]# tail -f /var/log/messages
Mar 31 00:08:30 nirvana kernel: audit(1143756510.947:1027): avc:  denied  { execmod } for  pid=3021 comm="java" name="libjvm.so" dev=hda5 ino=199223 scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file

I'm not an expert in selinux, so I'm trying to understand policies to fix this
by myself. Anyway, when I turn off selinux everything goes well.

Please, note that everything was fine before the last update.

Version-Release number of selected component (if applicable):

[root@nirvana neugens]# rpm -qa|grep selinux
libselinux-python-1.30-1.fc5
libselinux-1.30-1.fc5
selinux-policy-2.2.25-2.fc5
libselinux-devel-1.30-1.fc5
selinux-policy-targeted-2.2.25-2.fc5


How reproducible:
Always

Steps to Reproduce:
1. just run netbeans with profiler (or java 6 beta)
Actual results:
netbeans profiler is disabled, java 6 beta does not run at all

Expected results:
netbeans and java 6 beta should run without problems.

Additional info:
attached screenshot to see the error on netbeans, the error is a bit misleading,
as it refers to an unsatisfied link, but all files are where they should be.
Comment 1 Mario Torre 2006-03-30 17:12:58 EST
Created attachment 127078
Screenshot of netbeans error message
Comment 2 Mario Torre 2006-03-30 17:26:54 EST
I found a workaround, maybe of some help for others with this problem until a
suitable update is released (if any).

The workaround came from this site:

http://www.rsinc.com/services/techtip.asp?ttid=3092

Simply changing the security context for java 6 and netbeans profiler works (I
don't know if there are security implications here, but this is better than
totally disabling selinux, I think):

chcon -t texrel_shlib_t /opt/jdk1.6.0/jre/lib/i386/client/*so
chcon -t texrel_shlib_t /opt/netbeans-5.0/profiler1/lib/deployed/jdk15/linux/*so
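
An added example, not part of the original report or of the selinux-policy project: a small Python parser for the AVC lines quoted in the description, listing which files hit an execmod denial and are therefore the candidates for the relabel used in the workaround. The first two sample lines are the report's own denials unwrapped to one line each, the third is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two denials from the report, unwrapped to one line each,
# plus a third, constructed, non-execmod denial as a negative case.
SAMPLE_LOG = """\
Mar 30 23:59:40 nirvana kernel: audit(1143755980.603:711): avc:  denied  { execmod } for  pid=2888 comm="java" name="libclient.so" dev=hda5 ino=297965 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 31 00:08:30 nirvana kernel: audit(1143756510.947:1027): avc:  denied  { execmod } for  pid=3021 comm="java" name="libjvm.so" dev=hda5 ino=199223 scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
Mar 31 00:09:02 nirvana kernel: audit(1143756542.100:1030): avc:  denied  { read } for  pid=3040 comm="httpd" name="index.html" dev=hda5 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type[:mls-range]; the range can contain ':' itself
    # (s0-s0:c0.c255 in the second denial), so split at most three times.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def execmod_report(log_text):
    """Map (target type, file name) -> inodes for every execmod denial on a file."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and "execmod" in rec["perms"]
                and rec.get("tclass") == "file" and "ino" in rec):
            hits[(rec["tcontext_type"], rec.get("name", "?"))].add(int(rec["ino"]))
    return dict(hits)


if __name__ == "__main__":
    # The record carries only a basename and inode; the inode plus dev= is what
    # identifies the file on disk (for example with find -inum on that filesystem).
    for (ttype, name), inodes in sorted(execmod_report(SAMPLE_LOG).items()):
        print(f"execmod denied on {name} (type {ttype}), inode(s) {sorted(inodes)}")
```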
Comment 3 Gustavo Maciel Dias Vieira 2006-04-04 13:18:44 EDT
I'm experiencing the same problem here. I'm using the j2re package from Dag
(http://dag.wieers.com/apt/) and getting the following exception:

Exception in thread "main" java.lang.UnsatisfiedLinkError: /usr/lib/jre/lib/i386/libawt.so: /usr/lib/jre/lib/i386/libawt.so: cannot restore segment prot after reloc: Permission denied

Until I applied the recent selinux update, everything was working fine, so I
believe this is the same problem.
Comment 6 Daniel Walsh 2006-05-09 16:51:08 EDT
Fixed in selinux-policy-2.2.38-2 in rawhide. Will be updated in FC5 next week.

Comment 7 Daniel Walsh 2007-03-28 16:01:32 EDT
Closing bugs
