Bug 187442 - New selinux update breaks netbeans profiler and java 1.6.0 beta
Summary: New selinux update breaks netbeans profiler and java 1.6.0 beta
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-03-30 22:12 UTC by Mario Torre
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-28 20:01:32 UTC
Type: ---
Embargoed:


Attachments
Screenshot of netbeans error message (299.39 KB, image/png)
2006-03-30 22:12 UTC, Mario Torre

Description Mario Torre 2006-03-30 22:12:57 UTC
Description of problem:
New selinux update breaks netbeans profiler and java 1.6.0 beta.

I'm not sure if the problem is in selinux-policy or not, but it sure is selinux related.

On startup netbeans (with java 1.5.0_06) complains about an Unsatisfied Link (I
have attached a screen shot for this), the application seems to run fine (and
sun jvm also has no problem, afaik, but profiler support in netbeans is
disabled). /var/log/messages is difficult to follow here, as netbeans produces a
lot of output, but this should be the relevant line:

Mar 30 23:59:40 nirvana kernel: audit(1143755980.603:711): avc:  denied  { execmod } for  pid=2888 comm="java" name="libclient.so" dev=hda5 ino=297965 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

The same applies when I try java 6 beta:

[root@nirvana neugens]# /opt/jdk1.6.0/bin/java -version
dl failure on line 685Error: failed /opt/jdk1.6.0/jre/lib/i386/client/libjvm.so, because /opt/jdk1.6.0/jre/lib/i386/client/libjvm.so: cannot restore segment prot after reloc: Permission denied

[root@nirvana neugens]# tail -f /var/log/messages
Mar 31 00:08:30 nirvana kernel: audit(1143756510.947:1027): avc:  denied  { execmod } for  pid=3021 comm="java" name="libjvm.so" dev=hda5 ino=199223 scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file

I'm not an expert in selinux, so I'm trying to understand policies to fix this
by myself. Anyway, when I turn off selinux everything goes well.

Please, note that everything was fine before the last update.

Version-Release number of selected component (if applicable):

[root@nirvana neugens]# rpm -qa|grep selinux
libselinux-python-1.30-1.fc5
libselinux-1.30-1.fc5
selinux-policy-2.2.25-2.fc5
libselinux-devel-1.30-1.fc5
selinux-policy-targeted-2.2.25-2.fc5


How reproducible:
Always

Steps to Reproduce:
1. just run netbeans with profiler (or java 6 beta)
Actual results:
netbeans profiler is disabled, java 6 beta does not run at all

Expected results:
netbeans and java 6 beta should run without problems.

Additional info:
attached screenshot to see the error on netbeans, the error is a bit misleading,
as it refers to an unsatisfied link, but all files are where they should be.

Comment 1 Mario Torre 2006-03-30 22:12:58 UTC
Created attachment 127078
Screenshot of netbeans error message

Comment 2 Mario Torre 2006-03-30 22:26:54 UTC
I found a workaround, maybe of some help for others with this problem until a
suitable update is released (if any).

The workaround came from this site:

http://www.rsinc.com/services/techtip.asp?ttid=3092

Simply changing the security context for java 6 and netbeans profiler works (I
don't know if there are security implications here, but this is better than
totally disabling selinux, I think):

chcon -t texrel_shlib_t /opt/jdk1.6.0/jre/lib/i386/client/*so
chcon -t texrel_shlib_t /opt/netbeans-5.0/profiler1/lib/deployed/jdk15/linux/*so


Comment 3 Gustavo Maciel Dias Vieira 2006-04-04 17:18:44 UTC
I'm experiencing the same problem here. I'm using the j2re package from Dag
(http://dag.wieers.com/apt/) and getting the following exception:

Exception in thread "main" java.lang.UnsatisfiedLinkError: /usr/lib/jre/lib/i386/libawt.so: /usr/lib/jre/lib/i386/libawt.so: cannot restore segment prot after reloc: Permission denied

Until I applied the recent selinux update, everything was working fine, so I
believe this is the same problem.


Comment 6 Daniel Walsh 2006-05-09 20:51:08 UTC
Fixed in selinux-policy-2.2.38-2 in rawhide.  Will be updated in FC5 next week.



Comment 7 Daniel Walsh 2007-03-28 20:01:32 UTC
Closing bugs


