Bug 316041 - SELinux alert when browsing to an applet page
SELinux alert when browsing to an applet page
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-02 16:24 EDT by Thomas Fitzsimmons
Modified: 2007-11-30 17:12 EST (History)
3 users (show)

See Also:
Fixed In Version: 3.0.8-24.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-29 15:56:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
stdout/stderr of firefox trying to reproduce the bug with http://www4.passur.com/bos.html (12.81 KB, text/plain)
2007-10-02 17:21 EDT, Matěj Cepl
no flags Details
output of setroubleshooter (2.28 KB, text/plain)
2007-10-16 09:42 EDT, Matěj Cepl
no flags Details
/var/log/audit/audit.log (1.09 MB, text/plain)
2007-10-16 09:48 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Thomas Fitzsimmons 2007-10-02 16:24:36 EDT
I'm seeing this alert on Rawhide, when loading any applet in Firefox through
java-1.7.0-icedtea-plugin:

Summary
    SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "use" to /SYSV00000000
    (deleted) (java_t).

Detailed Description
    SELinux denied access requested by /usr/bin/Xorg. It is not expected that
    this access is required by /usr/bin/Xorg and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:xdm_xserver_t:SystemLow-
                              SystemHigh
Target Context                system_u:system_r:java_t
Target Objects                /SYSV00000000 (deleted) [ fd ]
Affected RPM Packages         xorg-x11-server-Xorg-1.3.0.0-24.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.20-2925.9.fc7xen
                              #1 SMP Tue May 22 08:53:03 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Tue 02 Oct 2007 02:29:38 PM EDT
Last Seen                     Tue 02 Oct 2007 04:16:14 PM EDT
Local ID                      873e6377-72a0-459e-b4ff-9c2890c04b3e
Line Numbers                  

Raw Audit Messages            

avc: denied { use } for comm=X dev=tmpfs egid=0 euid=0 exe=/usr/bin/Xorg
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=SYSV00000000
path=2F535953563030303030303030202864656C6574656429 pid=2319
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fd
tcontext=system_u:system_r:java_t:s0 tty=tty7 uid=0

Steps to reproduce:

On a Rawhide machine:

1. install java-1.7.0-icedtea-plugin
2. start Firefox
3. browse to any applet-containing web page, e.g.: http://thisiscool.com/
Comment 1 Matěj Cepl 2007-10-02 17:21:03 EDT
Created attachment 214051 [details]
stdout/stderr of firefox trying to reproduce the bug with http://www4.passur.com/bos.html

We are not sure, whether this is a java problem or selinux problem, but if it
really means, that SELinux wants to deny something to xorg server, than it is
probably a problem of policy, because (according to ajax) "pretty much anything
an xdm_xserver_t process wants to do ought to be allowed by the policy".

Moreover, when trying to reproduce the bug with Rawhide (in kvm-guest), it
didn't work. Apparently not because of selinux -- see attached. BTW, the very
same URL works for me without a problem with F7 and
java-1.7.0-icedtea-plugin-1.7.0.0-0.14.b18.snapshot.fc8
Comment 2 Thomas Fitzsimmons 2007-10-02 17:36:54 EDT
(In reply to comment #1)
> Created an attachment (id=214051) [edit]
> stdout/stderr of firefox trying to reproduce the bug with
> http://www4.passur.com/bos.html
> 
> We are not sure, whether this is a java problem or selinux problem, but if it
> really means, that SELinux wants to deny something to xorg server, than it is
> probably a problem of policy, because (according to ajax) "pretty much anything
> an xdm_xserver_t process wants to do ought to be allowed by the policy".
> 
> Moreover, when trying to reproduce the bug with Rawhide (in kvm-guest), it
> didn't work. Apparently not because of selinux -- see attached.

You'll see this error running any applet that accesses timezone data.  It is
currently being addressed:

https://bugzilla.redhat.com/show_bug.cgi?id=314211

In the meantime, browsing to the example URL I gave should reproduce the SELinux
alert:

http://thisiscool.com/

> BTW, the very
> same URL works for me without a problem with F7 and
> java-1.7.0-icedtea-plugin-1.7.0.0-0.14.b18.snapshot.fc8

You mean http://www4.passur.com/bos.html in reference to the user.zoneinfo.dir
issue?  Or http://thisiscool.com/ in reference to the SELinux issue?
Comment 3 Daniel Walsh 2007-10-03 12:13:23 EDT
Fixed in selinux-policy-3.0.8-17.fc8
Comment 4 Matěj Cepl 2007-10-16 09:42:28 EDT
Created attachment 228741 [details]
output of setroubleshooter

Actually, this may really has absolutely nothing to do with java -- I got the
same problem with SELinux just when starting pup.
Comment 5 Matěj Cepl 2007-10-16 09:48:13 EDT
Created attachment 228751 [details]
/var/log/audit/audit.log
Comment 6 Daniel Walsh 2007-10-17 00:00:34 EDT
Fixed in selinux-policy-3.0.8-24.fc8
Comment 7 Thomas Fitzsimmons 2007-11-29 15:56:29 EST
Fixed in Fedora 8.

Note You need to log in before you can comment on or make changes to this bug.