Bug 435824 - ibm java plugin is blocked by selinux avc
Summary: ibm java plugin is blocked by selinux avc
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: i386 Linux
Target Milestone: beta
Assignee: Daniel Walsh
Reported: 2008-03-04 00:35 UTC by John Poelstra
Modified: 2008-05-21 16:07 UTC

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:07:22 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0465 normal SHIPPED_LIVE selinux-policy bug fix update 2008-05-20 14:36:31 UTC

Description John Poelstra 2008-03-04 00:35:53 UTC
Description of problem:

Cannot access java enabled websites because of selinux avc

Version-Release number of selected component (if applicable):
$ rpm -qa | grep java

How reproducible:

Steps to Reproduce:
1. install java plugin
2. go to http://www.javatester.org/version.html
3. see avc in setroubleshoot
Actual results:

Expected results:

Additional info:


SELinux is preventing firefox from loading
/usr/lib/jvm/java-1.5.0-ibm- which
requires text relocation.

Detailed Description:

The firefox application attempted to load
/usr/lib/jvm/java-1.5.0-ibm- which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/jvm/java-1.5.0-ibm- to use
relocation as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust
/usr/lib/jvm/java-1.5.0-ibm- to run
correctly, you can change the file context to textrel_shlib_t. "chcon -t
'/usr/lib/jvm/java-1.5.0-ibm-'" You must
also change the default file context files on the system in order to preserve
them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t

The following command will allow this access:

chcon -t textrel_shlib_t

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:java_exec_t
Target Objects                /usr/lib/jvm/java-1.5.0-ibm-
                              aplugin_ojigtk2.so [ file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          screamer
Source RPM Packages           firefox-3.0-0.beta2.11.el5
Target RPM Packages           java-1.5.0-ibm-plugin-
Policy RPM                    selinux-policy-2.4.6-121.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     screamer
Platform                      Linux screamer 2.6.18-83.el5 #1 SMP Thu Feb 21
                              12:14:23 EST 2008 i686 i686
Alert Count                   6
First Seen                    Tue 26 Feb 2008 04:57:16 PM PST
Last Seen                     Mon 03 Mar 2008 04:24:50 PM PST
Local ID                      5ba30d96-04e4-49e8-931f-6c2ed9f1e7dc
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1204590290.67:79): avc:  denied  { execmod }
for  pid=6812 comm="firefox"
dev=hda2 ino=1912907 scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:java_exec_t:s0 tclass=file

host=screamer type=SYSCALL msg=audit(1204590290.67:79): arch=40000003
syscall=125 success=no exit=-13 a0=504000 a1=18000 a2=5 a3=bf8a28a0 items=0
ppid=6787 pid=6812 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox"
exe="/usr/lib/firefox-3.0b3pre/firefox" subj=user_u:system_r:unconfined_t:s0

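The setroubleshoot text above recommends relabeling the plugin library to textrel_shlib_t, and suggests chcon first. A bare chcon is lost on the next full relabel, and labeling a library textrel_shlib_t grants execmod to every domain that can map it, so a practitioner wants two things before doing that: confirm the denial really is an execmod on the plugin's file type, and confirm the library actually carries a TEXTREL dynamic tag rather than trusting the alert blindly. The script below is an added example, not part of the bug report or of setroubleshoot; it parses the raw AVC line from this report (embedded here as a constructed sample, joined onto one line), checks for the java_exec_t/execmod pattern, optionally verifies TEXTREL with readelf, and prints the persistent semanage + restorecon form of the workaround instead of running it. The function names and the placeholder library path are assumptions; the real path is truncated in the report, so it is passed as an argument. Note that on a system with the fixed policy (selinux-policy-2.4.6-124.el5 or later, shipped as RHBA-2008:0465) no relabel is needed at all.

```shell
#!/bin/sh
# Added example (not from the bug report): parse an execmod AVC, confirm the
# library really needs text relocation, and emit the persistent relabel.

# Constructed sample: the raw AVC line from this report, joined onto one line.
SAMPLE_AVC='host=screamer type=AVC msg=audit(1204590290.67:79): avc:  denied  { execmod } for  pid=6812 comm="firefox" dev=hda2 ino=1912907 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=file'

# Print "<perm> <comm> <source type> <target type> <class>" for one AVC line.
# Handles a single permission in the braces, which is what this report shows;
# the MLS suffix (":s0") is optional so non-MLS contexts parse too.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*{ \([a-z_]*\) }.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\1 \2 \3 \4 \5/p'
}

# True when the denial is the case in this report: execmod on a java_exec_t file.
is_java_execmod() {
    set -- $(avc_fields "$1")
    [ "$1" = execmod ] && [ "$4" = java_exec_t ] && [ "$5" = file ]
}

# Check whether the library actually carries a TEXTREL dynamic tag.
# Returns non-zero if readelf is unavailable or no TEXTREL entry is present,
# so the caller never relabels a library that does not need it.
has_textrel() {
    command -v readelf >/dev/null 2>&1 || return 1
    readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}

# Emit the workaround in its persistent form: a file-context rule plus
# restorecon, so a full relabel does not undo it (a bare chcon would be lost).
# The path is a parameter because the path in the report is truncated.
relabel_cmds() {
    lib="$1"
    printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$lib"
    printf "restorecon -v '%s'\n" "$lib"
}

# Stand-alone run: decide on the sample AVC, then print (not execute) the
# commands for the library given as $1. "/path/to/plugin.so" is a placeholder.
LIB="${1:-/path/to/plugin.so}"
if is_java_execmod "$SAMPLE_AVC"; then
    echo "execmod denial on a java_exec_t file; persistent workaround for $LIB:"
    if [ -f "$LIB" ] && ! has_textrel "$LIB"; then
        echo "warning: $LIB has no TEXTREL tag; do not relabel it" >&2
    fi
    relabel_cmds "$LIB"
fi
```

Run it as `sh check_execmod.sh /full/path/to/the/plugin.so` on the affected host; review the two printed commands, then run them as root. Keep the relabel scoped to the one library the AVC names rather than a directory glob, since textrel_shlib_t removes the execmod protection for every file it is applied to.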
Comment 1 John Poelstra 2008-03-04 00:37:55 UTC
I believe the business justification, etc. is obvious here... the plug-in
doesn't work at all and should only require a simple change to the selinux policy

Comment 2 Thomas Fitzsimmons 2008-03-04 15:34:47 UTC
Reassigning to Dan Walsh.

Comment 3 Daniel Walsh 2008-03-04 20:50:42 UTC
Fixed in selinux-policy-2.4.6-124.el5

Comment 8 errata-xmlrpc 2008-05-21 16:07:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

