Bug 435824 - ibm java plugin is blocked by selinux avc
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: i386
OS: Linux
Priority: low
Severity: low
Target Milestone: beta
Assigned To: Daniel Walsh
Reported: 2008-03-03 19:35 EST by John Poelstra
Modified: 2008-05-21 12:07 EDT

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:07:22 EDT

Attachments: None
Description John Poelstra 2008-03-03 19:35:53 EST
Description of problem:

Cannot access java enabled websites because of selinux avc

Version-Release number of selected component (if applicable):
$ rpm -qa | grep java
java-1.5.0-ibm-1.5.0.5-1jpp.4.el5
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.4.el5
java-1.4.2-gcj-compat-1.4.2.0-40jpp.112
java-1.4.2-ibm-1.4.2.9-1jpp.1.el5


How reproducible:
100%

Steps to Reproduce:
1. install java plugin
2. go to http://www.javatester.org/version.html
3. see avc in setroubleshoot

Additional info:


Summary:

SELinux is preventing firefox from loading
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so which
requires text relocation.

Detailed Description:

The firefox application attempted to load
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so to use
relocation as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust
/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so to run
correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
'/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so'" You must
also change the default file context files on the system in order to preserve
them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:java_exec_t
Target Objects                /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjav
                              aplugin_ojigtk2.so [ file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          screamer
Source RPM Packages           firefox-3.0-0.beta2.11.el5
Target RPM Packages           java-1.5.0-ibm-plugin-1.5.0.5-1jpp.4.el5
Policy RPM                    selinux-policy-2.4.6-121.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     screamer
Platform                      Linux screamer 2.6.18-83.el5 #1 SMP Thu Feb 21
                              12:14:23 EST 2008 i686 i686
Alert Count                   6
First Seen                    Tue 26 Feb 2008 04:57:16 PM PST
Last Seen                     Mon 03 Mar 2008 04:24:50 PM PST
Local ID                      5ba30d96-04e4-49e8-931f-6c2ed9f1e7dc
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1204590290.67:79): avc:  denied  { execmod }
for  pid=6812 comm="firefox"
path="/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so"
dev=hda2 ino=1912907 scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:java_exec_t:s0 tclass=file

host=screamer type=SYSCALL msg=audit(1204590290.67:79): arch=40000003
syscall=125 success=no exit=-13 a0=504000 a1=18000 a2=5 a3=bf8a28a0 items=0
ppid=6787 pid=6812 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox"
exe="/usr/lib/firefox-3.0b3pre/firefox" subj=user_u:system_r:unconfined_t:s0
key=(null)
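As an added example (not code from this bug report, from the reporter, or from selinux-policy), the POSIX shell script below parses an execmod AVC record of the form shown in the raw audit messages above and prints the label-based workaround that setroubleshoot describes. The audit line is constructed from the raw message in this report; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Parses an execmod AVC record like the one in this report and prints the
# label-based workaround setroubleshoot recommends. Function names are
# this example's own; the audit line is constructed from the raw message above.

AVC_LINE='host=screamer type=AVC msg=audit(1204590290.67:79): avc:  denied  { execmod } for  pid=6812 comm="firefox" path="/usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/libjavaplugin_ojigtk2.so" dev=hda2 ino=1912907 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=file'

# avc_field KEY RECORD: value of KEY=VALUE in an audit record, quotes stripped
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_perm RECORD: the permission named inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third field) of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# remedy RECORD: print workaround commands for an execmod denial on a file,
# or a reason not to relabel; returns 1 when relabelling is not the answer
remedy() {
    rec=$1
    perm=$(avc_perm "$rec")
    path=$(avc_field path "$rec")
    tclass=$(avc_field tclass "$rec")
    ttype=$(ctx_type "$(avc_field tcontext "$rec")")
    if [ "$perm" != "execmod" ] || [ "$tclass" != "file" ]; then
        echo "not an execmod denial on a file (perm=$perm tclass=$tclass)"
        return 1
    fi
    if [ "$ttype" = "textrel_shlib_t" ]; then
        echo "$path is already textrel_shlib_t; the denial is not a labelling problem"
        return 1
    fi
    # Persist the rule first so a full relabel keeps it, then apply it to the
    # file: this is the semanage + chcon pair from the setroubleshoot text,
    # with restorecon applying the stored rule instead of a one-off chcon.
    echo "semanage fcontext -a -t textrel_shlib_t '$path'"
    echo "restorecon -v '$path'"
}

remedy "$AVC_LINE"
```

Before applying the label, confirm the library really carries text relocations (readelf -d on the .so lists a TEXTREL entry); the lasting fix is a library built with -fPIC so no relocation touches its code pages, which is what the memory-protection page linked above asks for. If a later policy update ships the fix, as this bug's errata did, drop the local rule with semanage fcontext -d and run restorecon on the file so the packaged context applies.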
Comment 1 John Poelstra 2008-03-03 19:37:55 EST
I believe the business justification, etc. is obvious here... the plug-in
doesn't work at all and should only require a simple change to the selinux policy
Comment 2 Thomas Fitzsimmons 2008-03-04 10:34:47 EST
Reassigning to Dan Walsh.
Comment 3 Daniel Walsh 2008-03-04 15:50:42 EST
Fixed in selinux-policy-2.4.6-124.el5
Comment 8 errata-xmlrpc 2008-05-21 12:07:22 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
