Description of problem:
eclipse doesn't start because xace doesn't allow it

#============= dgrift_java_t ==============
allow dgrift_java_t client_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t focus_xevent_t:x_event receive;
allow dgrift_java_t info_xproperty_t:x_property read;
allow dgrift_java_t input_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t output_xext_t:x_extension { query use };
allow dgrift_java_t property_xevent_t:x_event receive;
allow dgrift_java_t rootwindow_t:x_colormap use;
allow dgrift_java_t rootwindow_t:x_drawable { hide setattr show read blend create manage send add_child write receive remove_child override destroy set_property };
allow dgrift_java_t self:x_cursor { read destroy create use setattr };
allow dgrift_java_t self:x_gc { destroy create use setattr };
allow dgrift_java_t shmem_xext_t:x_extension { query use };
allow dgrift_java_t std_xext_t:x_extension use;
allow dgrift_java_t xdm_xproperty_t:x_property read;
allow dgrift_java_t xext_t:x_extension { query use };
allow dgrift_java_t xproperty_t:x_property { read write create };
allow dgrift_java_t xselection_t:x_selection getattr;
allow dgrift_java_t xserver_t:x_device { setfocus getattr getfocus use setattr };
allow dgrift_java_t xserver_t:x_resource { read write };
allow dgrift_java_t xserver_t:x_server grab;
allow dgrift_java_t rootwindow_t:x_drawable { get_property getattr };
allow dgrift_java_t std_xext_t:x_extension query;

Version-Release number of selected component (if applicable):
selinux-policy-3.6.9-1.fc11.noarch
selinux-policy-targeted-3.6.9-1.fc11.noarch

How reproducible:
start eclipse for a confined domain
Are other java apps affected by this?
Yes, I believe so. There were some more permissions it needed (might even be more later):

allow dgrift_java_t client_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t focus_xevent_t:x_event receive;
allow dgrift_java_t info_xproperty_t:x_property read;
allow dgrift_java_t input_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t output_xext_t:x_extension { query use };
allow dgrift_java_t property_xevent_t:x_event receive;
allow dgrift_java_t rootwindow_t:x_colormap use;
allow dgrift_java_t rootwindow_t:x_drawable { hide setattr show read blend create manage send add_child write receive remove_child override destroy set_property };
allow dgrift_java_t self:x_cursor { read destroy create use setattr };
allow dgrift_java_t self:x_gc { destroy create use setattr };
allow dgrift_java_t shmem_xext_t:x_extension { query use };
allow dgrift_java_t std_xext_t:x_extension use;
allow dgrift_java_t xdm_xproperty_t:x_property read;
allow dgrift_java_t xext_t:x_extension { query use };
allow dgrift_java_t xproperty_t:x_property { read write create destroy };
allow dgrift_java_t xselection_t:x_selection getattr;
allow dgrift_java_t xserver_t:x_device { setfocus grab bell getattr getfocus use setattr };
allow dgrift_java_t xserver_t:x_resource { read write };
allow dgrift_java_t xserver_t:x_server grab;
allow dgrift_java_t rootwindow_t:x_drawable { get_property getattr list_child };
allow dgrift_java_t std_xext_t:x_extension query;
allow dgrift_java_t clipboard_xselection_t:x_selection { read getattr setattr };
allow dgrift_java_t input_xevent_t:x_synthetic_event receive;
Should this be an F-11 blocker?
This fixes it for me:

optional_policy(`
	xserver_common_app(dgrift_java_t)
	xserver_read_xdm_pid(dgrift_java_t)
	xserver_stream_connect(dgrift_java_t)
')

Stolen from pulseaudio policy ;)
Fixed in selinux-policy-3.6.9-2.fc11.noarch
This issue is still not resolved I believe:

sh-4.0# rpm -qa | grep selinux-policy
selinux-policy-3.6.9-2.fc11.noarch
selinux-policy-targeted-3.6.9-2.fc11.noarch

[dgrift@notebook1 Desktop]$ eclipse -pluginCustomization /tmp/noWelcomeScreen.ini
CompilerOracle: exclude org/eclipse/core/internal/dtree/DataTreeNode.forwardDeltaWith
CompilerOracle: exclude org/eclipse/jdt/internal/compiler/lookup/ParameterizedMethodBinding.<init>
CompilerOracle: exclude org/eclipse/cdt/internal/core/dom/parser/cpp/semantics/CPPTemplates.instantiateTemplate
CompilerOracle: exclude org/eclipse/cdt/internal/core/pdom/dom/cpp/PDOMCPPLinkage.addBinding
CompilerOracle: exclude org/python/pydev/editor/codecompletion/revisited/PythonPathHelper.isValidSourceFile
CompilerOracle: exclude org/python/pydev/ui/filetypes/FileTypesPreferencesPage.getDottedValidSourceFiles
Gdk-ERROR **: The program '.' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAccess (attempt to access private resource denied)'.
  (Details: serial 2 error_code 10 request_code 55 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line option to change this behavior.
   You can then get a meaningful backtrace from your debugger if you break on the gdk_x_error() function.)
aborting...

sh-4.0# ausearch -m user_avc -ts recent | audit2allow -R

require {
	type std_xext_t;
	type dgrift_java_t;
	type rootwindow_t;
	class x_extension query;
	class x_drawable { get_property getattr };
}

#============= dgrift_java_t ==============
allow dgrift_java_t rootwindow_t:x_drawable { get_property getattr };
allow dgrift_java_t std_xext_t:x_extension query;

(that is in enforcing mode)
Please attach the AVC messages. It looks like allow dgrift_java_t std_xext_t:x_extension query; should have been in policy.
type=SYSCALL msg=audit(1237223915.188:430): arch=c000003e syscall=1 success=no exit=2051882968 a0=3 a1=7fff42ff25b0 a2=1 a3=0 items=0 ppid=11838 pid=12722 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=dgrift:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1237223920.060:432): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc: denied { query } for request=X11:QueryExtension comm=/usr/bin/java extension=BIG-REQUESTS scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:std_xext_t:s0 tclass=x_extension : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1237223920.061:433): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc: denied { getattr } for request=X11:CreateGC comm=/usr/bin/java resid=13c restype=WINDOW scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rootwindow_t:s0 tclass=x_drawable : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1237223920.062:434): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc: denied { get_property } for request=X11:GetProperty comm=/usr/bin/java resid=13c restype=WINDOW scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rootwindow_t:s0 tclass=x_drawable : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=ANOM_ABEND msg=audit(1237223920.063:435): auid=501 uid=501 gid=503 ses=1 subj=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 pid=12738 comm="java" sig=5
ignore. works fine...