Bug 490164 - eclipse and xace permissions
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Platform: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-03-13 12:16 EDT by Dominick Grift
Modified: 2009-03-16 14:27 EDT

Doc Type: Bug Fix
Last Closed: 2009-03-16 10:57:44 EDT
Description Dominick Grift 2009-03-13 12:16:33 EDT
Description of problem:

eclipse doesn't start because xace doesn't allow it

#============= dgrift_java_t ==============
allow dgrift_java_t client_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t focus_xevent_t:x_event receive;
allow dgrift_java_t info_xproperty_t:x_property read;
allow dgrift_java_t input_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t output_xext_t:x_extension { query use };
allow dgrift_java_t property_xevent_t:x_event receive;
allow dgrift_java_t rootwindow_t:x_colormap use;
allow dgrift_java_t rootwindow_t:x_drawable { hide setattr show read blend create manage send add_child write receive remove_child override destroy set_property };
allow dgrift_java_t self:x_cursor { read destroy create use setattr };
allow dgrift_java_t self:x_gc { destroy create use setattr };
allow dgrift_java_t shmem_xext_t:x_extension { query use };
allow dgrift_java_t std_xext_t:x_extension use;
allow dgrift_java_t xdm_xproperty_t:x_property read;
allow dgrift_java_t xext_t:x_extension { query use };
allow dgrift_java_t xproperty_t:x_property { read write create };
allow dgrift_java_t xselection_t:x_selection getattr;
allow dgrift_java_t xserver_t:x_device { setfocus getattr getfocus use setattr };
allow dgrift_java_t xserver_t:x_resource { read write };
allow dgrift_java_t xserver_t:x_server grab;
allow dgrift_java_t rootwindow_t:x_drawable { get_property getattr };
allow dgrift_java_t std_xext_t:x_extension query;

Version-Release number of selected component (if applicable):
selinux-policy-3.6.9-1.fc11.noarch
selinux-policy-targeted-3.6.9-1.fc11.noarch

How reproducible:
start eclipse for a confined domain
Comment 1 Andrew Overholt 2009-03-13 14:41:12 EDT
Are other java apps affected by this?
Comment 2 Dominick Grift 2009-03-13 14:53:47 EDT
Yes, I believe so.

There were some more permissions it needed (might even be more later)

allow dgrift_java_t client_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t focus_xevent_t:x_event receive;
allow dgrift_java_t info_xproperty_t:x_property read;
allow dgrift_java_t input_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_event receive;
allow dgrift_java_t manage_xevent_t:x_synthetic_event { receive send };
allow dgrift_java_t output_xext_t:x_extension { query use };
allow dgrift_java_t property_xevent_t:x_event receive;
allow dgrift_java_t rootwindow_t:x_colormap use;
allow dgrift_java_t rootwindow_t:x_drawable { hide setattr show read blend create manage send add_child write receive remove_child override destroy set_property };
allow dgrift_java_t self:x_cursor { read destroy create use setattr };
allow dgrift_java_t self:x_gc { destroy create use setattr };
allow dgrift_java_t shmem_xext_t:x_extension { query use };
allow dgrift_java_t std_xext_t:x_extension use;
allow dgrift_java_t xdm_xproperty_t:x_property read;
allow dgrift_java_t xext_t:x_extension { query use };
allow dgrift_java_t xproperty_t:x_property { read write create destroy };
allow dgrift_java_t xselection_t:x_selection getattr;
allow dgrift_java_t xserver_t:x_device { setfocus grab bell getattr getfocus use setattr };
allow dgrift_java_t xserver_t:x_resource { read write };
allow dgrift_java_t xserver_t:x_server grab;
allow dgrift_java_t rootwindow_t:x_drawable { get_property getattr list_child };
allow dgrift_java_t std_xext_t:x_extension query;
allow dgrift_java_t clipboard_xselection_t:x_selection { read getattr setattr };
allow dgrift_java_t input_xevent_t:x_synthetic_event receive;
Comment 3 Andrew Overholt 2009-03-13 14:59:32 EDT
Should this be an F-11 blocker?
Comment 4 Dominick Grift 2009-03-15 16:09:10 EDT
This fixes it for me:

optional_policy(`
        xserver_common_app(dgrift_java_t)
        xserver_read_xdm_pid(dgrift_java_t)
        xserver_stream_connect(dgrift_java_t)
')

Stolen from pulseaudio policy ;)
Comment 5 Daniel Walsh 2009-03-16 10:57:44 EDT
Fixed in selinux-policy-3.6.9-2.fc11.noarch
Comment 6 Dominick Grift 2009-03-16 13:20:27 EDT
This issue is still not resolved, I believe:

sh-4.0# rpm -qa | grep selinux-policy
selinux-policy-3.6.9-2.fc11.noarch
selinux-policy-targeted-3.6.9-2.fc11.noarch

[dgrift@notebook1 Desktop]$ eclipse -pluginCustomization /tmp/noWelcomeScreen.ini
CompilerOracle: exclude org/eclipse/core/internal/dtree/DataTreeNode.forwardDeltaWith
CompilerOracle: exclude org/eclipse/jdt/internal/compiler/lookup/ParameterizedMethodBinding.<init>
CompilerOracle: exclude org/eclipse/cdt/internal/core/dom/parser/cpp/semantics/CPPTemplates.instantiateTemplate
CompilerOracle: exclude org/eclipse/cdt/internal/core/pdom/dom/cpp/PDOMCPPLinkage.addBinding
CompilerOracle: exclude org/python/pydev/editor/codecompletion/revisited/PythonPathHelper.isValidSourceFile
CompilerOracle: exclude org/python/pydev/ui/filetypes/FileTypesPreferencesPage.getDottedValidSourceFiles

Gdk-ERROR **: The program '.' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAccess (attempt to access private resource denied)'.
  (Details: serial 2 error_code 10 request_code 55 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
aborting...

sh-4.0# ausearch -m user_avc -ts recent | audit2allow -R

require {
	type std_xext_t;
	type dgrift_java_t;
	type rootwindow_t;
	class x_extension query;
	class x_drawable { get_property getattr };
}

#============= dgrift_java_t ==============
allow dgrift_java_t rootwindow_t:x_drawable { get_property getattr };
allow dgrift_java_t std_xext_t:x_extension query;

(that is in enforcing mode)
Comment 7 Daniel Walsh 2009-03-16 13:45:14 EDT
Please attach the AVC messages. It looks like allow dgrift_java_t std_xext_t:x_extension query; should have been in policy.
Comment 8 Dominick Grift 2009-03-16 13:56:06 EDT
type=SYSCALL msg=audit(1237223915.188:430): arch=c000003e syscall=1 success=no exit=2051882968 a0=3 a1=7fff42ff25b0 a2=1 a3=0 items=0 ppid=11838 pid=12722 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=dgrift:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1237223920.060:432): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { query } for request=X11:QueryExtension comm=/usr/bin/java extension=BIG-REQUESTS scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:std_xext_t:s0 tclass=x_extension : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1237223920.061:433): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { getattr } for request=X11:CreateGC comm=/usr/bin/java resid=13c restype=WINDOW scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rootwindow_t:s0 tclass=x_drawable : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1237223920.062:434): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { get_property } for request=X11:GetProperty comm=/usr/bin/java resid=13c restype=WINDOW scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rootwindow_t:s0 tclass=x_drawable : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=ANOM_ABEND msg=audit(1237223920.063:435): auid=501 uid=501 gid=503 ses=1 subj=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 pid=12738 comm="java" sig=5
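As an added example (not part of this bug report, of selinux-policy, or of audit2allow itself), the following Python script reproduces the grouping step that audit2allow applies to USER_AVC records: it shows how the three X server denials pasted above collapse into the two allow rules from comment 6, one per (source type, target type, object class). The audit records embedded in the script are copied from this bug as constructed sample input; the regular expressions and function names are the example's own.

```python
"""Group SELinux XACE (USER_AVC) denials into audit2allow-style allow rules.

Added example for bug 490164; not code from selinux-policy or audit2allow.
The records below are copied from comment 8 of the bug (constructed sample
input): one SYSCALL record, three USER_AVC records and one ANOM_ABEND record.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1237223915.188:430): arch=c000003e syscall=1 success=no exit=2051882968 a0=3 a1=7fff42ff25b0 a2=1 a3=0 items=0 ppid=11838 pid=12722 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=dgrift:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1237223920.060:432): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { query } for request=X11:QueryExtension comm=/usr/bin/java extension=BIG-REQUESTS scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:std_xext_t:s0 tclass=x_extension : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1237223920.061:433): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { getattr } for request=X11:CreateGC comm=/usr/bin/java resid=13c restype=WINDOW scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rootwindow_t:s0 tclass=x_drawable : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1237223920.062:434): user pid=2676 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { get_property } for request=X11:GetProperty comm=/usr/bin/java resid=13c restype=WINDOW scontext=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rootwindow_t:s0 tclass=x_drawable : exe=2F7573722F62696E2F586F7267202864656C6574656429 (sauid=0, hostname=?, addr=?, terminal=?)'
type=ANOM_ABEND msg=audit(1237223920.063:435): auid=501 uid=501 gid=503 ses=1 subj=dgrift:dgrift_r:dgrift_java_t:s0-s0:c0.c1023 pid=12738 comm="java" sig=5
"""

# For XACE denials the X server (xserver_t) is the reporter, so the interesting
# contexts are the ones inside msg='avc: ...': scontext is the X client's domain.
# The same pattern also matches kernel type=AVC records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<detail>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Extract every 'avc: denied' record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, ANOM_ABEND, ... carry no avc: denied text
            continue
        detail = dict(FIELD_RE.findall(m.group("detail")))
        denials.append({
            "perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "request": detail.get("request"),  # X11 request that was denied
            "comm": detail.get("comm"),        # client executable, for triage
        })
    return denials


def _perm_set(perms):
    """Format a permission set the way policy sources write it."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def denials_to_allow_rules(denials):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    for d in denials:
        perms_by_key[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        f"allow {stype} {ttype}:{tclass} {_perm_set(perms)};"
        for (stype, ttype, tclass), perms in sorted(perms_by_key.items())
    ]


def build_module_text(denials):
    """Emit a require block plus allow rules, in the shape audit2allow prints."""
    types = sorted({d["stype"] for d in denials} | {d["ttype"] for d in denials})
    perms_by_class = defaultdict(set)
    for d in denials:
        perms_by_class[d["tclass"]].update(d["perms"])
    lines = ["require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(perms_by_class.items())]
    lines += ["}", ""]
    lines += denials_to_allow_rules(denials)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_module_text(parse_denials(SAMPLE_AUDIT_LOG)))
```

The request= and comm= fields are kept on each parsed denial on purpose: before turning generated rules into policy, check that the denied request really came from the application being confined (here /usr/bin/java issuing QueryExtension, CreateGC and GetProperty), and prefer an existing interface such as the xserver_common_app() call from comment 4 over pasting raw allow rules, since the interface already carries the related permissions and gets updated with the reference policy.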
Comment 9 Dominick Grift 2009-03-16 14:27:56 EDT
Ignore. Works fine...