Bug 814957 - SELinux is preventing /bin/chmod from 'setattr' accesses on the fichier /etc/profile.d/java.sh.
SELinux is preventing /bin/chmod from 'setattr' accesses on the fichier /etc/...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-04-21 11:50 EDT by Olivier LEVILLAIN
Modified: 2012-06-30 04:01 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-29 17:54:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Olivier LEVILLAIN 2012-04-21 11:50:01 EDT
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.2-1.fc16.x86_64
reason:         SELinux is preventing /bin/chmod from 'setattr' accesses on the fichier /etc/profile.d/java.sh.
time:           sam. 21 avril 2012 17:42:05 CEST

:SELinux is preventing /bin/chmod from 'setattr' accesses on the fichier /etc/profile.d/java.sh.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that chmod should be allowed setattr access on the java.sh file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep chmod /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:bin_t:s0
:Target Objects                /etc/profile.d/java.sh [ file ]
:Source                        chmod
:Source Path                   /bin/chmod
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           coreutils-8.12-7.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.2-1.fc16.x86_64 #1 SMP Sat Apr 14
:                              00:31:23 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    mar. 17 avril 2012 19:55:58 CEST
:Last Seen                     sam. 21 avril 2012 17:27:15 CEST
:Local ID                      0a874f90-8fa1-4f3e-9f94-9ac58caeb3b0
:Raw Audit Messages
:type=AVC msg=audit(1335022035.295:39): avc:  denied  { setattr } for  pid=1132 comm="chmod" name="java.sh" dev="sda8" ino=162633 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
:type=SYSCALL msg=audit(1335022035.295:39): arch=x86_64 syscall=fchmodat success=no exit=EACCES a0=ffffffffffffff9c a1=17fa0f0 a2=1ed a3=0 items=0 ppid=1119 pid=1132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chmod exe=/bin/chmod subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:Hash: chmod,xdm_t,bin_t,file,setattr
:#============= xdm_t ==============
:allow xdm_t bin_t:file setattr;
:audit2allow -R
:#============= xdm_t ==============
:allow xdm_t bin_t:file setattr;
Comment 1 Daniel Walsh 2012-04-22 07:56:16 EDT
What is java.sh trying to do?  It is not a good idea to allow a login program to change the permissions on a binary.
Comment 2 Olivier LEVILLAIN 2012-04-22 14:39:39 EDT
The /etc/profile.d/java.sh is created by the java 7 install as far as I can tell..

It's content is a bit weird:
export JAVA_HOME="/usr/java/jdk1.7.0_03"
export PATH="$PATH:$JAVA_HOME/bin"
chmod +x /etc/profile.d/java.sh

So it changes itself its permission (whereas its permission is already:
-rwxr-xr-x. 1 root root 138  9 avril 20:15 /etc/profile.d/java.sh).

To cancel the error, I will remove this last line but then where should we create a bug for the java installer?
Comment 3 Daniel Walsh 2012-04-23 10:14:44 EDT
Yes, Is this a java you downloaded or does this happen in the java fedora ships?
Comment 4 Deepak Bhole 2012-06-29 12:43:53 EDT
Hi Dan,

/usr/java/jdk1.7.0_03 is not created by java-1.7.0-openjdk but that is where the Oracle JDK would get installed. Since the Oracle JDK is 3rd party, there isn't anything that can be done on the OpenJDK package side.

I am not sure if we add policies for such 3rd party applications therefore I am switching the component to selinux-policy so that you can make the call.
Comment 5 Daniel Walsh 2012-06-29 17:54:38 EDT
Olivier can you open a bug with Oracle to not do this in a /etc/profile.d script.
Comment 6 Olivier LEVILLAIN 2012-06-30 04:01:12 EDT
Ok Daniel, 
I'll do it. Thanks for your support and, next time, I'll think twice before installing a 3rd party software from internet when yum provides it out of the box O:-)

Note You need to log in before you can comment on or make changes to this bug.