libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.2-1.fc16.x86_64
reason:         SELinux is preventing /bin/chmod from 'setattr' accesses on the fichier /etc/profile.d/java.sh.
time:           sam. 21 avril 2012 17:42:05 CEST

description:
:SELinux is preventing /bin/chmod from 'setattr' accesses on the fichier /etc/profile.d/java.sh.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that chmod should be allowed setattr access on the java.sh file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep chmod /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:bin_t:s0
:Target Objects                /etc/profile.d/java.sh [ file ]
:Source                        chmod
:Source Path                   /bin/chmod
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           coreutils-8.12-7.fc16.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.2-1.fc16.x86_64 #1 SMP Sat Apr 14
:                              00:31:23 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    mar. 17 avril 2012 19:55:58 CEST
:Last Seen                     sam. 21 avril 2012 17:27:15 CEST
:Local ID                      0a874f90-8fa1-4f3e-9f94-9ac58caeb3b0
:
:Raw Audit Messages
:type=AVC msg=audit(1335022035.295:39): avc: denied { setattr } for pid=1132 comm="chmod" name="java.sh" dev="sda8" ino=162633 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1335022035.295:39): arch=x86_64 syscall=fchmodat success=no exit=EACCES a0=ffffffffffffff9c a1=17fa0f0 a2=1ed a3=0 items=0 ppid=1119 pid=1132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chmod exe=/bin/chmod subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: chmod,xdm_t,bin_t,file,setattr
:
:audit2allow
:
:#============= xdm_t ==============
:allow xdm_t bin_t:file setattr;
:
:audit2allow -R
:
:#============= xdm_t ==============
:allow xdm_t bin_t:file setattr;
:
What is java.sh trying to do? It is not a good idea to allow a login program to change the permissions on a binary.
The /etc/profile.d/java.sh is created by the Java 7 install as far as I can tell. Its content is a bit weird:

export JAVA_HOME="/usr/java/jdk1.7.0_03"
export JAVA_PATH="$JAVA_HOME"
export PATH="$PATH:$JAVA_HOME/bin"
chmod +x /etc/profile.d/java.sh

So it changes its own permission (whereas its permission is already: -rwxr-xr-x. 1 root root 138 9 avril 20:15 /etc/profile.d/java.sh). To cancel the error, I will remove this last line, but then where should we create a bug for the Java installer?
Yes, is this a Java you downloaded, or does this happen in the Java Fedora ships?
Hi Dan, /usr/java/jdk1.7.0_03 is not created by java-1.7.0-openjdk, but that is where the Oracle JDK would get installed. Since the Oracle JDK is 3rd party, there isn't anything that can be done on the OpenJDK package side. I am not sure if we add policies for such 3rd party applications, therefore I am switching the component to selinux-policy so that you can make the call.
Olivier, can you open a bug with Oracle to not do this in a /etc/profile.d script?
Ok Daniel, I'll do it. Thanks for your support and, next time, I'll think twice before installing 3rd party software from the internet when yum provides it out of the box O:-)
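How the "allow xdm_t bin_t:file setattr;" line in the report follows from the AVC record, and why loading it would cover far more than java.sh. This is an added example, not part of the bug report and not audit2allow's own code; the LOGIN_DOMAINS, EXEC_TYPES and MODIFYING sets are assumptions chosen for illustration.

```python
import re

# AVC record taken from the report on this page.
AVC = ('type=AVC msg=audit(1335022035.295:39): avc: denied { setattr } for pid=1132 '
       'comm="chmod" name="java.sh" dev="sda8" ino=162633 '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:bin_t:s0 tclass=file')

# Assumptions for this example, not a complete policy inventory.
LOGIN_DOMAINS = {"xdm_t", "local_login_t", "sshd_t"}
EXEC_TYPES = {"bin_t", "shell_exec_t"}
MODIFYING = {"setattr", "write", "append", "unlink", "rename", "relabelto"}


def parse_avc(line):
    """Extract the fields an allow rule is built from."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not denied:
        raise ValueError("not an AVC denial record")
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": denied.group(1).split(),
        "comm": kv.get("comm", ""),
        "name": kv.get("name", ""),
        # A context is user:role:type[:level]; only the type enters the rule.
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def te_rule(rec):
    """Render the type-enforcement rule in the form shown in the report."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {p};"


def review(rec):
    """Return reasons to fix the caller instead of loading the rule."""
    notes = []
    if rec["source"] in LOGIN_DOMAINS and set(rec["perms"]) & MODIFYING:
        notes.append(f"login domain {rec['source']} would gain "
                     f"{'/'.join(rec['perms'])} on every {rec['target']} "
                     f"{rec['tclass']}, not only {rec['name']}")
        if rec["target"] in EXEC_TYPES:
            notes.append(f"{rec['target']} labels executable files")
    return notes
```

The rule names types only, so the file name from the denial never reaches the policy; that is why removing the chmod line from the script is the narrower fix.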