Bug 830368 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java from 'read' accesses on the directory hsperfdata_root.
Summary: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1f802536edd01360349d01e4bb3...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-09 02:15 UTC by jimmy
Modified: 2012-10-17 08:56 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-17 08:56:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description jimmy 2012-06-09 02:15:02 UTC 
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.0-1.fc17.x86_64
time:           Fri 08 Jun 2012 08:24:27 PM CST

description:
:SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java from 'read' accesses on the directory hsperfdata_root.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that java should be allowed read access on the hsperfdata_root directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep java /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_t:s0
:Target Context                system_u:object_r:initrc_tmp_t:s0
:Target Objects                hsperfdata_root [ dir ]
:Source                        java
:Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre
:                              /bin/java
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           java-1.7.0-openjdk-1.7.0.3-2.1.fc17.6.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3
:                              06:35:17 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Fri 08 Jun 2012 05:34:18 AM CST
:Last Seen                     Fri 08 Jun 2012 08:22:15 PM CST
:Local ID                      813f7e65-be45-461f-a09e-b339208c38e4
:
:Raw Audit Messages
:type=AVC msg=audit(1339208535.246:84): avc:  denied  { read } for  pid=1109 comm="java" name="hsperfdata_root" dev="dm-1" ino=1966091 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1339208535.246:84): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f919c0055d0 a2=90800 a3=0 items=0 ppid=1 pid=1109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java subj=system_u:system_r:httpd_t:s0 key=(null)
:
:Hash: java,httpd_t,initrc_tmp_t,dir,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Miroslav Grepl 2012-06-18 15:05:56 UTC 
Is there a deamon running as initrc_t?

# ps -eZ |grep initrc

Or do you know how hsperfdata_root is created?
Comment 2 Daniel Walsh 2012-06-18 20:26:15 UTC 
This looks like the hsperfdata_root directory was created with the wrong label on it, by an init script?
Note You need to log in before you can comment on or make changes to this bug.