Bug 830368 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java from 'read' accesses on the directory hsperfdata_root.
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/...
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:1f802536edd01360349d01e4bb3...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-08 22:15 EDT by jimmy
Modified: 2012-10-17 04:56 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-17 04:56:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description jimmy 2012-06-08 22:15:02 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.0-1.fc17.x86_64
time:           Fri 08 Jun 2012 08:24:27 PM CST

description:
:SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java from 'read' accesses on the directory hsperfdata_root.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that java should be allowed read access on the hsperfdata_root directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep java /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_t:s0
:Target Context                system_u:object_r:initrc_tmp_t:s0
:Target Objects                hsperfdata_root [ dir ]
:Source                        java
:Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre
:                              /bin/java
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           java-1.7.0-openjdk-1.7.0.3-2.1.fc17.6.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3
:                              06:35:17 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Fri 08 Jun 2012 05:34:18 AM CST
:Last Seen                     Fri 08 Jun 2012 08:22:15 PM CST
:Local ID                      813f7e65-be45-461f-a09e-b339208c38e4
:
:Raw Audit Messages
:type=AVC msg=audit(1339208535.246:84): avc:  denied  { read } for  pid=1109 comm="java" name="hsperfdata_root" dev="dm-1" ino=1966091 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1339208535.246:84): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f919c0055d0 a2=90800 a3=0 items=0 ppid=1 pid=1109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java subj=system_u:system_r:httpd_t:s0 key=(null)
:
:Hash: java,httpd_t,initrc_tmp_t,dir,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Miroslav Grepl 2012-06-18 11:05:56 EDT
Is there a deamon running as initrc_t?

# ps -eZ |grep initrc

Or do you know how hsperfdata_root is created?
Comment 2 Daniel Walsh 2012-06-18 16:26:15 EDT
This looks like the hsperfdata_root directory was created with the wrong label on it, by an init script?

Note You need to log in before you can comment on or make changes to this bug.