Bug 966419 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from 'name_bind' accesses on the tcp_socket .
Summary: SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java f...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:a9f2600f8124e018bc56316d1c0...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-23 09:06 UTC by antonio montagnani
Modified: 2013-10-25 12:10 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-25 12:10:51 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description antonio montagnani 2013-05-23 09:06:47 UTC 
Description of problem:
opening a page with some java
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from 'name_bind' accesses on the tcp_socket .

*****  Plugin mozplugger (99.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  ***************************

If si crede che java dovrebbe avere possibilità di accesso name_bind sui  tcp_socket in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:jboss_debug_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/j
                              ava
Port                          8787
Host                          (removed)
Source RPM Packages           java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-200.fc18.i686.PAE #1 SMP Mon
                              May 13 14:38:57 UTC 2013 i686 i686
Alert Count                   4
First Seen                    2013-05-23 10:52:58 CEST
Last Seen                     2013-05-23 10:57:02 CEST
Local ID                      2bcee1d2-ee4c-4af7-bd28-94c400e4b074

Raw Audit Messages
type=AVC msg=audit(1369299422.901:533): avc:  denied  { name_bind } for  pid=7743 comm="java" src=8787 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jboss_debug_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1369299422.901:533): arch=i386 syscall=socketcall success=no exit=EACCES a0=2 a1=b699be90 a2=8b242000 a3=8929bc70 items=0 ppid=7731 pid=7743 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,jboss_debug_port_t,tcp_socket,name_bind

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t jboss_debug_port_t:tcp_socket name_bind;

audit2allow -R
require {
	type mozilla_plugin_t;
}

#============= mozilla_plugin_t ==============
corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.i686.PAE
type:           libreport
Comment 1 antonio montagnani 2013-05-23 09:10:34 UTC 
see also this bug (the two are connected)
https://bugzilla.redhat.com/show_bug.cgi?id=966401
Comment 2 Miroslav Grepl 2013-05-24 05:56:12 UTC 
Try to execute

# chcon -R -t mozilla_home_t /home/mgrepl/.icedtea
Comment 3 Miroslav Grepl 2013-05-24 05:57:00 UTC 
Try to execute

# chcon -R -t mozilla_home_t /home/<USERNAME>/.icedtea
Comment 4 antonio montagnani 2013-05-24 15:13:15 UTC 
now the page works (not sure if connected to any update) - I didn't apply your suggestion.

When I open a page I get the usual warning from java if I allow to proceed: I say yes and I get a message from Selinux:

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from write access on the file /home/antonio/.icedtea/cache/recently_used.

Plugin: catchall 
you want to allow java to have write access on the recently_used fileIf si crede che java dovrebbe avere possibilità di accesso write sui recently_used file in modo predefinito.
Si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Consentire questo accesso per il momento eseguendo:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

As I can see requested page I didn't apply your suggestion.
Comment 5 antonio montagnani 2013-05-24 15:24:53 UTC 
if you upgrade to latest version in koji Selinux works fine
Comment 6 Daniel Wang 2013-06-06 22:08:24 UTC 
I didn't try the version in koji, but experienced a nearly identical problem.
The chcon command in comment 3 didn't work, but:

# grep java  /var/log/audit/audit.log | tail | audit2allow -M java-icedtea-fix
# semodule -i java-icedtea-fix.pp

worked fine.

Problem encountered using fc17. selinux-policy-targeted.noarch 3.10.0-169.fc17

Is this fixed in any updates of selinux for fc17?
Comment 7 Daniel Wang 2013-06-06 22:10:05 UTC 
FYI:

# grep java  audit.log | tail | audit2allow


#============= mozilla_plugin_t ==============
allow mozilla_plugin_t jboss_debug_port_t:tcp_socket name_bind;
Comment 8 Adam Domurad 2013-06-10 18:55:11 UTC 
Hi, I'm wondering if this problem is related at all ?
https://lists.fedoraproject.org/pipermail/users/2013-June/436161.html
I'm afraid I don't know much about SELinux.

What is the status of this bug exactly ?
Comment 9 Daniel Walsh 2013-06-20 17:36:38 UTC 
The alert told you what you could do.

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0
Note You need to log in before you can comment on or make changes to this bug.