Description of problem:
When opening a page that contains some Java, SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from 'name_bind' accesses on the tcp_socket.

***** Plugin mozplugger (99.1 confidence) suggests *************************
If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

***** Plugin catchall (1.81 confidence) suggests ***************************
If you believe that java should be allowed name_bind access on tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context system_u:object_r:jboss_debug_port_t:s0
Target Objects [ tcp_socket ]
Source java
Source Path /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java
Port 8787
Host (removed)
Source RPM Packages java-1.7.0-openjdk-1.7.0.19-2.3.9.5.fc18.i686
Target RPM Packages
Policy RPM selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.9.2-200.fc18.i686.PAE #1 SMP Mon May 13 14:38:57 UTC 2013 i686 i686
Alert Count 4
First Seen 2013-05-23 10:52:58 CEST
Last Seen 2013-05-23 10:57:02 CEST
Local ID 2bcee1d2-ee4c-4af7-bd28-94c400e4b074

Raw Audit Messages
type=AVC msg=audit(1369299422.901:533): avc: denied { name_bind } for pid=7743 comm="java" src=8787 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jboss_debug_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1369299422.901:533): arch=i386 syscall=socketcall success=no exit=EACCES a0=2 a1=b699be90 a2=8b242000 a3=8929bc70 items=0 ppid=7731 pid=7743 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: java,mozilla_plugin_t,jboss_debug_port_t,tcp_socket,name_bind

audit2allow
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t jboss_debug_port_t:tcp_socket name_bind;

audit2allow -R
require {
type mozilla_plugin_t;
}
#============= mozilla_plugin_t ==============
corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)

Additional info:
hashmarkername: setroubleshoot
kernel: 3.9.2-200.fc18.i686.PAE
type: libreport
See also this bug (the two are connected): https://bugzilla.redhat.com/show_bug.cgi?id=966401
Try to execute:
# chcon -R -t mozilla_home_t /home/mgrepl/.icedtea
Try to execute:
# chcon -R -t mozilla_home_t /home/<USERNAME>/.icedtea
Now the page works (not sure if it is connected to any update). I didn't apply your suggestion. When I open a page I get the usual warning from Java; if I allow it to proceed, I say yes and I get a message from SELinux:

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from write access on the file /home/antonio/.icedtea/cache/recently_used.

Plugin: catchall
If you believe that java should be allowed write access on the recently_used file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

As I can see the requested page, I didn't apply your suggestion.
If you upgrade to the latest version in koji, SELinux works fine.
I didn't try the version in koji, but I experienced a nearly identical problem. The chcon command in comment 3 didn't work, but:
# grep java /var/log/audit/audit.log | tail | audit2allow -M java-icedtea-fix
# semodule -i java-icedtea-fix.pp
worked fine. Problem encountered using fc17, selinux-policy-targeted.noarch 3.10.0-169.fc17. Is this fixed in any updates of selinux-policy for fc17?
FYI:
# grep java audit.log | tail | audit2allow
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t jboss_debug_port_t:tcp_socket name_bind;
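The `grep java audit.log | audit2allow -M mypol` recipe from the report and from comment 7 turns every matching AVC denial into an `allow` rule, so it is worth seeing what audit2allow derives from the raw records before loading a module with semodule. The script below is an added example, not code from this bug, from setroubleshoot or from the selinux-policy package: it reproduces the rule derivation with plain awk over a constructed audit log (the log lines, the second `write` denial on user_home_t and the sshd record are made up for illustration), filtering on comm= the way the grep does, so it runs without SELinux present.

```shell
#!/bin/sh
# Added example: derive audit2allow-style rules from raw AVC records so the
# module you would load with `semodule -i` can be reviewed first.
# Pure text processing; works on any POSIX sh with awk, no SELinux needed.

# Constructed sample audit log (not a capture from this bug). It mixes one
# SYSCALL record, two java denials and one unrelated sshd denial, so that the
# comm= filter and the type=AVC filter both matter.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1369299422.901:533): avc:  denied  { name_bind } for  pid=7743 comm="java" src=8787 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jboss_debug_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1369299422.901:533): arch=i386 syscall=socketcall success=no exit=EACCES comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java
type=AVC msg=audit(1369299500.120:540): avc:  denied  { write } for  pid=7743 comm="java" name="recently_used" dev="dm-1" ino=1234 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1369299600.001:551): avc:  denied  { read } for  pid=900 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_to_allow COMM
# Print one "allow SRC_TYPE TGT_TYPE:CLASS PERMS;" line per AVC denial whose
# comm= field equals COMM, deduplicated, in the form audit2allow prints.
avc_to_allow() {
    comm="$1"
    printf '%s\n' "$SAMPLE_AUDIT_LOG" |
    grep 'type=AVC' | grep "comm=\"$comm\"" |
    awk '{
        perms = ""; src = ""; tgt = ""; cls = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission between "{" and "}".
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : " ") $j;
            } else if (index($i, "scontext=") == 1) {
                src = substr($i, 10);        # strip "scontext="
            } else if (index($i, "tcontext=") == 1) {
                tgt = substr($i, 10);        # strip "tcontext="
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8);         # strip "tclass="
            }
        }
        # A context is user:role:type:range; the type is the third field.
        split(src, s, ":"); split(tgt, t, ":");
        # audit2allow writes a single permission bare and several in braces.
        if (index(perms, " ") > 0) perms = "{ " perms " }";
        printf "allow %s %s:%s %s;\n", s[3], t[3], cls, perms;
    }' | sort -u
}

# count_rules COMM: how many distinct rules the module would contain.
count_rules() {
    avc_to_allow "$1" | grep -c '^allow '
}

avc_to_allow java
```

Running the script prints the two rules a `grep java ... | audit2allow` would bake into the module, including the `write` on user_home_t that the relabel in comment 3 was meant to avoid; the sshd denial is left out because it never passes the comm= filter. Review the list before `semodule -i`: every line is a permanent allow for mozilla_plugin_t.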
Hi, I'm wondering if this problem is related at all: https://lists.fedoraproject.org/pipermail/users/2013-June/436161.html
I'm afraid I don't know much about SELinux. What is the status of this bug exactly?
The alert told you what you could do.
If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0