Our IBM Java expenses system fails with SELinux. It attempts to store data in ~/.IBMERS/Expense-Report-Solutions which mozilla_plugin_t doesn't have permission to access. I could disable unconfined_mozilla_plugin_transition but I really don't want to; I'd like to fix this so that it *can* create ~/.IBMERS and use it. Or failing that, I could create ~/.IBMERS in advance and set its label to mozilla_plugin_rw_t... but that'll get overwritten by restorecon? And will it be inherited by files that get created in there? What is the best fix for this, please?
As usual, I'm missing something here...

[root@dwoodhou-mobl3 dwoodhou]# semanage fcontext -l -C
SELinux fcontext                 type        Context
/home/dwoodhou/\.IBMERS          directory   system_u:object_r:mozilla_plugin_rw_t:s0
/home/dwoodhou/\.IBMERS/.*       all files   system_u:object_r:mozilla_plugin_rw_t:s0

[root@dwoodhou-mobl3 dwoodhou]# ls -laRZ .IBMERS
.IBMERS:
drwxr-xr-x. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 .
drwxr-xr-x. dwoodhou dwoodhou unconfined_u:object_r:user_home_dir_t:s0 ..
drwxr-xr-x. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 Expense-Report-Solutions

.IBMERS/Expense-Report-Solutions:
drwxr-xr-x. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 .
drwxr-xr-x. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 ..
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 config.pro
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 Exc.cab
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 exc.html
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 Exc.jar
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 Exc.props
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 lang.pro
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 local.pro
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 prefill.pro
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 user.pro
-rw-rw-r--. dwoodhou dwoodhou unconfined_u:object_r:mozilla_plugin_rw_t:s0 write.props

[root@dwoodhou-mobl3 dwoodhou]# grep java /var/log/audit/audit.log | tail -6
type=AVC msg=audit(1372515899.189:1746): avc: denied { name_connect } for pid=27056 comm="java" dest=912 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372515899.189:1746): arch=c000003e syscall=42 success=no exit=-13 a0=31 a1=7f8efca63880 a2=1c a3=2a0 items=0 ppid=26589 pid=27056 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=30 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1372515899.678:1747): avc: denied { name_connect } for pid=27056 comm="java" dest=912 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372515899.678:1747): arch=c000003e syscall=42 success=no exit=-13 a0=32 a1=7f8efca63880 a2=1c a3=2b2 items=0 ppid=26589 pid=27056 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=30 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1372515900.017:1748): avc: denied { write } for pid=27056 comm="java" name="write.props" dev="vda3" ino=1839510 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_plugin_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1372515900.017:1748): arch=c000003e syscall=2 success=no exit=-13 a0=7f8edc002880 a1=241 a2=1b6 a3=522d65736e657078 items=0 ppid=26589 pid=27056 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=30 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
mozilla_home_t will be better labeling.

# chcon -R -t mozilla_home_t /home/dwoodhou/.IBMERS

+

# setsebool -P mozilla_plugin_can_network_connect 1

commit b40b9a01a9a2c72815062d477724ee4ecbda1754
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jul 1 12:46:37 2013 +0200

    Add support for HOME_DIR/.IBMERS
Thanks. Will that survive relabelling, or do I need to update to an selinux policy containing your latest commit before I can expect that? Also, is there a way to allow the mozilla plugin to *create* ~/.IBMERS if it doesn't exist, for the general case? I'm working on provisioning Linux boxes for deployment to our users, and if I can make it "just work" rather than having to pre-create and pre-label the directory, that would be much nicer. Did I miss a way to use 'selabel fcontext' to apply a label to ~/.IBMERS for *all* home directories? We do *have* that support, but I couldn't see how to tweak those rules on the system itself.
https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=b40b9a0

+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "IBMERS")

s/IBMERS/.IBMERS/ ?
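Review bot: the name argument in the added userdom_user_home_dir_filetrans() call is "IBMERS", but the directory the application creates (and the path the fcontext rule in this commit covers) is HOME_DIR/.IBMERS with a leading dot; as written the transition rule only fires for a directory literally named IBMERS, so a freshly created ~/.IBMERS would still get the default home-directory type. Change it to `userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")`.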
Ah, thanks. Fixed.
David, if you do

# matchpathcon ~/.IBMERS

It will show you the default label.

Once Miroslav pushes an update, it should survive a relabel. The chcon will not survive for now.

Git now has

grep IBM *
mozilla.fc:HOME_DIR/.IBMERS(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
mozilla.if:	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")

Which should do the correct thing.
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-59.fc19
Package selinux-policy-3.12.1-59.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
I don't appear to need the mozilla_plugin_can_network_connect setting. No idea why. It mostly just works out of the box with the updated policy. Thanks.

However, *printing* from the expenses tool doesn't work:

type=SELINUX_ERR msg=audit(1375288137.700:789): security_compute_sid: invalid context unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1375288137.700:789): arch=c000003e syscall=59 success=yes exit=0 a0=7f8698032bc0 a1=7f869802cef0 a2=7f87440d4c10 a3=33 items=0 ppid=25776 pid=2495 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=1 tty=(none) comm="lpr" exe="/usr/bin/lpr.cups" subj=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1375288137.704:790): security_compute_sid: invalid context unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SELINUX_ERR msg=audit(1375288137.704:790): security_compute_sid: invalid context unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1375288137.704:790): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=1 a2=0 a3=7fffc8c663e0 items=0 ppid=25776 pid=2495 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=1 tty=(none) comm="lpr" exe="/usr/bin/lpr.cups" subj=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 key=(null)
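The thread shows three shapes of SELinux audit record, each of which ended up with a different remedy: the name_connect denials on a port type (addressed with a boolean), the write denial on a file whose type the plugin domain cannot write (addressed by relabeling to mozilla_home_t), and the SELINUX_ERR invalid-context records on the lpr transition (a policy defect in role handling). The following script is an added illustration, not part of selinux-policy or of any tool mentioned in this bug: it parses records of those three shapes into their security contexts and groups them by the class of remedy they usually point at. The sample records are abbreviated copies of the ones quoted in the comments above; the classification is a triage heuristic I wrote for this example, not an authoritative mapping.

```python
"""Triage SELinux audit records (AVC denials and SELINUX_ERR) by remedy class.

Added example for this bug thread; not part of selinux-policy or audit2allow.
The remedy classes are a heuristic based on how each record shape in the
thread was resolved, not an authority on what a given denial needs.
"""
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of records quoted earlier in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1372515899.189:1746): avc: denied { name_connect } for pid=27056 comm="java" dest=912 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372515899.189:1746): arch=c000003e syscall=42 success=no exit=-13 comm="java"
type=AVC msg=audit(1372515900.017:1748): avc: denied { write } for pid=27056 comm="java" name="write.props" dev="vda3" ino=1839510 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_plugin_rw_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1375288137.700:789): security_compute_sid: invalid context unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=process
"""

# user:role:type[:range]  -- the range may itself contain colons (s0-s0:c0.c1023)
CONTEXT_RE = re.compile(r"(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<range>\S+))?")
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
ERR_RE = re.compile(
    r"type=SELINUX_ERR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): security_compute_sid:\s+"
    r"invalid context (?P<invalid>\S+) for (?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_fields(text):
    """Turn 'pid=1 comm="java" ...' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one AVC or SELINUX_ERR line; other record types yield None."""
    m = AVC_RE.match(line)
    if m:
        f = parse_fields(m.group("fields"))
        return {"kind": "AVC", "serial": int(m.group("serial")),
                "perms": m.group("perms").split(),
                "comm": f.get("comm"), "name": f.get("name"),
                "stype": CONTEXT_RE.match(f["scontext"]).group("type"),
                "ttype": CONTEXT_RE.match(f["tcontext"]).group("type"),
                "tclass": f["tclass"]}
    m = ERR_RE.match(line)
    if m:
        f = parse_fields(m.group("fields"))
        return {"kind": "SELINUX_ERR", "serial": int(m.group("serial")), "perms": [],
                "invalid": CONTEXT_RE.match(m.group("invalid")).groupdict(),
                "stype": CONTEXT_RE.match(f["scontext"]).group("type"),
                "ttype": CONTEXT_RE.match(f["tcontext"]).group("type"),
                "tclass": f["tclass"]}
    return None  # SYSCALL, CWD, PATH and friends are not needed for triage


def classify(rec):
    """Heuristic remedy class for a record, following how the thread resolved each shape."""
    if rec["kind"] == "SELINUX_ERR":
        # The kernel refused to build the new context: the role/type pair is not
        # permitted by policy, which is a policy fix, not something a user can label.
        return "policy: role transition"
    if rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"]:
        return "boolean: network access"      # e.g. mozilla_plugin_can_network_connect
    if rec["tclass"] in {"file", "dir", "lnk_file"}:
        return "labeling: file type"          # wrong type on the object, fix with fcontext
    return "other"


def triage(audit_text):
    """Group parsed records by remedy class: {class: [(serial, stype, ttype, tclass, perms)]}."""
    groups = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        groups[classify(rec)].append(
            (rec["serial"], rec["stype"], rec["ttype"], rec["tclass"], tuple(rec["perms"])))
    return dict(groups)


if __name__ == "__main__":
    for remedy, items in triage(SAMPLE_AUDIT).items():
        print(remedy)
        for serial, stype, ttype, tclass, perms in items:
            print(f"  #{serial}: {stype} -> {ttype} ({tclass}) {' '.join(perms) or '-'}")
```

Run against a real /var/log/audit/audit.log the "labeling" bucket is the one to compare against `matchpathcon` output: if the object's current type differs from the default label, `restorecon` will undo a `chcon`, so the fix belongs in an fcontext rule rather than on the file.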
The handling of roles in mozilla_plugin_t is broken. 7df86a643e29a1f581fc4c2f11bfee4a531b9f23 fixes this in git.
https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=7df86a64 doesn't seem to be the right place to look...
Added to F19. Will be a part of the next build.