Re: mozilla-1.7 startup, lib_t vs. shlib_t?

Daniel J Walsh <dwalsh@xxxxxxxxxx> · Mon, 26 Jul 2004 13:45:41 -0400

Tom London wrote:

[running latest FC3T1 w/ mods from devel tree, strict/enforcing]

When starting up mozilla as normal user, I noticed the following avc's:

Jul 22 06:58:24 fedora kernel: audit(1090504704.981:0): avc:  denied  
{ execute } for  pid=3527 
path=/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so dev=hda2 
ino=4279850 scontext=user_u:user_r:user_mozilla_t 
tcontext=system_u:object_r:lib_t tclass=file

Jul 22 06:58:34 fedora kernel: audit(1090504714.317:0): avc:  denied  
{ execute } for  pid=3517 
path=/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so dev=hda2 
ino=4279868 scontext=user_u:user_r:user_mozilla_t 
tcontext=system_u:object_r:lib_t tclass=file

Jul 22 06:59:06 fedora kernel: audit(1090504746.751:0): avc:  denied  
{ read } for  pid=3517 exe=/usr/lib/mozilla-1.7/mozilla-bin name=tmp 
dev=hda2 ino=4112506 scontext=user_u:user_r:user_mozilla_t 
tcontext=system_u:object_r:tmp_t tclass=lnk_file

The last of these describes an access to the link '/usr/tmp->../var/tmp'.
[I can't tell if this is 'breaking' anything, so I don't know if anything
needs to change here.  Help anyone?]

The first 2 denials appear to interfere with plugins.

Going into permissive mode identifies the following list of
'java library executes' from scontext=user_u:user_r:user_mozilla_t:
   /usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/native_threads/libhpi.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libverify.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libjava.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libzip.so

I changed their contexts to 'system_u:object_r:shlib_t'
and plugins started working again.

The j2 entries in types.fc are:

/usr/java/j2.*/bin(/.*)?                system_u:object_r:bin_t

/usr/java/j2.*/jre/lib(64)?/i386(/.*)?  system_u:object_r:lib_t

/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- 
system_u:object_r:shlib_t

I admit to not really understanding what needs to be here.
Is it appropriate to change the second line to
/usr/java/j2.*/jre/lib(64)?/i386(/.*)?  system_u:object_r:shlib_t
or something more specific to 1.5.0?

How about

/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- 
system_u:object_r:shlib_t

tom

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list