Tom London wrote:
How about[running latest FC3T1 w/ mods from devel tree, strict/enforcing]
When starting up mozilla as normal user, I noticed the following avc's:
Jul 22 06:58:24 fedora kernel: audit(1090504704.981:0): avc: denied { execute } for pid=3527 path=/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so dev=hda2 ino=4279850 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:lib_t tclass=file
Jul 22 06:58:34 fedora kernel: audit(1090504714.317:0): avc: denied { execute } for pid=3517 path=/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so dev=hda2 ino=4279868 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:lib_t tclass=file
Jul 22 06:59:06 fedora kernel: audit(1090504746.751:0): avc: denied { read } for pid=3517 exe=/usr/lib/mozilla-1.7/mozilla-bin name=tmp dev=hda2 ino=4112506 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
The last of these describes an access to the link '/usr/tmp->../var/tmp'. [I can't tell if this is 'breaking' anything, so I don't know if anything needs to change here. Help anyone?]
The first 2 denials appear to interfere with plugins.
Going into permissive mode identifies the following list of 'java library executes' from scontext=user_u:user_r:user_mozilla_t: /usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so /usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so /usr/java/j2sdk1.5.0/jre/lib/i386/native_threads/libhpi.so /usr/java/j2sdk1.5.0/jre/lib/i386/libverify.so /usr/java/j2sdk1.5.0/jre/lib/i386/libjava.so /usr/java/j2sdk1.5.0/jre/lib/i386/libzip.so
I changed their contexts to 'system_u:object_r:shlib_t' and plugins started working again.
The j2 entries in types.fc are:
/usr/java/j2.*/bin(/.*)? system_u:object_r:bin_t
/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
I admit to not really understanding what needs to be here. Is it appropriate to change the second line to /usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:shlib_t or something more specific to 1.5.0?
/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
tom
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list