Re: mozilla-1.7 startup, lib_t vs. shlib_t?

Tom London wrote:

[running latest FC3T1 w/ mods from devel tree, strict/enforcing]

When starting up mozilla as normal user, I noticed the following avc's:

Jul 22 06:58:24 fedora kernel: audit(1090504704.981:0): avc: denied { execute } for pid=3527 path=/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so dev=hda2 ino=4279850 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:lib_t tclass=file
Jul 22 06:58:34 fedora kernel: audit(1090504714.317:0): avc: denied { execute } for pid=3517 path=/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so dev=hda2 ino=4279868 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:lib_t tclass=file
Jul 22 06:59:06 fedora kernel: audit(1090504746.751:0): avc: denied { read } for pid=3517 exe=/usr/lib/mozilla-1.7/mozilla-bin name=tmp dev=hda2 ino=4112506 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:tmp_t tclass=lnk_file


The last of these describes an access to the link '/usr/tmp->../var/tmp'.
[I can't tell if this is 'breaking' anything, so I don't know if anything
needs to change here.  Help anyone?]

The first 2 denials appear to interfere with plugins.

Going into permissive mode identifies the following list of
'java library executes' from scontext=user_u:user_r:user_mozilla_t:
   /usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/native_threads/libhpi.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libverify.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libjava.so
   /usr/java/j2sdk1.5.0/jre/lib/i386/libzip.so

I changed their contexts to 'system_u:object_r:shlib_t'
and plugins started working again.

The j2 entries in types.fc are:
/usr/java/j2.*/bin(/.*)? system_u:object_r:bin_t
/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t


I admit to not really understanding what needs to be here.
Is it appropriate to change the second line to
/usr/java/j2.*/jre/lib(64)?/i386(/.*)?  system_u:object_r:shlib_t
or something more specific to 1.5.0?

How about
/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t


tom
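To see how the quoted types.fc patterns actually resolve for the libraries in the denials, here is an added example (not from the post or the Fedora policy) that models file_contexts matching the way matchpathcon does: each regex is anchored at both ends, the optional type flag (here `--`, regular files only) must agree with the file type, and the last matching entry wins. It assumes the entries are already in the specificity order the policy build gives them, and `jvm.cfg` and `libfoo.so` are constructed paths used only to show the boundaries of the rules.

```python
import re
import stat

# Rules: the three types.fc entries quoted in the post plus, kept separate,
# the .so-only rule proposed there.  Middle field is the optional file-type
# flag ("--" = regular files only; None = any file type).
TYPES_FC = [
    (r"/usr/java/j2.*/bin(/.*)?", None, "system_u:object_r:bin_t"),
    (r"/usr/java/j2.*/jre/lib(64)?/i386(/.*)?", None, "system_u:object_r:lib_t"),
    (r"/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)*", "--",
     "system_u:object_r:shlib_t"),
]
PROPOSED_SO_RULE = (r"/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)*",
                    "--", "system_u:object_r:shlib_t")

# file_contexts type flags mapped to the st_mode file types they select.
FLAG_MODES = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-b": stat.S_IFBLK, "-c": stat.S_IFCHR, "-p": stat.S_IFIFO,
              "-s": stat.S_IFSOCK}

def compile_specs(specs):
    """Anchor every regex at both ends, as matchpathcon does ("^...$")."""
    return [(re.compile("^" + rx + "$"), FLAG_MODES.get(flag), ctx)
            for rx, flag, ctx in specs]

def matchpathcon(specs, path, mode=stat.S_IFREG):
    """Context of the last matching spec, or None if nothing matches.

    libselinux walks the specificity-sorted list backwards and stops at the
    first hit, so a later (more specific) entry overrides an earlier one.
    """
    for rx, want_type, ctx in reversed(specs):
        if want_type is not None and want_type != stat.S_IFMT(mode):
            continue  # a type flag is present and the file type differs
        if rx.match(path):
            return ctx
    return None

def label(path, with_proposed=False, mode=stat.S_IFREG):
    """Label PATH under the quoted rules, optionally plus the proposed one."""
    specs = TYPES_FC + ([PROPOSED_SO_RULE] if with_proposed else [])
    return matchpathcon(compile_specs(specs), path, mode)

if __name__ == "__main__":
    # libjvm.so is from the denials; jvm.cfg is a constructed non-library path.
    for p in ["/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so",
              "/usr/java/j2sdk1.5.0/jre/lib/i386/jvm.cfg"]:
        print(f"{p}\n  current:  {label(p)}\n  proposed: {label(p, True)}")
```

Because the proposed rule carries `--`, a symlink named `*.so` under `jre/lib/i386` is not matched by it and keeps `lib_t`; only the regular-file targets get `shlib_t`.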

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list