SELinux strict policy: selinux-policy-strict-sources-1.27.1-2.16 has a problem with the Sun Java Plugin to Firefox in this RPM:

    jre-1.5.0_06-fcs.i586.rpm

I'm reasonably sure that the SELinux policy used to work with the Sun Java 1.4.2 plugin. As best I can judge, an earlier SELinux policy upgrade broke the functionality; the issue only came to light when I upgraded and tested the later Java 1.5 RPM on my workstation. FWIW, Java 1.4.2 also breaks without the fixup.

As best I can judge, no extra tweaks of boolean settings - with the possible exception of disable_mozilla_trans itself - provide an alternative fixup. My current boolean settings which appear to be Browser/Java relevant:

[root@workstation policy]# getsebool -a | egrep 'content|mozilla|java|exec' | grep -v httpd
allow_execmem --> active
allow_execmod --> active
allow_execstack --> inactive
allow_java_execstack --> inactive
allow_mplayer_execstack --> inactive
cdrecord_read_content --> active
disable_mozilla_trans --> inactive
mail_read_content --> active
mozilla_read_content --> inactive
read_untrusted_content --> active
write_untrusted_content --> active
[root@workstation policy]#

Using the test page at "http://javatester.org", I've tweaked my SELinux policy to stop Firefox crashing when SELinux is enforcing. The fixup below allows the Firefox process itself to create this socket:

    /tmp/jpsock.150_06.<pidno>

and then lets the Java VM process talk to it:

[root@workstation misc]# tail -20 localpolicy.te
...
# Java Socket problem fixup
type_transition user_mozilla_t tmp_t:sock_file user_untrusted_content_tmp_t;
allow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };
auditallow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };
allow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };
auditallow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };
....

Presumably a more complete macro fix would change either mozilla_domain itself:

define(`mozilla_domain',
...
######### Java plugin
ifdef(`java.te', `
type_transition $1_mozilla_t tmp_t:sock_file $1_untrusted_content_tmp_t;
allow $1_mozilla_t { $1_untrusted_content_tmp_t }:sock_file { create getattr setattr read write unlink };
allow $1_mozilla_javaplugin_t { $1_untrusted_content_tmp_t }:sock_file { getattr read write };
javaplugin_domain($1_mozilla, $1)
') dnl java.te
...

or the javaplugin_domain macro itself with:

define(`javaplugin_domain',`
...
type_transition $1_t tmp_t:sock_file $2_untrusted_content_tmp_t;
allow $1_t { $2_untrusted_content_tmp_t }:sock_file { create getattr setattr read write unlink };
allow $1_javaplugin_t { $2_untrusted_content_tmp_t }:sock_file { getattr read write };
...

Ted

Firefox startup and Java related messages:

Dec 23 15:24:19 workstation kernel: audit(1135351459.515:529): avc: granted { create } for pid=6022 comm="firefox-bin" name="jpsock.150_06.6022" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:530): avc: granted { setattr } for pid=6022 comm="firefox-bin" name="jpsock.150_06.6022" dev=hda10 ino=33 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.551:531): avc: denied { execute } for pid=6042 comm="java_vm" name="classes.jsa" dev=hda6 ino=652990 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=root:object_r:lib_t tclass=file
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:532): avc: denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8 ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:533): avc: denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8 ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.483:534): avc: granted { execmem } for pid=6022 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
Dec 23 15:24:20 workstation kernel: audit(1135351460.487:535): avc: granted { write } for pid=6042 comm="java_vm" name="jpsock.150_06.6022" dev=hda10 ino=33 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:20 workstation kernel: audit(1135351460.655:536): avc: denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8 ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.655:537): avc: denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8 ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:23 workstation kernel: audit(1135351463.767:538): avc: denied { listen } for pid=6064 comm="java_vm" scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:user_r:user_mozilla_javaplugin_t tclass=tcp_socket

--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
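The AVC messages in the post are the evidence the fixup rests on: the `granted` sock_file lines come from the `auditallow` statements in localpolicy.te and confirm the two new allow rules are actually exercised, while the remaining `denied` lines show what the fixup does not cover. The following script is an added example, not part of Ted's post or of the Fedora policy sources: it parses those AVC lines (embedded below as sample input, taken from the post), groups them by source type, target type and object class, proposes allow rules for the denials in the same `.te` syntax the post uses, and checks which events the post's two sock_file rules account for. It does in a few dozen lines what `audit2allow` does more completely; the rule parser only understands the plain `allow S T:C { perms };` form seen above.

```python
import re
from collections import defaultdict

# AVC messages copied from the post (one per line), used as sample input.
AVC_LOG = """
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:529): avc: granted { create } for pid=6022 comm="firefox-bin" name="jpsock.150_06.6022" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:530): avc: granted { setattr } for pid=6022 comm="firefox-bin" name="jpsock.150_06.6022" dev=hda10 ino=33 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.551:531): avc: denied { execute } for pid=6042 comm="java_vm" name="classes.jsa" dev=hda6 ino=652990 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=root:object_r:lib_t tclass=file
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:532): avc: denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8 ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.483:534): avc: granted { execmem } for pid=6022 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
Dec 23 15:24:20 workstation kernel: audit(1135351460.487:535): avc: granted { write } for pid=6042 comm="java_vm" name="jpsock.150_06.6022" dev=hda10 ino=33 scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:23 workstation kernel: audit(1135351463.767:538): avc: denied { listen } for pid=6064 comm="java_vm" scontext=user_u:user_r:user_mozilla_javaplugin_t tcontext=user_u:user_r:user_mozilla_javaplugin_t tclass=tcp_socket
""".strip().splitlines()

# The two allow rules from the localpolicy.te fixup in the post.
FIXUP_RULES = [
    "allow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };",
    "allow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };",
]

AVC_RE = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Plain `allow S T:C { perms };`, with or without braces around T.
RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+\{?\s*(\w+)\s*\}?:(\w+)\s+\{\s*([^}]*)\}\s*;")


def type_of(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (decision, source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return (m.group("decision"), type_of(fields["scontext"]),
            type_of(fields["tcontext"]), fields["tclass"],
            frozenset(m.group("perms").split()))


def parse_rule(rule):
    """Parse an allow rule into (source type, target type, class, perms)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a plain allow rule: " + rule)
    return m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split())


def summarize(lines):
    """Union of permissions per (decision, source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[rec[:4]] |= rec[4]
    return {key: frozenset(perms) for key, perms in groups.items()}


def proposed_rules(lines):
    """Candidate allow rules for the denials, in the .te syntax of the post.
    They are proposals to review (does java_vm really need execute on lib_t?),
    not rules to load as they stand."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
            for (d, s, t, c), perms in sorted(summarize(lines).items())
            if d == "denied"]


def uncovered(lines, rules):
    """Events (decision, S, T, C, perms) that none of `rules` allows in full.
    Granted events listed here are permitted by some other rule in the loaded
    policy; denied events listed here are what the fixup does not address."""
    parsed = [parse_rule(r) for r in rules]
    return [(d, s, t, c, perms)
            for (d, s, t, c), perms in sorted(summarize(lines).items())
            if not any(s == rs and t == rt and c == rc and perms <= rp
                       for rs, rt, rc, rp in parsed)]


if __name__ == "__main__":
    for rule in proposed_rules(AVC_LOG):
        print(rule)
    for event in uncovered(AVC_LOG, FIXUP_RULES):
        print("not covered by fixup:", event)
```

Run against the post's messages, the script confirms that every granted sock_file event is covered by the two fixup rules, and leaves three denials for the reader to judge separately: `execute` on `classes.jsa` (lib_t), `search` of `~/.icons` (user_home_t), and `listen` on a tcp_socket, none of which the socket fixup is meant to address.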