mozilla-1.7 startup, lib_t vs. shlib_t?

Daniel J Walsh dwalsh at redhat.com
Mon Jul 26 17:45:41 UTC 2004


Tom London wrote:

> [running latest FC3T1 w/ mods from devel tree, strict/enforcing]
>
> When starting up mozilla as normal user, I noticed the following avc's:
>
> Jul 22 06:58:24 fedora kernel: audit(1090504704.981:0): avc:  denied  
> { execute } for  pid=3527 
> path=/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so dev=hda2 
> ino=4279850 scontext=user_u:user_r:user_mozilla_t 
> tcontext=system_u:object_r:lib_t tclass=file
> Jul 22 06:58:34 fedora kernel: audit(1090504714.317:0): avc:  denied  
> { execute } for  pid=3517 
> path=/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so dev=hda2 
> ino=4279868 scontext=user_u:user_r:user_mozilla_t 
> tcontext=system_u:object_r:lib_t tclass=file
> Jul 22 06:59:06 fedora kernel: audit(1090504746.751:0): avc:  denied  
> { read } for  pid=3517 exe=/usr/lib/mozilla-1.7/mozilla-bin name=tmp 
> dev=hda2 ino=4112506 scontext=user_u:user_r:user_mozilla_t 
> tcontext=system_u:object_r:tmp_t tclass=lnk_file
>
> The last of these describes an access to the link '/usr/tmp->../var/tmp'.
> [I can't tell if this is 'breaking' anything, so I don't know if anything
> needs to change here.  Help anyone?]
>
> The first 2 denials appear to interfere with plugins.
>
> Going into permissive mode identifies the following list of
> 'java library executes' from scontext=user_u:user_r:user_mozilla_t:
>    /usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so
>    /usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so
>    /usr/java/j2sdk1.5.0/jre/lib/i386/native_threads/libhpi.so
>    /usr/java/j2sdk1.5.0/jre/lib/i386/libverify.so
>    /usr/java/j2sdk1.5.0/jre/lib/i386/libjava.so
>    /usr/java/j2sdk1.5.0/jre/lib/i386/libzip.so
>
> I changed their contexts to 'system_u:object_r:shlib_t'
> and plugins started working again.
>
> The j2 entries in types.fc are:
> /usr/java/j2.*/bin(/.*)?                system_u:object_r:bin_t
> /usr/java/j2.*/jre/lib(64)?/i386(/.*)?  system_u:object_r:lib_t
> /usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
>
> I admit to not really understanding what needs to be here.
> Is it appropriate to change the second line to
> /usr/java/j2.*/jre/lib(64)?/i386(/.*)?  system_u:object_r:shlib_t
> or something more specific to 1.5.0?
>
How about
/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t

> tom
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
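
The following is an added illustration, not code from the thread or from the Fedora policy, of why the proposed `-- shlib_t` line is narrower than relabeling the whole jre/lib/i386 tree. It is a toy model of file_contexts matching, assuming the setfiles rules that regexes are anchored to the full path, a later entry overrides an earlier one, and a `--` qualifier restricts an entry to regular files; the directory and `jvm.cfg` sample paths are constructed.

```python
import re

# Entries copied from the types.fc excerpt in the thread:
# (regex, file-type qualifier or None, context).
TYPES_FC = [
    (r"/usr/java/j2.*/bin(/.*)?", None, "system_u:object_r:bin_t"),
    (r"/usr/java/j2.*/jre/lib(64)?/i386(/.*)?", None, "system_u:object_r:lib_t"),
    (r"/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)*", "--",
     "system_u:object_r:shlib_t"),
]
# Tom's question: relabel the entire jre/lib/i386 tree (replaces the lib_t entry).
TOM_LINE = (r"/usr/java/j2.*/jre/lib(64)?/i386(/.*)?", None,
            "system_u:object_r:shlib_t")
# Dan's reply: add a regular-file-only entry for the *.so files under the tree.
DAN_LINE = (r"/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)*", "--",
            "system_u:object_r:shlib_t")

# setfiles(8) file-type qualifiers modelled here (assumed subset).
QUALIFIERS = {"--": "file", "-d": "dir", "-l": "link"}


def match_context(path, ftype, entries):
    """Return the context of the last entry that matches path, or None.
    Simplified model: anchored regex, later entry wins, qualifier must agree."""
    result = None
    for regex, qual, ctx in entries:
        if qual is not None and QUALIFIERS[qual] != ftype:
            continue
        if re.fullmatch(regex, path):
            result = ctx
    return result


def label_samples(entries):
    """Label the two .so paths from the AVC messages plus two constructed
    paths (a directory and a non-library file); return {path: type}."""
    samples = [
        ("/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so", "file"),
        ("/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so", "file"),
        ("/usr/java/j2sdk1.5.0/jre/lib/i386/client", "dir"),    # constructed
        ("/usr/java/j2sdk1.5.0/jre/lib/i386/jvm.cfg", "file"),  # constructed
    ]
    return {p: (match_context(p, t, entries) or "?").split(":")[-1]
            for p, t in samples}


TOMS_FC = [TOM_LINE if e[2].endswith(":lib_t") else e for e in TYPES_FC]
DANS_FC = TYPES_FC + [DAN_LINE]

if __name__ == "__main__":
    for name, fc in (("original", TYPES_FC), ("tom", TOMS_FC), ("dan", DANS_FC)):
        print(name, label_samples(fc))
```

With the original entries every sample is lib_t (hence the execute denials); Tom's line turns the directory and jvm.cfg into shlib_t as well, while Dan's line changes only the two shared objects.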