mozilla-1.7 startup, lib_t vs. shlib_t?
Tom London
selinux at comcast.net
Thu Jul 22 17:20:12 UTC 2004
[running latest FC3T1 w/ mods from devel tree, strict/enforcing]
When starting up mozilla as normal user, I noticed the following avc's:
Jul 22 06:58:24 fedora kernel: audit(1090504704.981:0): avc: denied { execute } for pid=3527 path=/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so dev=hda2 ino=4279850 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:lib_t tclass=file
Jul 22 06:58:34 fedora kernel: audit(1090504714.317:0): avc: denied { execute } for pid=3517 path=/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so dev=hda2 ino=4279868 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:lib_t tclass=file
Jul 22 06:59:06 fedora kernel: audit(1090504746.751:0): avc: denied { read } for pid=3517 exe=/usr/lib/mozilla-1.7/mozilla-bin name=tmp dev=hda2 ino=4112506 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
The last of these describes an access to the link '/usr/tmp->../var/tmp'.
[I can't tell if this is 'breaking' anything, so I don't know if anything
needs to change here. Help anyone?]
The first 2 denials appear to interfere with plugins.
Going into permissive mode identifies the following list of
'java library executes' from scontext=user_u:user_r:user_mozilla_t:
/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so
/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so
/usr/java/j2sdk1.5.0/jre/lib/i386/native_threads/libhpi.so
/usr/java/j2sdk1.5.0/jre/lib/i386/libverify.so
/usr/java/j2sdk1.5.0/jre/lib/i386/libjava.so
/usr/java/j2sdk1.5.0/jre/lib/i386/libzip.so
I changed their contexts to 'system_u:object_r:shlib_t'
and plugins started working again.
The j2 entries in types.fc are:
/usr/java/j2.*/bin(/.*)? system_u:object_r:bin_t
/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
I admit to not really understanding what needs to be here.
Is it appropriate to change the second line to
/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:shlib_t
or something more specific to 1.5.0?
tom
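Added example (not part of Tom's post or the Fedora policy): a small re-implementation of file_contexts matching, using libselinux's rule that the last matching specification wins and that a `--` entry applies to regular files only. It runs the three types.fc lines quoted above against the denied paths, then appends a hypothetical entry (an assumption, not a policy change anyone in the thread proposed) that labels only the `.so` files under jre/lib/i386 as shlib_t, so the rest of that directory keeps lib_t.

```python
import re
from typing import List, Optional, Tuple

# The three j2 entries quoted from types.fc in the post.
TYPES_FC = r"""
/usr/java/j2.*/bin(/.*)? system_u:object_r:bin_t
/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
"""

# Hypothetical narrower alternative (assumption): only the shared objects under
# jre/lib/i386 become shlib_t; other files there stay lib_t.
CANDIDATE_ENTRY = r"/usr/java/j2.*/jre/lib(64)?/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t"

# file_contexts type specifiers -> object class they restrict the entry to.
FTYPE = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
         "-b": "blk_file", "-c": "chr_file", "-p": "fifo_file"}

Spec = Tuple[re.Pattern, Optional[str], str]


def parse_fc(text: str) -> List[Spec]:
    """Parse file_contexts lines into (compiled regex, file type or None, context)."""
    specs: List[Spec] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts[0], FTYPE[parts[1]], parts[2]
        else:
            regex, ftype, ctx = parts[0], None, parts[1]
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def matchpathcon(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    """Return the context for path: regexes are anchored and the LAST match wins."""
    for regex, want, ctx in reversed(specs):
        if regex.fullmatch(path) and (want is None or want == ftype):
            return ctx
    return None


def label_with_and_without_candidate(path: str) -> Tuple[Optional[str], Optional[str]]:
    """Context under the quoted types.fc, and with the candidate entry appended."""
    base = parse_fc(TYPES_FC)
    return matchpathcon(base, path), matchpathcon(base + parse_fc(CANDIDATE_ENTRY), path)


if __name__ == "__main__":
    for p in ["/usr/java/j2sdk1.5.0/jre/lib/i386/client/libjvm.so",
              "/usr/java/j2sdk1.5.0/jre/lib/i386/libjavaplugin_nscp.so",
              "/usr/java/j2sdk1.5.0/jre/lib/i386/jvm.cfg"]:  # last path is constructed
        print(p, label_with_and_without_candidate(p))
```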