Sun Java browser plugin fixup

Ted Rule ejtr at layer3.co.uk
Wed Dec 28 16:58:51 UTC 2005


SELinux strict policy:

	selinux-policy-strict-sources-1.27.1-2.16

has a problem with the Sun Java Plugin to Firefox in this RPM:

	jre-1.5.0_06-fcs.i586.rpm

I'm reasonably sure that the SELinux policy used to work with the Sun
Java 1.4.2 plugin. As best I can judge, an earlier SELinux policy
upgrade broke the functionality; the issue only came to light when I
upgraded and tested the later Java 1.5 RPM on my workstation. FWIW, Java
1.4.2 also breaks without the fixup.

As best I can judge, no extra tweaks of boolean settings - with the
possible exception of disable_mozilla_trans itself - provide an
alternative fixup.

My current boolean settings which appear to be Browser/Java relevant:

[root at workstation policy]# getsebool -a | egrep 'content|mozilla|java|exec' | grep -v httpd
allow_execmem --> active
allow_execmod --> active
allow_execstack --> inactive
allow_java_execstack --> inactive
allow_mplayer_execstack --> inactive
cdrecord_read_content --> active
disable_mozilla_trans --> inactive
mail_read_content --> active
mozilla_read_content --> inactive
read_untrusted_content --> active
write_untrusted_content --> active
[root at workstation policy]#

Using the test page at "http://javatester.org", I've tweaked my SELinux
policy to stop Firefox crashing when SELinux is enforcing.

The fixup below allows the Firefox process itself to create this socket:

    /tmp/jpsock.150_06.<pidno>

and then lets the Java VM process talk to it:

[root at workstation misc]# tail -20 localpolicy.te
...
# Java Socket problem fixup
type_transition user_mozilla_t tmp_t:sock_file user_untrusted_content_tmp_t;
allow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };
auditallow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };
allow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };
auditallow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };
...


Presumably a more complete macro fix would change either mozilla_domain
itself:

define(`mozilla_domain',
...
######### Java plugin
ifdef(`java.te', `
type_transition $1_mozilla_t tmp_t:sock_file $1_untrusted_content_tmp_t;
allow $1_mozilla_t { $1_untrusted_content_tmp_t }:sock_file
			{ create getattr setattr read write unlink };
allow $1_mozilla_javaplugin_t { $1_untrusted_content_tmp_t }:sock_file
			{ getattr read write };
javaplugin_domain($1_mozilla, $1)
') dnl java.te
...


or the javaplugin_domain macro itself with:

define(`javaplugin_domain',`
...
type_transition $1_t tmp_t:sock_file $2_untrusted_content_tmp_t;
allow $1_t { $2_untrusted_content_tmp_t }:sock_file
			{ create getattr setattr read write unlink };
allow $1_javaplugin_t { $2_untrusted_content_tmp_t }:sock_file
			{ getattr read write };
...



Ted



Firefox startup and Java-related messages:

Dec 23 15:24:19 workstation kernel: audit(1135351459.515:529): avc:
granted  { create } for  pid=6022 comm="firefox-bin"
name="jpsock.150_06.6022" scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:530): avc:
granted  { setattr } for  pid=6022 comm="firefox-bin"
name="jpsock.150_06.6022" dev=hda10 ino=33
scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.551:531): avc:
denied  { execute } for  pid=6042 comm="java_vm" name="classes.jsa"
dev=hda6 ino=652990 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=root:object_r:lib_t tclass=file
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:532): avc:
denied  { search } for  pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:533): avc:
denied  { search } for  pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.483:534): avc:
granted  { execmem } for  pid=6022 comm="firefox-bin"
scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:user_r:user_mozilla_t tclass=process
Dec 23 15:24:20 workstation kernel: audit(1135351460.487:535): avc:
granted  { write } for  pid=6042 comm="java_vm"
name="jpsock.150_06.6022" dev=hda10 ino=33
scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:20 workstation kernel: audit(1135351460.655:536): avc:
denied  { search } for  pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.655:537): avc:
denied  { search } for  pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:23 workstation kernel: audit(1135351463.767:538): avc:
denied  { listen } for  pid=6064 comm="java_vm"
scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:user_r:user_mozilla_javaplugin_t tclass=tcp_socket



-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
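As an added example, not part of Ted's post: a small Python triage script for mailer-wrapped AVC records like the ones above. It re-joins the wrapped syslog lines, separates the granted records (which the fixup's auditallow rules produce, confirming the new sock_file path is actually exercised) from the remaining denials, and renders the denials in the allow-rule form audit2allow would print, for review. The sample records are excerpted from the post; the function names are this example's own.

```python
import re

# Records excerpted from the post above (a constructed sample, not a full log).
# The mailer wrapped each syslog record over several lines; undo that first.
SAMPLE_LOG = """\
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:529): avc:
granted  { create } for  pid=6022 comm="firefox-bin"
name="jpsock.150_06.6022" scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.551:531): avc:
denied  { execute } for  pid=6042 comm="java_vm" name="classes.jsa"
dev=hda6 ino=652990 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=root:object_r:lib_t tclass=file
Dec 23 15:24:23 workstation kernel: audit(1135351463.767:538): avc:
denied  { listen } for  pid=6064 comm="java_vm"
scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:user_r:user_mozilla_javaplugin_t tclass=tcp_socket
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc: +(granted|denied) +\{ ([^}]+)\} for .*?"
                 r"scontext=(\S+) +tcontext=(\S+) +tclass=(\S+)")

def unwrap(text):
    """Re-join records: a line without a syslog timestamp continues the last."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Group permissions by (source type, target type, class), split into the
    'granted' set (the fixup's auditallow rules firing) and the 'denied' set."""
    out = {"granted": {}, "denied": {}}
    for m in filter(None, map(AVC.search, unwrap(text))):
        verdict, perms, sctx, tctx, tclass = m.groups()
        # the type is the third field of a context (user:role:type[:level])
        key = (sctx.split(":")[2], tctx.split(":")[2], tclass)
        out[verdict].setdefault(key, set()).update(perms.split())
    return out

def candidate_rules(text):
    """Render each denial group as the allow rule audit2allow would print;
    each still needs review, since a boolean may be the better answer."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(text)["denied"].items())]
```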
