Troubleshooting Oracle Java 7 with Firefox
Solution 1:
I was experiencing the exact same problem running Ubuntu Precise. I'm running Proxmox on a server, and their java viewer requires Oracle java and does not work with icedtea. I installed the latest java 7 from http://www.webupd8.org, but could not get it to work with Firefox. I did discover that java did work in the Opera browser.
When I saw your message and saw the issue with permissions, I thought ahhah! apparmor. Sure enough the kern.log shows:
/var/log/kern.log
Aug 1 09:54:50 laptop kernel: [42653.495082] type=1400 audit(1375368890.811:81): apparmor="DENIED" operation="exec" parent=22495 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-oracle/jre/bin/java" pid=22507 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 1 09:56:38 laptop kernel: [42761.283499] type=1400 audit(1375368998.599:82): apparmor="DENIED" operation="exec" parent=22812 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-oracle/jre/bin/java" pid=22824 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 1 10:11:51 laptop kernel: [43674.436828] type=1400 audit(1375369911.752:83): apparmor="DENIED" operation="exec" parent=23255 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-oracle/jre/bin/java" pid=23267 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
I set apparmor to complain mode
sudo aa-complain /usr/bin/firefox
sudo service apparmor reload
and it started working
Then when I reset apparmor to enforce mode
sudo aa-enforce /usr/bin/firefox
sudo service apparmor reload
it unexpectedly continued to work. I suspect the apparmor reload cleared a cache file that wasn't getting cleared by the many reboots I've done while looking for the cause.
Addition: After playing around awhile, I found that processes started in complain mode, remain in complain mode even after the profile is switched to enforce mode.
Update the apparmor profile for firefox (or other browsers) in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java
# Under Java plugin, add two lines:
/usr/lib/jvm/java-*-oracle/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-oracle/jre/lib/*/libnp*.so cx -> browser_java,
# before the lines:
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
# In the browser_java profile, add two lines:
/usr/lib/jvm/java-*-oracle/jre/bin/java{,_vm} ix,
/usr/lib/jvm/java-*-oracle/jre/lib/i386/client/classes.jsa m,
# before the lines:
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
Then restart apparmor:
sudo service apparmor restart
When testing, I found it was necessary to reload or restart apparmor after each profile change and then restart the browser. Several times I was fooled into thinking a change was working only to have it fail after a few hours. I'm still receiving a few apparmor messages when running the java browser test, but none seem to prevent it from working.