Troubleshooting Oracle Java 7 with Firefox

Solution 1:

I was experiencing the exact same problem running Ubuntu Precise. I'm running Proxmox on a server, and their java viewer requires Oracle java and does not work with icedtea. I installed the latest java 7 from http://www.webupd8.org, but could not get it to work with Firefox. I did discover that java did work in the Opera browser.

When I saw your message and saw the issue with permissions, I thought ahhah! apparmor. Sure enough the kern.log shows:

/var/log/kern.log

Aug  1 09:54:50 laptop kernel: [42653.495082] type=1400 audit(1375368890.811:81): apparmor="DENIED" operation="exec" parent=22495 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-oracle/jre/bin/java" pid=22507 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug  1 09:56:38 laptop kernel: [42761.283499] type=1400 audit(1375368998.599:82): apparmor="DENIED" operation="exec" parent=22812 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-oracle/jre/bin/java" pid=22824 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug  1 10:11:51 laptop kernel: [43674.436828] type=1400 audit(1375369911.752:83): apparmor="DENIED" operation="exec" parent=23255 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-oracle/jre/bin/java" pid=23267 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I set apparmor to complain mode

sudo aa-complain /usr/bin/firefox
sudo service apparmor reload

and it started working

Then when I reset apparmor to enforce mode

sudo aa-enforce /usr/bin/firefox
sudo service apparmor reload

it unexpectedly continued to work. I suspect the apparmor reload cleared a cache file that wasn't getting cleared by the many reboots I've done while looking for the cause.

Addition: After playing around awhile, I found that processes started in complain mode, remain in complain mode even after the profile is switched to enforce mode.

Update the apparmor profile for firefox (or other browsers) in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java

# Under Java plugin, add two lines:
  /usr/lib/jvm/java-*-oracle/jre/bin/java{,_vm} cx -> browser_java,
  /usr/lib/jvm/java-*-oracle/jre/lib/*/libnp*.so cx -> browser_java,
# before the lines:
  /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
  /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,

# In the browser_java profile, add two lines:
  /usr/lib/jvm/java-*-oracle/jre/bin/java{,_vm} ix,
  /usr/lib/jvm/java-*-oracle/jre/lib/i386/client/classes.jsa m,
# before the lines:
  /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
  /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,

Then restart apparmor:

sudo service apparmor restart

When testing, I found it was necessary to reload or restart apparmor after each profile change and then restart the browser. Several times I was fooled into thinking a change was working only to have it fail after a few hours. I'm still receiving a few apparmor messages when running the java browser test, but none seem to prevent it from working.