Bug 1249430
Summary: ocf:heartbeat:tomcat resource agents failed in SELinux enforcing mode

Field | Value | Field | Value
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Naoya Hashimoto <nhashimo>
Component: | resource-agents | Assignee: | Oyvind Albrigtsen <oalbrigt>
Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe>
Severity: | high | Docs Contact: |
Priority: | unspecified | |
Version: | 7.1 | CC: | agk, cluster-maint, jkortus, jruemker, lvrabec, mgrepl, mmalik, mnovacek, nhashimo, oalbrigt, plautrba, pvrabec, rik.theys, ssekidde, tlavigne
Target Milestone: | rc | Keywords: | ZStream
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | resource-agents-3.9.5-82.el7 | Doc Type: | Bug Fix
Story Points: | --- | |
Clone Of: | 1234276 | |
: | 1280319 1394293 | Environment: |
Last Closed: | 2016-11-03 23:58:04 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1280319, 1394293 | |
Attachments: | | |

Doc Text:
Cause: Tomcat failed to start from the resource agent when in SELinux enforced mode.
Consequence: Tomcat failed to start.
Fix: Use runuser instead of su when available.
Result: Tomcat starts fine in SELinux enforced mode.
Description
Naoya Hashimoto
2015-08-03 00:08:19 UTC
Created attachment 1092682
Working patch
Tested and attached working patch from upstream.

qaack: usual cluster tests should pass with selinux in enforcing mode for this agent

Before:

```
# rpm -q resource-agents
resource-agents-3.9.5-54.el7_2.6.x86_64
# pcs resource enable Tomcat
# tail -f /var/log/audit/audit.log
...
type=USER_AUTH msg=audit(1450704996.027:124): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:authentication acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1450704996.027:125): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:accounting acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1450704996.041:126): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450704996.041:127): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450704996.122:128): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
```

After:

```
# rpm -q resource-agents
resource-agents-3.9.5-61.el7.x86_64
# pcs resource enable Tomcat
# tail -f /var/log/audit/audit.log
...
type=USER_START msg=audit(1450946772.674:53): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450946772.674:54): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450946772.741:55): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1450946772.741:56): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_close acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
```

Tested and working patch for systemd to make it work with the latest Tomcat version:
https://github.com/ClusterLabs/resource-agents/pull/846

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2174.html

*** Bug 1383922 has been marked as a duplicate of this bug. ***
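One way to run the before/after comparison above against an audit log after updating the package, as an added example that is not part of the bug report or the resource-agents project: it groups PAM operations for the `tomcat` account by executable when the caller runs in the `cluster_t` domain. The function names are hypothetical and the sample records are constructed to mirror the shape of the quoted lines.

```python
import re
from collections import defaultdict

# PAM records written by su/runuser: record type, SELinux domain of the
# caller, PAM operation, target account and the executable that ran it.
RECORD = re.compile(
    r"type=(?P<type>\w+) .*?subj=[^:\s]+:[^:\s]+:(?P<domain>[^:\s]+)\S* "
    r"msg='op=PAM:(?P<op>\w+) acct=\"(?P<acct>[^\"]+)\" exe=\"(?P<exe>[^\"]+)\""
)

def pam_ops_by_exe(log_text, acct="tomcat", domain="cluster_t"):
    """Map executable path -> ordered PAM ops for `acct` called from `domain`."""
    ops = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m and m["acct"] == acct and m["domain"] == domain:
            ops[m["exe"]].append(m["op"])
    return dict(ops)

def uses_su(log_text, **filters):
    """True if any matching record came from su (any path) instead of runuser."""
    return any(exe.rsplit("/", 1)[-1] == "su"
               for exe in pam_ops_by_exe(log_text, **filters))

def _rec(rtype, op, exe, subj):
    # Constructed record; timestamp, serial and pid are placeholders.
    return (f"type={rtype} msg=audit(1450000000.000:1): user pid=1000 uid=0 "
            f"subj={subj} msg='op=PAM:{op} acct=\"tomcat\" exe=\"{exe}\" "
            "hostname=? addr=? terminal=? res=success'")

# Constructed samples following the record sequences quoted in the report.
BEFORE = "\n".join(
    _rec(t, o, "/bin/su", "unconfined_u:system_r:cluster_t:s0")
    for t, o in [("USER_AUTH", "authentication"), ("USER_ACCT", "accounting"),
                 ("USER_START", "session_open"), ("CRED_ACQ", "setcred"),
                 ("CRED_DISP", "setcred")])
AFTER = "\n".join(
    _rec(t, o, "/sbin/runuser", "system_u:system_r:cluster_t:s0")
    for t, o in [("USER_START", "session_open"), ("CRED_ACQ", "setcred"),
                 ("CRED_DISP", "setcred"), ("USER_END", "session_close")])
# Edge case: su run outside the cluster domain must not be attributed to the agent.
OTHER = _rec("USER_START", "session_open", "/bin/su",
             "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("other", OTHER)):
        print(name, pam_ops_by_exe(text), "su in use:", uses_su(text))
```

To check a real system, pass the contents of `/var/log/audit/audit.log` to `uses_su()` after enabling the resource.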