Bug 1249430

Summary: ocf:heartbeat:tomcat resource agents failed in SELinux enforcing mode
Product: Red Hat Enterprise Linux 7
Reporter: Naoya Hashimoto <nhashimo>
Component: resource-agents
Assignee: Oyvind Albrigtsen <oalbrigt>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.1
CC: agk, cluster-maint, jkortus, jruemker, lvrabec, mgrepl, mmalik, mnovacek, nhashimo, oalbrigt, plautrba, pvrabec, rik.theys, ssekidde, tlavigne
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: resource-agents-3.9.5-82.el7
Doc Type: Bug Fix
Doc Text:
  Cause: Tomcat failed to start from the resource agent when in SELinux enforced mode.
  Consequence: Tomcat failed to start.
  Fix: Use runuser instead of su when available.
  Result: Tomcat starts fine in SELinux enforced mode.
Story Points: ---
Clone Of: 1234276
: 1280319 1394293
Environment:
Last Closed: 2016-11-03 23:58:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1280319, 1394293
Attachments:
  Working patch (flags: none)

Description Naoya Hashimoto 2015-08-03 00:08:19 UTC
+++ This bug was initially created as a clone of Bug #1234276 +++

Description of problem:
Tomcat resource agent (ocf:heartbeat:tomcat) never fails to run in SELinux enforcing mode because it uses the su command. The cause of the issue and the workaround are the same as in bug #1234276, ocf:heartbeat:pgsql resource agent.

Version-Release number of selected component (if applicable):

 - OS: RHEL-7.1 (x86_64)
 - Kernel: 3.10.0-229.el7.x86_64
 - HA:
    corosync-2.3.4-4.el7_1.1.x86_64
    pacemaker-1.1.12-22.el7_1.2.x86_64,
    pcs-0.9.137-13.el7_1.2.x86_64
    resource-agents-3.9.5-40.el7
 - DB: postgresql-server-9.2.10-2.el7_1.x86_64

How reproducible:
100%


Steps to Reproduce:
* Enable SELinux and configure HA Cluster using RHHA Add-on, and install tomcat
* Run ocf:heartbeat:tomcat resource agent

Comment 4 Oyvind Albrigtsen 2015-11-11 12:31:18 UTC
Created attachment 1092682 [details]
Working patch

Comment 5 Oyvind Albrigtsen 2015-11-11 12:32:06 UTC
Tested and attached working patch from upstream.

Comment 6 michal novacek 2016-02-19 13:25:23 UTC
qaack: usual cluster tests should pass with selinux in enforcing mode for this agent

Comment 8 Oyvind Albrigtsen 2016-03-01 13:20:33 UTC
Before:
# rpm -q resource-agents
resource-agents-3.9.5-54.el7_2.6.x86_64
# pcs resource enable Tomcat
# tail -f /var/log/audit/audit.log
...
type=USER_AUTH msg=audit(1450704996.027:124): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:authentication acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1450704996.027:125): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:accounting acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1450704996.041:126): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450704996.041:127): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450704996.122:128): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'

After:
# rpm -q resource-agents
resource-agents-3.9.5-61.el7.x86_64
# pcs resource enable Tomcat
# tail -f /var/log/audit/audit.log
...
type=USER_START msg=audit(1450946772.674:53): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450946772.674:54): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450946772.741:55): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1450946772.741:56): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_close acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
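
Checking an audit log for the su-versus-runuser pattern shown in Comment 8, as an added example (this is not code from the bug report or from the resource-agents project): the script parses the exact audit.log records quoted above, keeps the PAM events raised from the cluster_t domain, and reports which executable produced them, so an administrator can tell from /var/log/audit/audit.log whether a node still runs the su-based agent. The regular expressions, function names and the AUID_UNSET constant are the example's own; the log text is copied from the two captures in this comment.

```python
import re
from os.path import basename

# Audit records quoted in Comment 8 of this bug. The first capture was taken with
# resource-agents-3.9.5-54.el7_2.6, where the agent still switches user via su;
# the second with resource-agents-3.9.5-61.el7, where it uses runuser.
BEFORE_LOG = """\
type=USER_AUTH msg=audit(1450704996.027:124): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:authentication acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1450704996.027:125): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:accounting acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1450704996.041:126): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450704996.041:127): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450704996.122:128): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
"""

AFTER_LOG = """\
type=USER_START msg=audit(1450946772.674:53): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450946772.674:54): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450946772.741:55): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1450946772.741:56): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_close acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
"""

# Outer record shape: "type=<T> msg=audit(<seconds>:<serial>): <body>"
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens; a value is 'single-quoted', "double-quoted" or a bare word.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

# auid of (unsigned)-1 means "no login session": the process descends from a daemon.
AUID_UNSET = 4294967295


def _parse_kv(text):
    """Turn a run of key=value tokens into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_audit_record(line):
    """Parse one audit.log line; returns None for lines that are not records.

    The nested msg='...' payload (op=, acct=, exe=, res=) becomes ev["msg"].
    """
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    ev = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    ev.update(_parse_kv(m["body"]))
    if "msg" in ev:
        ev["msg"] = _parse_kv(ev["msg"])
    return ev


def summarize_switch_user(log_text, domain="cluster_t"):
    """Count PAM events raised from the given SELinux type, keyed by the exe that raised them."""
    counts = {}
    for line in log_text.splitlines():
        ev = parse_audit_record(line)
        if ev is None or domain not in ev.get("subj", ""):
            continue
        exe = ev.get("msg", {}).get("exe")
        if exe:
            counts[exe] = counts.get(exe, 0) + 1
    return counts


def agent_still_uses_su(log_text):
    """True if any cluster_t PAM event came from su rather than runuser."""
    return any(basename(exe) == "su" for exe in summarize_switch_user(log_text))


def events_from_login_session(log_text):
    """Count records whose auid is a real login UID rather than the unset value."""
    n = 0
    for line in log_text.splitlines():
        ev = parse_audit_record(line)
        if ev is not None and int(ev.get("auid", AUID_UNSET)) != AUID_UNSET:
            n += 1
    return n


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label, summarize_switch_user(log), "uses su:", agent_still_uses_su(log))
```

Run against a real /var/log/audit/audit.log, the same functions answer the question the two captures above answer by eye: a node whose cluster_t PAM events still name /bin/su has not picked up the runuser-based agent. The auid field is worth reading as well: 4294967295 is the unset login UID, which is what a process started by the cluster daemon carries, whereas the "before" capture was taken under an interactive root session (auid=0, ses=2).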

Comment 11 Oyvind Albrigtsen 2016-09-16 13:17:50 UTC
Tested and working patch for systemd to make it work with the latest Tomcat version: https://github.com/ClusterLabs/resource-agents/pull/846

Comment 17 errata-xmlrpc 2016-11-03 23:58:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2174.html

Comment 19 John Ruemker 2016-11-10 20:33:02 UTC
*** Bug 1383922 has been marked as a duplicate of this bug. ***