Bug 1470735
Summary: [regression] tomcat fails to start via tomcat-jsvc service startup due to selinux denials

Field | Value
---|---
Product | Red Hat Enterprise Linux 7
Component | selinux-policy
Version | 7.4
Status | CLOSED ERRATA
Severity | high
Priority | high
Target Milestone | rc
Target Release | ---
Hardware | All
OS | Linux
Keywords | ZStream
Reporter | Jan Onderka <jonderka>
Assignee | Lukas Vrabec <lvrabec>
QA Contact | Milos Malik <mmalik>
Docs Contact | Mirek Jahoda <mjahoda>
CC | csutherl, dmoppert, jonderka, lvrabec, mbabacek, mgrepl, mmalik, mthacker, plautrba, pvrabec, ssekidde, toneata, troels, twalsh
Doc Type | Bug Fix
Type | Bug
Regression | ---
Bug Blocks | 1485308
Last Closed | 2018-04-10 12:34:36 UTC

Doc Text:

*Tomcat* can now be started using *tomcat-jsvc* with *SELinux* in enforcing mode

In Red Hat Enterprise Linux 7.4, the `tomcat_t` unconfined domain was not correctly defined in the *SELinux* policy. Consequently, the *Tomcat* server could not be started by the *tomcat-jsvc* service with *SELinux* in enforcing mode. This update allows the `tomcat_t` domain to use the `dac_override`, `setuid`, and `kill` capability rules. As a result, *Tomcat* is now able to start through *tomcat-jsvc* with *SELinux* in enforcing mode.
Description

Jan Onderka, 2017-07-13 14:25:57 UTC

From a quick inspection, I suspect an selinux policy issue. The denials are:

> denied { setuid } for pid=18047 comm="jsvc" capability=7 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability
> denied { setcap } for pid=18049 comm="jsvc" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Comparing policy-rhel-7.3-contrib.patch with policy-rhel-7.4-contrib.patch (in the selinux-policy package), the former has:

> # tomcat local policy
> #
>
> optional_policy(`
> unconfined_domain(tomcat_t)
> `)

while the latter has an explicit set of allow rules that does not (afaict) include `setcap` or `setuid`.

(adding Miroslav, Lukas in case they can comment on this)

Following SELinux denial appeared in enforcing mode:

```
type=PROCTITLE msg=audit(07/17/2017 08:52:11.579:318) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us
type=SYSCALL msg=audit(07/17/2017 08:52:11.579:318) : arch=x86_64 syscall=setuid success=no exit=EPERM(Operation not permitted) a0=tomcat a1=0x5b a2=0x1 a3=0x7f4278436300 items=0 ppid=4366 pid=4384 auid=unset uid=root gid=tomcat euid=root suid=root fsuid=root egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc: denied { setuid } for pid=4384 comm=jsvc capability=setuid scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
```

Following SELinux denials appeared in permissive mode:

```
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:323) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:323) : arch=x86_64 syscall=setuid success=yes exit=0 a0=tomcat a1=0x5b a2=0x1 a3=0x7f2d7b965300 items=0 ppid=4557 pid=4575 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc: denied { setuid } for pid=4575 comm=jsvc capability=setuid scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:324) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=1 name=/usr/share/tomcat/logs/catalina.out inode=26630337 dev=fd:02 mode=file,660 ouid=tomcat ogid=tomcat rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=NORMAL
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=0 name=/usr/share/tomcat/logs/ inode=26630347 dev=fd:02 mode=dir,770 ouid=tomcat ogid=root rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=PARENT
type=CWD msg=audit(07/17/2017 08:53:51.178:324) : cwd=/
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:324) : arch=x86_64 syscall=open success=yes exit=5 a0=0x1e41280 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=4557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc: denied { dac_override } for pid=4557 comm=jsvc capability=dac_override scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:325) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh
type=CAPSET msg=audit(07/17/2017 08:53:51.178:325) : pid=4577 cap_pi=dac_read_search,setgid,setuid,net_bind_service cap_pp=dac_read_search,setgid,setuid,net_bind_service cap_pe=dac_read_search,setgid,setuid,net_bind_service
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:325) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x7ffc5a7634e0 a1=0x7ffc5a7634f0 a2=0x7f74a4767087 a3=0x1 items=0 ppid=4557 pid=4577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc: denied { setcap } for pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
```

The dac_override is maybe caused by the new kernel:

```
# rpm -qa selinux\* kernel\* | sort
kernel-4.11.0-10.el7a.x86_64
kernel-headers-4.11.0-10.el7a.x86_64
kernel-tools-4.11.0-10.el7a.x86_64
kernel-tools-libs-4.11.0-10.el7a.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-doc-3.13.1-166.el7.noarch
selinux-policy-minimum-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-sandbox-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
#
```

Following SELinux denial also appeared in permissive mode as a result of "service tomcat-jsvc stop" command:

```
type=PROCTITLE msg=audit(07/17/2017 10:09:00.304:625) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us
type=OBJ_PID msg=audit(07/17/2017 10:09:00.304:625) : opid=30893 oauid=unset ouid=tomcat oses=-1 obj=system_u:system_r:tomcat_t:s0 ocomm=jsvc
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x78ad a1=SIG0 a2=0x0 a3=0x7ffe7e002fc0 items=0 ppid=1 pid=30976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc: denied { kill } for pid=30976 comm=jsvc capability=kill scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
```

Hello Mark,

Please review and provide PMApproved to move forward cloning this bug.

Mark,

From devel POV, patch is about 2 lines in tomcat policy, I'm fine with the backport.

Lukas.

pm approval added for 7.5 and 7.4.z

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
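The thread above goes from four AVC records to a two-line policy change. The script below is added here as an example; it is not code from the bug report or from the selinux-policy package. It does mechanically what the developers did by hand: it reduces AVC records to one allow rule per source type, target type and object class (a target equal to the source is written as `self`), then wraps the rules in a loadable module source of the kind `audit2allow -M` produces, with the `require` block that checkmodule needs. The input is the four AVC lines quoted in the bug, embedded as a constructed sample; the module name `tomcat_jsvc_local` and the helper names `avc_to_allow` and `avc_to_te` are this example's own choices. It runs with POSIX sh and awk and needs no SELinux tooling to execute.

```shell
#!/bin/sh
# Added example, not code from the bug report or the selinux-policy package.
# Reduces AVC records to minimal TE allow rules and a loadable module source,
# the way audit2allow / audit2allow -M would. POSIX sh + awk only.

# Constructed sample input: the four AVC lines quoted in the bug, one per denial.
SAMPLE_AVCS='type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc: denied { setuid } for pid=4575 comm=jsvc capability=setuid scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc: denied { dac_override } for pid=4557 comm=jsvc capability=dac_override scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc: denied { setcap } for pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc: denied { kill } for pid=30976 comm=jsvc capability=kill scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1'

# avc_to_allow: AVC records on stdin -> one "allow" rule per
# (source type, target type, class); permissions merged, first-seen order kept.
# A target type equal to the source type is written as "self".
avc_to_allow() {
  awk '
    /avc: +denied +[{]/ {
      perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
      t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
      c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
      st = sa[3]; tt = (ta[3] == st) ? "self" : ta[3]   # 3rd field of u:r:t:level is the type
      key = st SUBSEP tt SUBSEP c
      if (!(key in perms)) { perms[key] = ""; keys[++n] = key }
      np = split(perm, pa, " ")
      for (i = 1; i <= np; i++)
        if (!seen[key SUBSEP pa[i]]++)
          perms[key] = perms[key] (perms[key] == "" ? "" : " ") pa[i]
    }
    END {
      for (i = 1; i <= n; i++) {
        split(keys[i], p, SUBSEP)
        printf "allow %s %s:%s { %s };\n", p[1], p[2], p[3], perms[keys[i]]
      }
    }'
}

# avc_to_te: AVC records on stdin -> module source (.te) for checkmodule:
# header, a require block listing every type and class/permission the rules
# use, then the rules. $1 is the module name (an assumed default if omitted).
avc_to_te() {
  avc_to_allow | awk -v mod="${1:-tomcat_jsvc_local}" '
    {
      rules[++n] = $0
      split($0, f, " "); split(f[3], tc, ":")    # f[2]=source, tc[1]=target, tc[2]=class
      if (!(f[2] in seen_t)) { seen_t[f[2]] = 1; types[++nt] = f[2] }
      if (tc[1] != "self" && !(tc[1] in seen_t)) { seen_t[tc[1]] = 1; types[++nt] = tc[1] }
      if (!(tc[2] in cp)) { cp[tc[2]] = ""; classes[++nc] = tc[2] }
      p = $0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
      np = split(p, pa, " ")
      for (i = 1; i <= np; i++)
        if (!seen_p[tc[2] SUBSEP pa[i]]++)
          cp[tc[2]] = cp[tc[2]] (cp[tc[2]] == "" ? "" : " ") pa[i]
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cp[classes[i]]
      printf "}\n\n"
      for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Stand-alone run: the rules first, then the module source.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te tomcat_jsvc_local
```

Run as-is it prints `allow tomcat_t self:capability { setuid dac_override kill };` and `allow tomcat_t self:process { setcap };`, followed by the module source. On an affected host the records would come from `ausearch -m AVC -c jsvc` instead, and the generated `.te` would be built and loaded with `checkmodule -M -m`, `semodule_package` and `semodule -i`, which is the kind of two-line local policy change Lukas describes and a reasonable stopgap until the errata package is installed. Review the output before loading it: `dac_override` lets the domain bypass every discretionary file permission, so it is worth understanding why root-owned jsvc was opening a tomcat-owned 660 log file, but even with it the rule set is far narrower than the `unconfined_domain(tomcat_t)` the reporter found in the 7.3 policy. Note also that `setcap` on the `process` class appears in the AVCs but is not among the three capabilities the doc text lists, so check the updated package rather than assuming it.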