Bug 1470735

Summary: [regression] tomcat fails to start via tomcat-jsvc service startup due to selinux denials
Product: Red Hat Enterprise Linux 7
Reporter: Jan Onderka <jonderka>
Component: selinux-policy
Assignee: Lukas Vrabec 🐦 <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik ♈🏡🍅 <mmalik>
Severity: high
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.4
CC: csutherl, dmoppert, jonderka, lvrabec, mbabacek, mgrepl, mmalik, mthacker, plautrba, pvrabec, ssekidde, toneata, troels, twalsh
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
*Tomcat* can now be started using *tomcat-jsvc* with *SELinux* in enforcing mode. In Red Hat Enterprise Linux 7.4, the `tomcat_t` unconfined domain was not correctly defined in the *SELinux* policy. Consequently, the *Tomcat* server could not be started by the *tomcat-jsvc* service with *SELinux* in enforcing mode. This update allows the `tomcat_t` domain to use the `dac_override`, `setuid`, and `kill` capability rules. As a result, *Tomcat* is now able to start through *tomcat-jsvc* with *SELinux* in enforcing mode.
Story Points: ---
Clone Of:
: 1485308 (view as bug list)
Last Closed: 2018-04-10 12:34:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1485308
Attachments: AVC_denials_log (flags: none)

Description Jan Onderka 2017-07-13 14:25:57 UTC
Created attachment 1297687 [details]
AVC_denials_log

Description of problem:
AVC denials are present during tomcat-jsvc service startup. Check test_log-BZ1201409-avc.log for more information.

Version-Release number of selected component (if applicable):
tomcat-7.0.76-2
selinux-policy-3.13.1-166

Steps to Reproduce:
1. yum install tomcat*
2. service tomcat-jsvc start
3. pgrep -l -f tomcat
service should work

Actual results:


Expected results:
service starts and there are no AVC denials

Comment 2 Doran Moppert 2017-07-14 05:08:40 UTC
From a quick inspection, I suspect an selinux policy issue.  The denials are:

> denied  { setuid } for  pid=18047 comm="jsvc" capability=7  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability

> denied  { setcap } for  pid=18049 comm="jsvc" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Comparing policy-rhel-7.3-contrib.patch with policy-rhel-7.4-contrib.patch (in the selinux-policy package), the former has:

> # tomcat local policy
> #
>
> optional_policy(`
>    unconfined_domain(tomcat_t)
> `)

while the latter has an explicit set of allow rules that does not (afaict) include `setcap` or `setuid`.

(adding Miroslav, Lukas in case they can comment on this)

Comment 5 Milos Malik ♈🏡🍅 2017-07-17 06:57:34 UTC
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:52:11.579:318) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:52:11.579:318) : arch=x86_64 syscall=setuid success=no exit=EPERM(Operation not permitted) a0=tomcat a1=0x5b a2=0x1 a3=0x7f4278436300 items=0 ppid=4366 pid=4384 auid=unset uid=root gid=tomcat euid=root suid=root fsuid=root egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0 
----

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:323) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:323) : arch=x86_64 syscall=setuid success=yes exit=0 a0=tomcat a1=0x5b a2=0x1 a3=0x7f2d7b965300 items=0 ppid=4557 pid=4575 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc:  denied  { setuid } for  pid=4575 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:324) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=1 name=/usr/share/tomcat/logs/catalina.out inode=26630337 dev=fd:02 mode=file,660 ouid=tomcat ogid=tomcat rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=NORMAL 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=0 name=/usr/share/tomcat/logs/ inode=26630347 dev=fd:02 mode=dir,770 ouid=tomcat ogid=root rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=PARENT 
type=CWD msg=audit(07/17/2017 08:53:51.178:324) : cwd=/ 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:324) : arch=x86_64 syscall=open success=yes exit=5 a0=0x1e41280 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=4557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:325) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=CAPSET msg=audit(07/17/2017 08:53:51.178:325) : pid=4577 cap_pi=dac_read_search,setgid,setuid,net_bind_service cap_pp=dac_read_search,setgid,setuid,net_bind_service cap_pe=dac_read_search,setgid,setuid,net_bind_service 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:325) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x7ffc5a7634e0 a1=0x7ffc5a7634f0 a2=0x7f74a4767087 a3=0x1 items=0 ppid=4557 pid=4577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1 
----

The dac_override denial may be caused by the new kernel:

# rpm -qa selinux\* kernel\* | sort
kernel-4.11.0-10.el7a.x86_64
kernel-headers-4.11.0-10.el7a.x86_64
kernel-tools-4.11.0-10.el7a.x86_64
kernel-tools-libs-4.11.0-10.el7a.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-doc-3.13.1-166.el7.noarch
selinux-policy-minimum-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-sandbox-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
#

Comment 6 Milos Malik ♈🏡🍅 2017-07-17 08:10:45 UTC
The following SELinux denial also appeared in permissive mode as a result of the "service tomcat-jsvc stop" command:
----
type=PROCTITLE msg=audit(07/17/2017 10:09:00.304:625) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=OBJ_PID msg=audit(07/17/2017 10:09:00.304:625) : opid=30893 oauid=unset ouid=tomcat oses=-1 obj=system_u:system_r:tomcat_t:s0 ocomm=jsvc 
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x78ad a1=SIG0 a2=0x0 a3=0x7ffe7e002fc0 items=0 ppid=1 pid=30976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
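
The following is an added illustration, not part of the bug's comments or of the selinux-policy package: a small Python script that parses the AVC records quoted in comments 5 and 6 (copied inline as sample input), merges them into the TE allow rules a policy developer would add, the way audit2allow summarises denials, and separates the enforcing-mode denial (permissive=0) that actually stops jsvc from the ones that were only logged in permissive mode. It closes the gap Doran describes in comment 2: the explicit rule set for tomcat_t that replaced unconfined_domain() in 7.4 is missing exactly the capability and process permissions these records name.

```python
import re
from collections import defaultdict

# AVC records copied from comments 5 and 6 of this bug; only the first one
# (permissive=0) was raised in enforcing mode and actually stopped jsvc.
SAMPLE_AVC = """\
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc:  denied  { setuid } for  pid=4575 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
"""

# Permission set, source/target type, object class and permissive flag of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_denials(text):
    """Return one (stype, ttype, tclass, frozenset(perms), enforcing) tuple per AVC line."""
    out = []
    for m in filter(None, map(AVC_RE.search, text.splitlines())):  # skips SYSCALL/PATH/... lines
        perms = frozenset(m.group("perms").split())
        out.append((m["stype"], m["ttype"], m["tclass"], perms, m["permissive"] == "0"))
    return out

def summarise(denials):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, the way audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms, _ in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def to_allow_rules(rules):
    """Render merged denials as TE allow rules, using 'self' when source == target."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines

def blocking_perms(denials):
    """Permissions denied with permissive=0: the ones that actually broke the service."""
    blocked = set()
    for _, _, _, perms, enforcing in denials:
        if enforcing:
            blocked |= perms
    return blocked
```

Against these five records it yields `allow tomcat_t self:capability { dac_override kill setuid };` and `allow tomcat_t self:process { setcap };`, i.e. the three capability rules the Doc Text names plus the setcap process permission flagged in comment 2, while only setuid was denied in enforcing mode.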

Comment 16 Oneata Mircea Teodor 2017-08-24 07:02:22 UTC
Hello Mark,

Please review and provide PMApproved to move forward cloning this bug.

Comment 17 Lukas Vrabec 🐦 2017-08-24 07:46:45 UTC
Mark, 

From the devel POV, the patch is about 2 lines in the tomcat policy; I'm fine with the backport.

Lukas.

Comment 18 Mark Thacker 2017-08-25 10:04:17 UTC
pm approval added for 7.5 and 7.4.z

Comment 24 errata-xmlrpc 2018-04-10 12:34:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763