Bug 1534628

Summary: SELinux prevents Jetty Web App server from mapping a file in /tmp/hsperfdata_jetty/ directory
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-283.24.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-06 15:31:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2018-01-15 15:51:28 UTC
Description of problem:

Version-Release number of selected component (if applicable):
jetty-9.4.6-2.v20170531.fc27.noarch
jetty-alpn-client-9.4.6-2.v20170531.fc27.noarch
jetty-alpn-server-9.4.6-2.v20170531.fc27.noarch
jetty-annotations-9.4.6-2.v20170531.fc27.noarch
jetty-ant-9.4.6-2.v20170531.fc27.noarch
jetty-cdi-9.4.6-2.v20170531.fc27.noarch
jetty-client-9.4.6-2.v20170531.fc27.noarch
jetty-continuation-9.4.6-2.v20170531.fc27.noarch
jetty-deploy-9.4.6-2.v20170531.fc27.noarch
jetty-fcgi-client-9.4.6-2.v20170531.fc27.noarch
jetty-fcgi-server-9.4.6-2.v20170531.fc27.noarch
jetty-http2-client-9.4.6-2.v20170531.fc27.noarch
jetty-http2-common-9.4.6-2.v20170531.fc27.noarch
jetty-http2-hpack-9.4.6-2.v20170531.fc27.noarch
jetty-http2-http-client-transport-9.4.6-2.v20170531.fc27.noarch
jetty-http2-server-9.4.6-2.v20170531.fc27.noarch
jetty-http-9.4.6-2.v20170531.fc27.noarch
jetty-httpservice-9.4.6-2.v20170531.fc27.noarch
jetty-http-spi-9.4.6-2.v20170531.fc27.noarch
jetty-infinispan-9.4.6-2.v20170531.fc27.noarch
jetty-io-9.4.6-2.v20170531.fc27.noarch
jetty-jaas-9.4.6-2.v20170531.fc27.noarch
jetty-jaspi-9.4.6-2.v20170531.fc27.noarch
jetty-javax-websocket-client-impl-9.4.6-2.v20170531.fc27.noarch
jetty-javax-websocket-server-impl-9.4.6-2.v20170531.fc27.noarch
jetty-jmx-9.4.6-2.v20170531.fc27.noarch
jetty-jndi-9.4.6-2.v20170531.fc27.noarch
jetty-jsp-9.4.6-2.v20170531.fc27.noarch
jetty-jspc-maven-plugin-9.4.6-2.v20170531.fc27.noarch
jetty-jstl-9.4.6-2.v20170531.fc27.noarch
jetty-maven-plugin-9.4.6-2.v20170531.fc27.noarch
jetty-nosql-9.4.6-2.v20170531.fc27.noarch
jetty-osgi-alpn-9.4.6-2.v20170531.fc27.noarch
jetty-osgi-boot-9.4.6-2.v20170531.fc27.noarch
jetty-osgi-boot-jsp-9.4.6-2.v20170531.fc27.noarch
jetty-osgi-boot-warurl-9.4.6-2.v20170531.fc27.noarch
jetty-plus-9.4.6-2.v20170531.fc27.noarch
jetty-proxy-9.4.6-2.v20170531.fc27.noarch
jetty-quickstart-9.4.6-2.v20170531.fc27.noarch
jetty-rewrite-9.4.6-2.v20170531.fc27.noarch
jetty-schemas-3.1-3.fc27.noarch
jetty-security-9.4.6-2.v20170531.fc27.noarch
jetty-server-9.4.6-2.v20170531.fc27.noarch
jetty-servlet-9.4.6-2.v20170531.fc27.noarch
jetty-servlets-9.4.6-2.v20170531.fc27.noarch
jetty-spring-9.4.6-2.v20170531.fc27.noarch
jetty-start-9.4.6-2.v20170531.fc27.noarch
jetty-unixsocket-9.4.6-2.v20170531.fc27.noarch
jetty-util-9.4.6-2.v20170531.fc27.noarch
jetty-util-ajax-9.4.6-2.v20170531.fc27.noarch
jetty-webapp-9.4.6-2.v20170531.fc27.noarch
jetty-websocket-api-9.4.6-2.v20170531.fc27.noarch
jetty-websocket-client-9.4.6-2.v20170531.fc27.noarch
jetty-websocket-common-9.4.6-2.v20170531.fc27.noarch
jetty-websocket-server-9.4.6-2.v20170531.fc27.noarch
jetty-websocket-servlet-9.4.6-2.v20170531.fc27.noarch
jetty-xml-9.4.6-2.v20170531.fc27.noarch
selinux-policy-3.13.1-283.16.fc27.noarch
selinux-policy-targeted-3.13.1-283.16.fc27.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora27 machine (targeted policy is active)
2. start the jetty service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=AVC msg=audit(01/15/2018 10:46:13.915:413) : avc:  denied  { map } for  pid=19142 comm=java path=/tmp/hsperfdata_jetty/19142 dev="tmpfs" ino=58685 scontext=system_u:system_r:jetty_t:s0 tcontext=system_u:object_r:jetty_tmp_t:s0 tclass=file permissive=0 
----

Expected results:
* no SELinux denials

Additional info:

Comment 1 Milos Malik 2018-01-15 16:38:09 UTC
The same SELinux denial appears in permissive mode, nothing else.

Comment 2 Fedora Update System 2018-01-30 16:40:44 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 3 Fedora Update System 2018-01-31 22:44:41 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 4 Fedora Update System 2018-02-06 15:31:10 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.