Bug 1565226

Summary: Red Hat Certificate System (RHCS) gets execstack denial during startup
Product: Red Hat Enterprise Linux 7 Reporter: David Mulford <dmulford>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact: Mirek Jahoda <mjahoda>
Priority: unspecified    
Version: 7.4CC: afarley, csutherl, lvrabec, mgrepl, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-197.el7 Doc Type: Release Note
Doc Text:
A new SELinux boolean called tomcat_use_execmem was introduced so that system administrator can decide if such use case should be allowed or not.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:03:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Mulford 2018-04-09 16:29:34 UTC 
Description of problem:
After upgrading from RHEL 7.3 and RHCS 9.1 to RHEL 7.4 and RHCS 9.2, the following AVC denial is seen when starting RHCS services.

type=AVC msg=audit(1523027312.736:510): avc:  denied  { execstack } for  pid=2642 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process


Version-Release number of selected component (if applicable):
- RHEL 7.4
- RHCS 9.2


Actual results:
RHCS services fail to start with AVC denial listed above.

Expected results:
All RHCS services should start successfully.
Comment 4 Milos Malik 2018-04-13 12:12:13 UTC 
Based on the content of the SELinux denial, Tomcat server tries to run java, which behaves differently than Tomcat. Here is the only way to escape from the tomcat_t domain:

# sesearch -s tomcat_t -c process -T
Found 1 semantic te rules:
   type_transition tomcat_t abrt_helper_exec_t : process abrt_helper_t; 

#

Could this be related to https://bugzilla.redhat.com/show_bug.cgi?id=1432083 ?
Comment 5 Lukas Vrabec 2018-04-13 15:37:11 UTC 
I would say we should create new boolean called tomcat_execmem which will allow make stack executable.
Comment 11 errata-xmlrpc 2018-10-30 10:03:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111