Bug 1760889
| Summary: | SELinux prevents jetty from searching under /sys/fs/cgroup directory | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Richard Fiľo <rfilo> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 30 | CC: | dwalsh, lvrabec, mgrepl, plautrba, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-52.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-17 01:13:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hopefully jetty can handle CgroupsV2 as well as V1. It will be fixed in SELinux policy package. PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/155 commit 9a04972cef785f47850c4d1674f49c70e1b4e3f4 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date: Fri Oct 18 11:50:39 2019 +0200
Allow jetty_t domain search and read cgroup_t files.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1760889
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8 selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8 FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Jetty Web Application Server cannot read various cgroup limits which are set on the system. Version-Release number of selected component (if applicable): selinux-policy-3.14.3-46.fc30.noarch selinux-policy-targeted-3.14.3-46.fc30.noarch jetty-9.4.15-1.v20190215.fc30.noarch How reproducible: * always Steps to Reproduce: 1. get a Fedora 30 machine (targeted policy is active) 2. run following automated TC: * /CoreOS/selinux-policy/Regression/jetty-and-similar 3. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(09/26/2019 07:02:52.960:249) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk/bin/java -Djetty.logs=/var/log/jetty/logs -Djetty.home=/usr/share/jetty -Djetty.base=/usr/share/ type=PATH msg=audit(09/26/2019 07:02:52.960:249) : item=0 name=/sys/fs/cgroup/memory/system.slice/jetty.service/memory.limit_in_bytes nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/26/2019 07:02:52.960:249) : cwd=/usr/share/jetty type=SYSCALL msg=audit(09/26/2019 07:02:52.960:249) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9eb07f98 a2=O_RDONLY a3=0x0 items=1 ppid=6811 pid=6820 auid=unset uid=jetty gid=jetty euid=jetty suid=jetty fsuid=jetty egid=jetty sgid=jetty fsgid=jetty tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.fc30.ppc64le/bin/java subj=system_u:system_r:jetty_t:s0 key=(null) type=AVC msg=audit(09/26/2019 07:02:52.960:249) : avc: denied { search } for pid=6820 comm=java name=/ dev="tmpfs" ino=1131 scontext=system_u:system_r:jetty_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(09/26/2019 07:02:52.960:252) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk/bin/java -Djetty.logs=/var/log/jetty/logs -Djetty.home=/usr/share/jetty -Djetty.base=/usr/share/ type=PATH msg=audit(09/26/2019 07:02:52.960:252) : item=0 name=/sys/fs/cgroup/cpu,cpuacct/cpu.shares nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/26/2019 07:02:52.960:252) : cwd=/usr/share/jetty type=SYSCALL msg=audit(09/26/2019 07:02:52.960:252) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9eb0c208 a2=O_RDONLY a3=0x0 items=1 ppid=6811 pid=6820 auid=unset uid=jetty gid=jetty euid=jetty suid=jetty fsuid=jetty egid=jetty sgid=jetty fsgid=jetty tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.fc30.ppc64le/bin/java subj=system_u:system_r:jetty_t:s0 key=(null) type=AVC msg=audit(09/26/2019 07:02:52.960:252) : avc: denied { search } for pid=6820 comm=java name=/ dev="tmpfs" ino=1131 scontext=system_u:system_r:jetty_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 ---- Expected results: * no SELinux denials Additional info: