Bug 700522

Summary: pki tomcat6 instances currently running unconfined
Product: Red Hat Enterprise Linux 6 Reporter: Ade Lee <alee>
Component: pki-coreAssignee: Ade Lee <alee>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1CC: awnuk, benl, cfu, dlackey, dpal, jgalipea, jmagne, kchamart, mharmsen
Target Milestone: rc   
Target Release: 6.2   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 700505 Environment:
Last Closed: 2011-12-06 16:29:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 700505    
Bug Blocks:    
Attachments:
Description Flags
patch to allow server to come up if selinux disabled awnuk: review+

Description Ade Lee 2011-04-28 15:18:27 UTC 
+++ This bug was initially created as a clone of Bug #700505 +++

Description of problem:

Due to changes in the startup scripts, pki tomcat6 instances (on tip and on ipa branch) currently run unconfined.  That is, the pki selinux policy is present but is not being used.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Jenny Severance 2011-05-27 14:09:06 UTC 
Needs some additional information - how to verify fix? thx
Comment 2 Ade Lee 2011-08-09 17:32:39 UTC 
Patch in BZ 700505:

6.2 branch:

[vakwetu@goofy-vm6 base]$ svn ci -m "Resolves #700505 - pki tomcat6 instances currently running unconfined"
Sending        base/common/scripts/functions
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Transmitting file data ....
Committed revision 2128.
Comment 3 Ade Lee 2011-08-09 17:36:05 UTC 
How to verify:

1. make sure selinux is enabled and enforcing
2. pkicreate an instance -- or install ipa
3. installation should complete successfully.
4.  Check context of the java process

ps -efZ |grep pki-ca

It should show something like this :

unconfined_u:system_r:pki_ca_t:s0 pkiuser 25191    1  0 09:37 ?        00:00:18 /usr/lib/jvm/java/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 vakwetu 25794 14003  0 10:29 pts/0 00:00:00 grep pki-ca

The important bit is unconfined_u:system_r:pki_ca_t:s0 pkiuser and in particular pki_ca_t .  Before, it used to be unconfined_java_t
Comment 4 Matthew Harmsen 2011-08-09 18:52:35 UTC 
Patch 'pki/patches/pki-core-9.0.3-r2128.patch' was previously checked-in as revision #2129.

IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       specs/pki-core.spec

# svn commit
Sending        specs/pki-core.spec
Transmitting file data .
Committed revision 2134.
Comment 6 Ade Lee 2011-08-15 20:29:03 UTC 
Created attachment 518326 [details]
patch to allow server to come up if selinux disabled
Comment 7 Ade Lee 2011-08-15 20:49:57 UTC 
6,2:

Patch reviewed in BZ 700505:

svn ci -m "Resolves #700522 - pki tomcat6 instances currently running unconfined, allow server to come up when selinux disabled" base/common/
Sending        base/common/scripts/functions
Transmitting file data .
Committed revision 2147.
Comment 8 Kashyap Chamarthy 2011-11-08 17:57:46 UTC 
VERIFIED

Version Info.
#######################################
[root@ipaqavma ~]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 9.0.3                             Vendor: Red Hat, Inc.
Release     : 20.el6                        Build Date: Mon 03 Oct 2011 08:08:55 PM EDT
Install Date: Tue 08 Nov 2011 01:05:46 AM EST      Build Host: x86-002.build.bos.redhat.com

Correct context is set now.
#######################################
[root@ipaqavma ~]# ps -efZ |grep pki-ca
unconfined_u:system_r:pki_ca_t:s0 pkiuser 2361     1  0 08:42 ?        00:00:25 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5020 5002  0 12:50 pts/2 00:00:00 grep pki-ca
[root@ipaqavma ~]# 
[root@ipaqavma ~]# 
#######################################
Comment 9 errata-xmlrpc 2011-12-06 16:29:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1655.html