Bug 837149

It has been fixed in selinux-policy-3.10.0-134.fc17

what is your policy version

# rpm -q selinux-policy

selinux-policy-3.10.0-132.fc17.noarch

I have a single update awaiting application in yum to

selinux-policy.noarch                                           3.10.0-134.fc17                                               updates

Does that update correct the issue?

Don't mind my dyslexia - I just noticed that you said the update fixes this issue. I'll apply the update to confirm.

After update, relable and reboot this issue continues to persist.:

[root@strawberry]~# ps auxZ | grep -i tomcat
system_u:system_r:initrc_t:s0   tomcat    2444 23.0  0.5 3391368 44652 ?       Sl   15:30   0:00 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2470 0.0  0.0 109400 888 pts/0 S+ 15:30   0:00 grep --color=auto -i tomcat
[root@strawberry]~# yum info selinux-policy
Loaded plugins: changelog, langpacks, presto, refresh-packagekit
Installed Packages
Name        : selinux-policy
Arch        : noarch
Version     : 3.10.0
Release     : 134.fc17
Size        : 62  
Repo        : installed
From repo   : updates
Summary     : SELinux policy configuration
URL         : http://oss.tresys.com/repos/refpolicy/
License     : GPLv2+
Description : SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision  2.20091117

Ok, probably I see the problem. We have labeling just for

/usr/sbin/tomcat        --  gen_context(system_u:object_r:tomcat_exec_t,s0)


So try to execute

# chcon -t tomcat_exec_t `which tomcat6`
# ls -Z `which tomcat6`
# systemctl restart tomcat6.service

This has corrected the problem (temporaily). I will wait for the policy update to be shipped for the permanent fix.

system_u:system_r:tomcat_t:s0   tomcat    2970 18.8  0.7 3923952 60816 ?       Sl   15:54   0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Is this issue also present on RHEL?

Fixed in selinux-policy-3.10.0-137.fc17

We will need to fix it in RHEL6.4 too.

selinux-policy-3.10.0-137.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-137.fc17

Package selinux-policy-3.10.0-137.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-137.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10279/selinux-policy-3.10.0-137.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-137.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.