Bug 1280319 - ocf:heartbeat:tomcat resource agents failed in SELinux enforcing mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: resource-agents
Version: 6.8
Hardware: All Linux
Priority: unspecified Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Oyvind Albrigtsen
QA Contact: cluster-qe@redhat.com
Depends On: 1249430
Reported: 2015-11-11 08:22 EST by Oyvind Albrigtsen
Modified: 2016-05-10 15:15 EDT
Fixed In Version: resource-agents-3.9.5-28.el6
Doc Type: Bug Fix
Clone Of: 1249430
Last Closed: 2016-05-10 15:15:27 EDT
Type: Bug
Attachments
Working patch (1.54 KB, patch)
2015-11-12 05:26 EST, Oyvind Albrigtsen


External Trackers
Tracker ID Priority Status Summary Last Updated
Apache Bugzilla 1234276 None None None Never

Comment 2 Oyvind Albrigtsen 2015-11-12 05:26 EST
Created attachment 1093115
Working patch
Comment 3 Oyvind Albrigtsen 2015-11-12 05:27:36 EST
Tested patch. Working as expected.
Comment 4 Oyvind Albrigtsen 2015-12-21 08:41:19 EST
Check /var/log/audit/audit.log after starting the tomcat resource.

Before:
tomcat is started with su.

After:
tomcat is started with runuser.
Comment 5 Oyvind Albrigtsen 2015-12-24 03:51:27 EST
Before:
# pcs resource enable Tomcat
# tail -f /var/log/audit/audit.log
...
type=USER_AUTH msg=audit(1450704996.027:124): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:authentication acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1450704996.027:125): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:accounting acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1450704996.041:126): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450704996.041:127): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450704996.122:128): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'

After:
# pcs resource enable Tomcat
# tail -f /var/log/audit/audit.log
...
type=USER_START msg=audit(1450946772.674:53): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450946772.674:54): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1450946772.741:55): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1450946772.741:56): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_close acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
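
The before/after check from comments 4 and 5, automated as an added example (not part of the bug report or of the resource-agents patch): it parses audit records and reports which PAM operations each executable triggered from the cluster_t domain. The function names are hypothetical, and the sample records are copied from the audit excerpts above.

```python
import re
from collections import defaultdict

# Four records copied from the "Before" and "After" audit excerpts above.
SAMPLE = """\
type=USER_AUTH msg=audit(1450704996.027:124): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:authentication acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1450704996.041:126): user pid=27217 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1450946772.674:53): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:session_open acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1450946772.674:54): user pid=4051 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cluster_t:s0 msg='op=PAM:setcred acct="tomcat" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
""".splitlines()

# Audit record header, SELinux subject, and the quoted user-space payload.
RECORD = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r".*?subj=(?P<subj>\S+) msg='(?P<payload>.*)'"
)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_pam_records(lines):
    """Yield one dict per audit line that carries an op=PAM:* payload."""
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # not a user-space audit record in this layout
        fields = {k: v.strip('"') for k, v in FIELD.findall(m["payload"])}
        if not fields.get("op", "").startswith("PAM:"):
            continue
        yield {
            "type": m["type"],
            "serial": int(m["serial"]),
            "domain": m["subj"].split(":")[2],  # SELinux type of the caller
            "op": fields["op"].split(":", 1)[1],
            "acct": fields.get("acct"),
            "exe": fields.get("exe"),
        }

def pam_ops_by_exe(lines, domain="cluster_t"):
    """Map each executable run from `domain` to the PAM operations it caused."""
    ops = defaultdict(set)
    for rec in parse_pam_records(lines):
        if rec["domain"] == domain:
            ops[rec["exe"]].add(rec["op"])
    return dict(ops)

def su_from_cluster(lines, domain="cluster_t"):
    """Return records where `domain` still switches user through /bin/su."""
    return [r for r in parse_pam_records(lines)
            if r["domain"] == domain and r["exe"] == "/bin/su"]
```

On a cluster node, pass the lines of /var/log/audit/audit.log written after enabling the resource; an empty result from su_from_cluster corresponds to the "After" state.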
Comment 9 errata-xmlrpc 2016-05-10 15:15:27 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0735.html
