Bug 1432055 - tomcat_t domain is in unconfined_domain
Summary: tomcat_t domain is in unconfined_domain
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 26
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-03-14 12:28 UTC by omokazuki
Modified: 2018-02-13 11:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-13 11:06:37 UTC
Type: Bug
Embargoed:



Description omokazuki 2017-03-14 12:28:14 UTC
Description of problem:

It seems the tomcat_t domain is in unconfined_domain, so any process running in the tomcat_t domain can access any file. Maybe there is a bug in the policy file.

Version-Release number of selected component (if applicable):
Policy Version 30.

[root@fedora25 ~]# seinfo 

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.30 (binary, mls)

   Classes:            94    Permissions:       257
   Sensitivities:       1    Categories:       1024
   Types:            4811    Attributes:        272
   Users:               8    Roles:              14
   Booleans:          306    Cond. Expr.:       355
   Allow:          102781    Neverallow:          0
   Auditallow:        158    Dontaudit:        8907
   Type_trans:      18033    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        421    Range_trans:      5753
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          107    Portcon:           601
   Netifcon:            0    Nodecon:             0
   Permissives:         1    Polcap:              2



How reproducible:


Steps to Reproduce:
1. Run "sesearch -ACS -s tomcat_t -t shadow_t -c file -p read"
2. Run "seinfo -ttomcat_t -x"

Actual results:

[root@fedora25 ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ; 

[root@fedora25 ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_read_shadow_passwords
      can_write_shadow_passwords
      can_relabelto_shadow_passwords
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type


Expected results:

tomcat_t domain should not have unconfined_domain_type.

Additional info:
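Added audit script (not part of the bug report): it reads "seinfo -t<type> -x" style output and prints every attribute that makes the domain effectively unconfined, so the same check the reporter did by hand can be run for any domain type. The list of attributes treated as unconfined is taken from the seinfo output above and is an assumption, not an exhaustive set; the sample input is a trimmed copy of that output.

```shell
#!/bin/sh
# Added example, not from the bug report: flag attributes on a domain type that
# make it effectively unconfined, from "seinfo -t<type> -x" style output.

# Attributes that grant sweeping access; taken from the report's seinfo output
# (assumed to be the ones that matter here, not an exhaustive list).
UNCONFINED_ATTRS='unconfined_domain_type files_unconfined_type devices_unconfined_type
filesystem_unconfined_type selinux_unconfined_type storage_unconfined_type
corenet_unconfined_type kern_unconfined can_load_policy can_setenforce can_load_kernmodule'

# flag_unconfined: read seinfo -x output on stdin (type name first, then one
# indented attribute per line) and print each attribute found in UNCONFINED_ATTRS.
flag_unconfined() {
    awk -v list="$UNCONFINED_ATTRS" '
        BEGIN { n = split(list, a, "[ \n]+"); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        NR > 1 { sub(/^[ \t]+/, ""); if ($0 in bad) print $0 }
    '
}

# audit_domain: run the check against the live policy (needs setools' seinfo).
# Returns 1 when anything was flagged, so it can gate a policy or config check.
audit_domain() {
    found=$(seinfo -t"$1" -x | flag_unconfined)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# sample_seinfo: constructed stdin for offline use, trimmed from the attribute
# list the reporter captured for tomcat_t.
sample_seinfo() {
    cat <<'EOF'
   tomcat_t
      can_read_shadow_passwords
      can_load_policy
      can_setenforce
      domain
      files_unconfined_type
      kern_unconfined
      selinux_unconfined_type
      unconfined_domain_type
      daemon
      tomcat_domain
EOF
}
```

Run `sample_seinfo | flag_unconfined` to see the six flagged attributes, or `audit_domain tomcat_t` on a host with setools installed.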

