1432083 – tomcat_t domain is in unconfined_domain

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1432083 - tomcat_t domain is in unconfined_domain

Summary: tomcat_t domain is in unconfined_domain

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Vit Mojzis
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-03-14 13:41 UTC by omokazuki
Modified:	2021-08-30 13:17 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-3.13.1-145.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 15:22:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1432055	unspecified	CLOSED	tomcat_t domain is in unconfined_domain	2021-02-22 00:41:40 UTC
Red Hat Bugzilla	1450436	high	CLOSED	Satellite installation fails on rhel7.4 beta -- Candlepin can't connect to pgsql	2023-09-15 00:02:10 UTC
Red Hat Knowledge Base (Solution)	3219121	None	None	None	2017-11-13 16:11:59 UTC
Red Hat Product Errata	RHBA-2017:1861	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Internal Links: 1450436

Description omokazuki 2017-03-14 13:41:25 UTC

Description of problem:

It seems tomcat_t domain is in unconfined_domain, then any process which is having tomcat_t domain can access to any file. Maybe there is a bug in policy file.
(I checked Fedora25, RHEL7.3).

Version-Release number of selected component (if applicable):

Policy version 28.

[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            91    Permissions:       256
   Sensitivities:       1    Categories:       1024
   Types:            4729    Attributes:        251
   Users:               8    Roles:              14
   Booleans:          301    Cond. Expr.:       350
   Allow:          101261    Neverallow:          0
   Auditallow:        157    Dontaudit:        8030
   Type_trans:      17756    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        416    Range_trans:      5697
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          105    Portcon:           596
   Netifcon:            0    Nodecon:             0
   Permissives:         6    Polcap:              2

[root@localhost ~]# rpm -qa|grep -i policy
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
selinux-policy-3.13.1-102.el7_3.15.noarch
policycoreutils-2.5-11.el7_3.x86_64

How reproducible:


Steps to Reproduce:
1. Run "sesearch -ACS -s tomcat_t -t shadow_t -c file -p read"
2. Run "seinfo -ttomcat_t -x"

Actual results:
[root@localhost ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ; 

[root@localhost ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type
[root@localhost ~]# 

Expected results:

tomcat_t domain should not have unconfined_domain_type.

Additional info:
I submitted same issue on Fedora bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=1432055

Comment 3 Lukas Vrabec 2017-03-23 11:28:58 UTC

I expect more AVCs here, could you test tomcat in permissive mode? 

Thanks.

Comment 7 omokazuki 2017-03-28 07:19:19 UTC

(In reply to Lukas Vrabec from comment #3)
> I expect more AVCs here, could you test tomcat in permissive mode? 
> 
> Thanks.

Hi,

I'm not expert of tomcat (I'm just security researcher), so I can't get enough
AVCs for working tomcat properly. Sorry...

So I guess we have 2 ways to fix;

1. Just remove unconfined_domain(tomcat_t) on tomcat.te
or
2. Add below(example) boolean to choose tomcat works on unconfined_domain or not.

I know below policy will not work(I couldn't compile it on fedora 25), 
but I guess we could create this kind of boolean for temporary solution. 
So what do you think?

OMO
------------------------------------------------------------
+#######################################
+#
+# tomcat local policy
+#
+
+## <desc>
+## <p>
+## Allow tomcat to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(tomcat_run_unconfined, true)
+
+tunable_policy(`tomcat_run_unconfined',`
+    optional_policy(`
+            unconfined_domain(tomcat_t)
+    ')
+')

Comment 21 errata-xmlrpc 2017-08-01 15:22:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.