(In reply to Lukas Vrabec from comment #3)
> I expect more AVCs here, could you test tomcat in permissive mode?
>
> Thanks.
Hi,
I'm not an expert on tomcat (I'm just a security researcher), so I can't get enough
AVCs for tomcat to work properly. Sorry...
So I guess we have 2 ways to fix this:
1. Just remove unconfined_domain(tomcat_t) in tomcat.te
or
2. Add the boolean below (example) to choose whether tomcat works as unconfined_domain or not.
I know the policy below will not work (I couldn't compile it on Fedora 25),
but I guess we could create this kind of boolean as a temporary solution.
So what do you think?
OMO
------------------------------------------------------------
+#######################################
+#
+# tomcat local policy
+#
+
+## <desc>
+## <p>
+## Allow tomcat to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(tomcat_run_unconfined, true)
+
+tunable_policy(`tomcat_run_unconfined',`
+ optional_policy(`
+ unconfined_domain(tomcat_t)
+ ')
+')
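Review bot: the tunable_policy block at the end cannot compile as written, which matches the "couldn't compile it" remark above: unconfined_domain(tomcat_t) expands to typeattribute statements, and a conditional (tunable_policy) block may only contain allow/auditallow/dontaudit and type_* rules; optional_policy also cannot be nested inside tunable_policy. A boolean therefore cannot gate the unconfined attributes at all, which leaves option 1, removing the unconfined_domain(tomcat_t) call from tomcat.te, as the workable fix. If a tunable were kept anyway, "gen_tunable(tomcat_run_unconfined, true)" defaults it to on, so the unconfined behaviour would remain the out-of-the-box state; the default should be false.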
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1861
Description of problem:
It seems the tomcat_t domain is in unconfined_domain, so any process running in the tomcat_t domain can access any file. Maybe there is a bug in the policy file. (I checked Fedora 25, RHEL 7.3.)

Version-Release number of selected component (if applicable):
Policy version 28.

[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            91    Permissions:       256
   Sensitivities:       1    Categories:       1024
   Types:            4729    Attributes:        251
   Users:               8    Roles:              14
   Booleans:          301    Cond. Expr.:       350
   Allow:          101261    Neverallow:          0
   Auditallow:        157    Dontaudit:        8030
   Type_trans:      17756    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        416    Range_trans:      5697
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          105    Portcon:           596
   Netifcon:            0    Nodecon:             0
   Permissives:         6    Polcap:              2

[root@localhost ~]# rpm -qa|grep -i policy
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
selinux-policy-3.13.1-102.el7_3.15.noarch
policycoreutils-2.5-11.el7_3.x86_64

How reproducible:

Steps to Reproduce:
1. Run "sesearch -ACS -s tomcat_t -t shadow_t -c file -p read"
2. Run "seinfo -ttomcat_t -x"

Actual results:
[root@localhost ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ;

[root@localhost ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type
[root@localhost ~]#

Expected results:
tomcat_t domain should not have unconfined_domain_type.

Additional info:
I submitted the same issue on Fedora bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=1432055
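The check in the steps above (seinfo -ttomcat_t -x, then look for unconfined_domain_type) can be turned into a small audit script that flags any domain carrying unconfined attributes. This is an added example, not code from the bug report; it assumes the setools 3 listing layout shown above (type name on the first line, one attribute per indented line), the sample listings are constructed, and "example_confined_t" is a hypothetical name.

```python
# Added example, not the report's code: flag a domain carrying unconfined
# attributes from a `seinfo -t<type> -x` listing (setools 3 layout as in the report).
import subprocess

# Constructed sample, abridged from the report's listing for tomcat_t.
SAMPLE_TOMCAT = """\
   tomcat_t
      can_change_object_identity
      files_unconfined_type
      domain
      unconfined_domain_type
      daemon
      tomcat_domain
"""

# Constructed negative case with a hypothetical confined domain name.
SAMPLE_CONFINED = """\
   example_confined_t
      domain
      daemon
"""

def parse_seinfo_type(output):
    """Return (type_name, attributes): first non-empty line is the type."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty seinfo output")
    return lines[0], lines[1:]

def unconfined_attributes(output):
    """unconfined_domain_type plus the per-subsystem *_unconfined* attributes."""
    _, attrs = parse_seinfo_type(output)
    return [a for a in attrs if a == "unconfined_domain_type" or "unconfined" in a]

def is_unconfined(output):
    """True when the listed domain carries any unconfined attribute."""
    return bool(unconfined_attributes(output))

def seinfo_output(type_name):
    """Fetch a live listing (setools 3 syntax, as run in the report)."""
    cmd = ["seinfo", f"-t{type_name}", "-x"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for sample in (SAMPLE_TOMCAT, SAMPLE_CONFINED):
        name, _ = parse_seinfo_type(sample)
        hits = unconfined_attributes(sample)
        print(name, "UNCONFINED via " + ", ".join(hits) if hits else "confined")
```

On a live system, pass seinfo_output("tomcat_t") to is_unconfined() instead of the constructed sample; a confined domain should yield an empty list.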