Bug 1432083 - tomcat_t domain is in unconfined_domain
Summary: tomcat_t domain is in unconfined_domain
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Vit Mojzis
QA Contact: Milos Malik
Reported: 2017-03-14 13:41 UTC by omokazuki
Modified: 2017-11-13 16:12 UTC

Fixed In Version: selinux-policy-3.13.1-145.el7
Last Closed: 2017-08-01 15:22:43 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC
Red Hat Bugzilla 1432055 None CLOSED tomcat_t domain is in unconfined_domain 2018-10-01 10:14:34 UTC
Red Hat Bugzilla 1450436 None None None Never
Red Hat Knowledge Base (Solution) 3219121 None None None 2017-11-13 16:11:59 UTC

Internal Links: 1450436

Description omokazuki 2017-03-14 13:41:25 UTC
Description of problem:

It seems the tomcat_t domain is in unconfined_domain, so any process that has the tomcat_t domain can access any file. Maybe there is a bug in the policy file.
(I checked Fedora25, RHEL7.3).

Version-Release number of selected component (if applicable):

Policy version 28.

[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            91    Permissions:       256
   Sensitivities:       1    Categories:       1024
   Types:            4729    Attributes:        251
   Users:               8    Roles:              14
   Booleans:          301    Cond. Expr.:       350
   Allow:          101261    Neverallow:          0
   Auditallow:        157    Dontaudit:        8030
   Type_trans:      17756    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        416    Range_trans:      5697
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          105    Portcon:           596
   Netifcon:            0    Nodecon:             0
   Permissives:         6    Polcap:              2

[root@localhost ~]# rpm -qa|grep -i policy
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
selinux-policy-3.13.1-102.el7_3.15.noarch
policycoreutils-2.5-11.el7_3.x86_64

How reproducible:


Steps to Reproduce:
1. Run "sesearch -ACS -s tomcat_t -t shadow_t -c file -p read"
2. Run "seinfo -ttomcat_t -x"

Actual results:
[root@localhost ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ; 

[root@localhost ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type
[root@localhost ~]# 

Expected results:

tomcat_t domain should not have unconfined_domain_type.

Additional info:
I submitted the same issue on Fedora Bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=1432055
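The reproduction steps above check a single domain by hand with sesearch and seinfo. The script below is an added example, not part of this bug report or of selinux-policy: a small POSIX shell audit that parses the attribute list in the format `seinfo -t<type> -x` prints on RHEL 7 (setools 3) and counts the attributes that place a domain in the unconfined set. The tomcat_t sample is the attribute list from the report; the `example_confined_t` list is constructed for contrast; `UNCONFINED_ATTRS` is my own selection of the unconfined attributes that appear in the report; and `check_live` assumes setools' `seinfo` is installed on the host.

```shell
#!/bin/sh
# Added example (not from the bug report): flag domains that carry
# unconfined attributes, using the `seinfo -t<type> -x` output format
# of setools 3.x as shipped on RHEL 7.

# Attributes that grant unconfined access. Selected by hand from the
# attribute list shown in the report (assumption: this list is complete
# enough for an audit; extend it for your policy).
UNCONFINED_ATTRS='unconfined_domain_type files_unconfined_type
devices_unconfined_type filesystem_unconfined_type selinux_unconfined_type
storage_unconfined_type corenet_unconfined_type kern_unconfined
xserver_unconfined_type dbusd_unconfined sepgsql_unconfined_type'

# unconfined_attrs_in: read `seinfo -x` style output on stdin and print
# every unconfined attribute found, one per line, in input order.
# The first line of the output is the type name itself, so it is skipped.
unconfined_attrs_in() {
    awk -v list="$UNCONFINED_ATTRS" '
        BEGIN { n = split(list, a, /[ \n]+/); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && NF == 1 && ($1 in want) { print $1 }
    '
}

# count_unconfined: number of unconfined attributes on stdin (0 = confined).
count_unconfined() {
    unconfined_attrs_in | wc -l | tr -d ' '
}

# check_live: query the loaded policy for one domain (needs setools' seinfo).
check_live() {
    seinfo -t"$1" -x | count_unconfined
}

# Sample 1: the tomcat_t attribute list exactly as printed in the report.
SAMPLE_TOMCAT='   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type'

# Sample 2: a constructed list for a domain with no unconfined attributes.
SAMPLE_CONFINED='   example_confined_t
      daemon
      domain
      syslog_client_type'

# Usage: sh audit_unconfined.sh --demo   (offline, uses the samples)
#        sh audit_unconfined.sh tomcat_t (live, requires seinfo)
case "${1:-}" in
    --demo)
        printf 'tomcat_t unconfined attributes:\n'
        printf '%s\n' "$SAMPLE_TOMCAT" | unconfined_attrs_in
        printf 'example_confined_t count: %s\n' \
            "$(printf '%s\n' "$SAMPLE_CONFINED" | count_unconfined)"
        ;;
    "") ;;
    *)  check_live "$1" ;;
esac
```

A domain is fully unconfined only when `unconfined_domain_type` is present, but the other `*_unconfined*` attributes each waive a subsystem's checks on their own, which is why the audit counts all of them rather than looking for a single name.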

Comment 3 Lukas Vrabec 2017-03-23 11:28:58 UTC
I expect more AVCs here, could you test tomcat in permissive mode? 

Thanks.

Comment 7 omokazuki 2017-03-28 07:19:19 UTC
(In reply to Lukas Vrabec from comment #3)
> I expect more AVCs here, could you test tomcat in permissive mode? 
> 
> Thanks.

Hi,

I'm not an expert on tomcat (I'm just a security researcher), so I can't get enough
AVCs for tomcat to work properly. Sorry...

So I guess we have 2 ways to fix this:

1. Just remove unconfined_domain(tomcat_t) from tomcat.te
or
2. Add a boolean like the one below (example) to choose whether tomcat works in unconfined_domain or not.

I know the policy below will not work (I couldn't compile it on Fedora 25),
but I guess we could create this kind of boolean as a temporary solution.
So what do you think?

OMO
------------------------------------------------------------
+#######################################
+#
+# tomcat local policy
+#
+
+## <desc>
+## <p>
+## Allow tomcat to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(tomcat_run_unconfined, true)
+
+tunable_policy(`tomcat_run_unconfined',`
+    optional_policy(`
+            unconfined_domain(tomcat_t)
+    ')
+')
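Review bot: the boolean cannot work as written, because `unconfined_domain(tomcat_t)` expands to `typeattribute` statements (exactly the attributes listed in the report, such as `unconfined_domain_type` and `files_unconfined_type`), and attribute assignments are not permitted inside the conditional block that `tunable_policy()` generates; a boolean can only switch AV rules and type transition rules, which is the compile failure you saw. The `optional_policy()` block nested inside `tunable_policy()` is also the reverse of the refpolicy convention (optional outside, tunable inside). So a tunable can at most toggle a set of explicit allow rules for tomcat_t; taking the domain out of the unconfined attribute set requires removing the `unconfined_domain()` call itself, i.e. option 1 above.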

Comment 21 errata-xmlrpc 2017-08-01 15:22:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

