I switched to "Permissive" and ran the installation to produce all AVCs:

#============= tomcat_t ==============
allow tomcat_t amqp_port_t:tcp_socket name_connect;
allow tomcat_t candlepin_etc_certs_rw_t:dir { getattr open read search };
allow tomcat_t candlepin_etc_certs_rw_t:file { getattr open read };
allow tomcat_t candlepin_etc_rw_t:file { getattr open read };
allow tomcat_t postgresql_port_t:tcp_socket name_connect;
allow tomcat_t sysctl_net_t:file { getattr open read };

The Tomcat SELinux policy has changed and requires us to add some new rules (rules #1 to #4). The last two rules should be fixed in RHEL7.4 and not in candlepin-selinux (BZ #1450819).
To be precise, pasting the AVCs:

avc: denied { read } for pid=13920 comm="java" name="candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc: denied { read } for pid=13920 comm="java" name="upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc: denied { read } for pid=13920 comm="java" name="candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream/candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream/candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/certs/amqp/candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { read } for pid=13920 comm="java" name="candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/certs/amqp/candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
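Added example (not code from the bug report, candlepin or candlepin-selinux): a small Python script that aggregates AVC denial records into audit2allow-style allow rules and diffs them against a reviewed allowlist, so that re-running the collection after a Tomcat policy change cannot quietly widen what the candlepin-selinux module grants. The sample records are a subset of the AVCs pasted above; the `write` denial and the `APPROVED` dictionary (the six rules from the earlier comment) are constructed for the example.

```python
"""Aggregate SELinux AVC denials into allow rules and diff them against a reviewed set.

Added example for this bug report; not code from candlepin or candlepin-selinux.
The aggregation mirrors what audit2allow does: one rule per (source type,
target type, object class) with the permissions unioned.
"""
import re
from collections import defaultdict

# Sample input: AVC records pasted in the bug report, one record per line.
SAMPLE_AVCS = """\
avc: denied { read } for pid=13920 comm="java" name="candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc: denied { read } for pid=13920 comm="java" name="upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc: denied { read } for pid=13920 comm="java" name="candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { open } for pid=13920 comm="java" path="/etc/candlepin/certs/upstream/candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc: denied { getattr } for pid=13920 comm="java" path="/etc/candlepin/certs/amqp/candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
""".splitlines()

# Constructed record (not from the report) to show that a write denial gets flagged.
CONSTRUCTED_WRITE_AVC = (
    'avc: denied { write } for pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" '
    'dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file'
)

# Reviewed allowlist: the six rules listed in the earlier comment.
APPROVED = {
    ('tomcat_t', 'amqp_port_t', 'tcp_socket'): {'name_connect'},
    ('tomcat_t', 'candlepin_etc_certs_rw_t', 'dir'): {'getattr', 'open', 'read', 'search'},
    ('tomcat_t', 'candlepin_etc_certs_rw_t', 'file'): {'getattr', 'open', 'read'},
    ('tomcat_t', 'candlepin_etc_rw_t', 'file'): {'getattr', 'open', 'read'},
    ('tomcat_t', 'postgresql_port_t', 'tcp_socket'): {'name_connect'},
    ('tomcat_t', 'sysctl_net_t', 'file'): {'getattr', 'open', 'read'},
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Extract the type from a user:role:type:level context, e.g. tomcat_t."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return perms, source/target types, class and object of one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': set(m.group('perms').split()),
            'stype': type_of(fields['scontext']),
            'ttype': type_of(fields['tcontext']),
            'tclass': fields['tclass'],
            'object': fields.get('path') or fields.get('name'),
        }
    except KeyError:
        return None  # malformed record: a context or the class is missing


def aggregate_rules(lines):
    """Union permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def format_rules(rules):
    """Render the rules in policy syntax, sorted so the output diffs cleanly."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return out


def unexpected_rules(generated, approved):
    """Permissions the generated rules ask for that the reviewed allowlist does not grant."""
    findings = []
    for key, perms in sorted(generated.items()):
        extra = perms - approved.get(key, set())
        if extra:
            findings.append((key, sorted(extra)))
    return findings


if __name__ == '__main__':
    print('\n'.join(format_rules(aggregate_rules(SAMPLE_AVCS))))
    widened = aggregate_rules(SAMPLE_AVCS + [CONSTRUCTED_WRITE_AVC])
    for key, extra in unexpected_rules(widened, APPROVED):
        print('NOT APPROVED:', key, extra)
```

The aggregation keys on types only, so the `unconfined_u` seuser on the truststore records (a file created by hand rather than by the package) collapses into the same `candlepin_etc_certs_rw_t:file` rule as the CA certificate, which is why the earlier comment lists a single rule for that type; the `write` record shows the kind of widening the allowlist comparison is meant to catch before it lands in the module.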
Fix available in candlepin-0.9.54.23-1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2421
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days