
Bug 1470735

Summary: [regression] tomcat fails to start via tomcat-jsvc service startup due to selinux denials
Product: Red Hat Enterprise Linux 7
Reporter: Jan Onderka <jonderka>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.4
CC: csutherl, dmoppert, jonderka, lvrabec, mbabacek, mgrepl, mmalik, mthacker, plautrba, pvrabec, ssekidde, toneata, troels, twalsh
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
*Tomcat* can now be started using *tomcat-jsvc* with *SELinux* in enforcing mode

In Red Hat Enterprise Linux 7.4, the `tomcat_t` unconfined domain was not correctly defined in the *SELinux* policy. Consequently, the *Tomcat* server could not be started by the *tomcat-jsvc* service with *SELinux* in enforcing mode. This update allows the `tomcat_t` domain to use the `dac_override`, `setuid`, and `kill` capability rules. As a result, *Tomcat* is now able to start through *tomcat-jsvc* with *SELinux* in enforcing mode.
Story Points: ---
Clone Of:
: 1485308 (view as bug list) Environment:
Last Closed: 2018-04-10 12:34:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1485308
Attachments:
AVC_denials_log (flags: none)

Description Jan Onderka 2017-07-13 14:25:57 UTC
Created attachment 1297687 [details]
AVC_denials_log

Description of problem:
AVC denials are present during tomcat-jsvc service startup. Check test_log-BZ1201409-avc.log for more information.

Version-Release number of selected component (if applicable):
tomcat-7.0.76-2
selinux-policy-3.13.1-166

Steps to Reproduce:
1. yum install tomcat*
2. service tomcat-jsvc start
3. pgrep -l -f tomcat
service should work

Actual results:


Expected results:
service starts and there are no AVC denials

Comment 2 Doran Moppert 2017-07-14 05:08:40 UTC
From a quick inspection, I suspect an SELinux policy issue.  The denials are:

> denied  { setuid } for  pid=18047 comm="jsvc" capability=7  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability

> denied  { setcap } for  pid=18049 comm="jsvc" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Comparing policy-rhel-7.3-contrib.patch with policy-rhel-7.4-contrib.patch (in the selinux-policy package), the former has:

> # tomcat local policy
> #
>
> optional_policy(`
>    unconfined_domain(tomcat_t)
> `)

while the latter has an explicit set of allow rules that does not (afaict) include `setcap` or `setuid`.

(adding Miroslav, Lukas in case they can comment on this)

Comment 5 Milos Malik 2017-07-17 06:57:34 UTC
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:52:11.579:318) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:52:11.579:318) : arch=x86_64 syscall=setuid success=no exit=EPERM(Operation not permitted) a0=tomcat a1=0x5b a2=0x1 a3=0x7f4278436300 items=0 ppid=4366 pid=4384 auid=unset uid=root gid=tomcat euid=root suid=root fsuid=root egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0 
----

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:323) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:323) : arch=x86_64 syscall=setuid success=yes exit=0 a0=tomcat a1=0x5b a2=0x1 a3=0x7f2d7b965300 items=0 ppid=4557 pid=4575 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc:  denied  { setuid } for  pid=4575 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:324) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=1 name=/usr/share/tomcat/logs/catalina.out inode=26630337 dev=fd:02 mode=file,660 ouid=tomcat ogid=tomcat rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=NORMAL 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=0 name=/usr/share/tomcat/logs/ inode=26630347 dev=fd:02 mode=dir,770 ouid=tomcat ogid=root rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=PARENT 
type=CWD msg=audit(07/17/2017 08:53:51.178:324) : cwd=/ 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:324) : arch=x86_64 syscall=open success=yes exit=5 a0=0x1e41280 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=4557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:325) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=CAPSET msg=audit(07/17/2017 08:53:51.178:325) : pid=4577 cap_pi=dac_read_search,setgid,setuid,net_bind_service cap_pp=dac_read_search,setgid,setuid,net_bind_service cap_pe=dac_read_search,setgid,setuid,net_bind_service 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:325) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x7ffc5a7634e0 a1=0x7ffc5a7634f0 a2=0x7f74a4767087 a3=0x1 items=0 ppid=4557 pid=4577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1 
----

The dac_override denial may be caused by the new kernel:

# rpm -qa selinux\* kernel\* | sort
kernel-4.11.0-10.el7a.x86_64
kernel-headers-4.11.0-10.el7a.x86_64
kernel-tools-4.11.0-10.el7a.x86_64
kernel-tools-libs-4.11.0-10.el7a.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-doc-3.13.1-166.el7.noarch
selinux-policy-minimum-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-sandbox-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
#

Comment 6 Milos Malik 2017-07-17 08:10:45 UTC
The following SELinux denial also appeared in permissive mode as a result of the "service tomcat-jsvc stop" command:
----
type=PROCTITLE msg=audit(07/17/2017 10:09:00.304:625) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=OBJ_PID msg=audit(07/17/2017 10:09:00.304:625) : opid=30893 oauid=unset ouid=tomcat oses=-1 obj=system_u:system_r:tomcat_t:s0 ocomm=jsvc 
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x78ad a1=SIG0 a2=0x0 a3=0x7ffe7e002fc0 items=0 ppid=1 pid=30976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
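The records quoted in comments 5 and 6, together with the observation in comment 2 that the 7.4 policy replaced `unconfined_domain(tomcat_t)` with an explicit allow list, are exactly the input a policy maintainer feeds to audit2allow. The script below is an added example (not part of this bug report, not Red Hat's tooling, and not the fix shipped in the errata): it parses AVC records, separates the denial that actually blocked jsvc in enforcing mode (`permissive=0`) from those only logged in permissive mode, collapses all of them into the `allow` rules they imply, and renders a policy module source in the layout audit2allow -M emits (an assumption about that layout; verify against a local audit2allow). The sample audit text is constructed from the lines quoted in the comments, plus one SYSCALL record to show that non-AVC records are skipped.

```python
"""Triage SELinux AVC denials and derive the policy rules they imply.

Added example; not part of the bug report or of the selinux-policy package.
The module layout mirrors audit2allow -M output (assumption, check locally).
"""
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in comments 5 and 6 of the bug, plus
# one non-AVC record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc:  denied  { setuid } for  pid=4575 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 comm=jsvc
"""

# "avc:  denied  { perm perm } for  key=value ..." (also matches "granted")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(text):
    """Return one dict per AVC record; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, PROCTITLE, CAPSET ... carry no decision
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            # A record without permissive= (older formats) is treated as enforcing.
            "permissive": fields.get("permissive") == "1",
            "comm": fields.get("comm", "?"),
        })
    return records


def enforced_denials(records):
    """Only permissive=0 denials actually stopped the process; the rest were logged."""
    return [r for r in records if r["result"] == "denied" and not r["permissive"]]


def allow_rules(records):
    """Collapse denials into (source type, target, class) -> sorted permissions."""
    needed = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        target = "self" if r["stype"] == r["ttype"] else r["ttype"]
        needed[(r["stype"], target, r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}


def format_perms(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def format_rule(key, perms):
    stype, target, tclass = key
    return f"allow {stype} {target}:{tclass} {format_perms(perms)};"


def policy_module(rules, name="local_tomcat", version="1.0"):
    """Render a .te source with a require block, as audit2allow -M would."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules if k[1] != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {format_perms(sorted(classes[c]))};" for c in sorted(classes)]
    out += ["}", ""]
    out += [format_rule(k, rules[k]) for k in sorted(rules)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for r in enforced_denials(recs):
        print(f"blocked in enforcing mode: comm={r['comm']} {r['tclass']} {r['perms']}")
    print(policy_module(allow_rules(recs)))
```

Run against the sample, the enforcing-mode run yields a single blocking denial (`setuid`, the one that makes jsvc exit with EPERM), while the permissive-mode run reveals the full set the domain needs: `allow tomcat_t self:capability { dac_override kill setuid };` and `allow tomcat_t self:process setcap;`, matching the capability rules named in the Doc Text. The rendered source can be built and loaded with the standard toolchain (`checkmodule -M -m -o local_tomcat.mod local_tomcat.te`, `semodule_package -o local_tomcat.pp -m local_tomcat.mod`, `semodule -i local_tomcat.pp`) as a stopgap until the fixed selinux-policy package is installed; as with any audit2allow output, the rules should be read before loading, since the generator reproduces whatever the process attempted rather than what it should be permitted to do.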

Comment 16 Oneata Mircea Teodor 2017-08-24 07:02:22 UTC
Hello Mark,

Please review and provide PMApproved to move forward cloning this bug.

Comment 17 Lukas Vrabec 2017-08-24 07:46:45 UTC
Mark, 

From a devel POV, the patch is about 2 lines in the tomcat policy; I'm fine with the backport.

Lukas.

Comment 18 Mark Thacker 2017-08-25 10:04:17 UTC
pm approval added for 7.5 and 7.4.z

Comment 24 errata-xmlrpc 2018-04-10 12:34:36 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763