Created attachment 1297687 [details]
AVC_denials_log

Description of problem:
AVC denials are present during tomcat-jsvc service startup.
Check test_log-BZ1201409-avc.log for more information.

Version-Release number of selected component (if applicable):
tomcat-7.0.76-2
selinux-policy-3.13.1-166

Steps to Reproduce:
1. yum install tomcat*
2. service tomcat-jsvc start
3. pgrep -l -f tomcat

service should work

Actual results:

Expected results:
service starts and there are no AVC denials
From a quick inspection, I suspect an SELinux policy issue. The denials are:

> denied { setuid } for pid=18047 comm="jsvc" capability=7 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability
> denied { setcap } for pid=18049 comm="jsvc" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Comparing policy-rhel-7.3-contrib.patch with policy-rhel-7.4-contrib.patch (in the selinux-policy package), the former has:

> # tomcat local policy
> #
>
> optional_policy(`
> unconfined_domain(tomcat_t)
> `)

while the latter has an explicit set of allow rules that does not (afaict) include `setcap` or `setuid`.

(adding Miroslav, Lukas in case they can comment on this)
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:52:11.579:318) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us
type=SYSCALL msg=audit(07/17/2017 08:52:11.579:318) : arch=x86_64 syscall=setuid success=no exit=EPERM(Operation not permitted) a0=tomcat a1=0x5b a2=0x1 a3=0x7f4278436300 items=0 ppid=4366 pid=4384 auid=unset uid=root gid=tomcat euid=root suid=root fsuid=root egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc: denied { setuid } for pid=4384 comm=jsvc capability=setuid scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
----

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:323) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:323) : arch=x86_64 syscall=setuid success=yes exit=0 a0=tomcat a1=0x5b a2=0x1 a3=0x7f2d7b965300 items=0 ppid=4557 pid=4575 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc: denied { setuid } for pid=4575 comm=jsvc capability=setuid scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:324) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=1 name=/usr/share/tomcat/logs/catalina.out inode=26630337 dev=fd:02 mode=file,660 ouid=tomcat ogid=tomcat rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=NORMAL
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=0 name=/usr/share/tomcat/logs/ inode=26630347 dev=fd:02 mode=dir,770 ouid=tomcat ogid=root rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=PARENT
type=CWD msg=audit(07/17/2017 08:53:51.178:324) : cwd=/
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:324) : arch=x86_64 syscall=open success=yes exit=5 a0=0x1e41280 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=4557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc: denied { dac_override } for pid=4557 comm=jsvc capability=dac_override scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:325) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh
type=CAPSET msg=audit(07/17/2017 08:53:51.178:325) : pid=4577 cap_pi=dac_read_search,setgid,setuid,net_bind_service cap_pp=dac_read_search,setgid,setuid,net_bind_service cap_pe=dac_read_search,setgid,setuid,net_bind_service
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:325) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x7ffc5a7634e0 a1=0x7ffc5a7634f0 a2=0x7f74a4767087 a3=0x1 items=0 ppid=4557 pid=4577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc: denied { setcap } for pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
----

The dac_override is maybe caused by the new kernel:

# rpm -qa selinux\* kernel\* | sort
kernel-4.11.0-10.el7a.x86_64
kernel-headers-4.11.0-10.el7a.x86_64
kernel-tools-4.11.0-10.el7a.x86_64
kernel-tools-libs-4.11.0-10.el7a.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-doc-3.13.1-166.el7.noarch
selinux-policy-minimum-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-sandbox-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
#
Following SELinux denial also appeared in permissive mode as a result of "service tomcat-jsvc stop" command:
----
type=PROCTITLE msg=audit(07/17/2017 10:09:00.304:625) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us
type=OBJ_PID msg=audit(07/17/2017 10:09:00.304:625) : opid=30893 oauid=unset ouid=tomcat oses=-1 obj=system_u:system_r:tomcat_t:s0 ocomm=jsvc
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x78ad a1=SIG0 a2=0x0 a3=0x7ffe7e002fc0 items=0 ppid=1 pid=30976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc: denied { kill } for pid=30976 comm=jsvc capability=kill scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
----
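The AVC records quoted in the comments above (setuid, dac_override, setcap, kill, all in tomcat_t) can be condensed into the allow rules a policy fix would need, the same merging audit2allow performs. This is an added example, not code from this bug or from the selinux-policy package; the sample lines are the four AVC records from the comments, and the REVIEW_FIRST set and its "review before granting" marker are this example's own convention for capabilities such as dac_override that widen the domain far beyond the privilege drop jsvc is doing.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this bug, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc: denied { setuid } for pid=4384 comm=jsvc capability=setuid scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc: denied { dac_override } for pid=4557 comm=jsvc capability=dac_override scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc: denied { setcap } for pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc: denied { kill } for pid=30976 comm=jsvc capability=kill scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
"""

# Fields needed to build a rule: permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Capabilities that widen a domain far beyond a privilege drop; flag them rather than grant blindly.
REVIEW_FIRST = {"dac_override", "dac_read_search", "sys_admin"}

def selinux_type(context):
    """user:role:type[:level] -> the type component (third field)."""
    return context.split(":")[2]

def parse_denials(text):
    """Extract (source_type, target_type, tclass, perms) from every AVC record in text."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                          m["tclass"], frozenset(m["perms"].split())))
    return found

def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), audit2allow style."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt   # same type on both sides -> self
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        flag = "  # review before granting" if perms & REVIEW_FIRST else ""
        rules.append(f"allow {src} {target}:{tclass} {body};{flag}")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_AVCS))))
```

On real systems the same lines come from `ausearch -m AVC`; the flagged dac_override rule is the one to trace back to its cause (here catalina.out is a mode-660 file owned by tomcat that jsvc opens while still root) before deciding whether policy or file ownership is the right fix.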
Hello Mark, Please review and provide PMApproved to move forward cloning this bug.
Mark, From devel POV, patch is about 2 lines in tomcat policy, I'm fine with the backport. Lukas.
pm approval added for 7.5 and 7.4.z
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763