Bug 1470735 - [regression] tomcat fails to start via tomcat-jsvc service startup due to selinux denials
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
All Linux
high Severity high
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
: ZStream
Depends On:
Blocks: 1485308
Reported: 2017-07-13 10:25 EDT by Jan Onderka
Modified: 2017-10-06 12:44 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Tomcat is not part of the unconfined domain in RHEL-7.4, so the SELinux security policy is enforced for it.
Consequence: tomcat fails to start via tomcat-jsvc due to SELinux denials.
Fix: Allow the tomcat_t SELinux domain a couple of capability rules (dac_override, setuid, kill).
Result: Tomcat starts correctly via the tomcat-jsvc service with SELinux in enforcing mode.
Story Points: ---
Clone Of:
: 1485308 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC_denials_log (2.98 KB, text/plain)
2017-07-13 10:25 EDT, Jan Onderka

Description Jan Onderka 2017-07-13 10:25:57 EDT
Created attachment 1297687 [details]
AVC_denials_log

Description of problem:
AVC denials are present during tomcat-jsvc service startup. Check test_log-BZ1201409-avc.log for more information.

Version-Release number of selected component (if applicable):
tomcat-7.0.76-2
selinux-policy-3.13.1-166

Steps to Reproduce:
1. yum install tomcat*
2. service tomcat-jsvc start
3. pgrep -l -f tomcat
service should work

Actual results:


Expected results:
service starts and there are no AVC denials
Comment 2 Doran Moppert 2017-07-14 01:08:40 EDT
From a quick inspection, I suspect an SELinux policy issue.  The denials are:

> denied  { setuid } for  pid=18047 comm="jsvc" capability=7  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability

> denied  { setcap } for  pid=18049 comm="jsvc" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Comparing policy-rhel-7.3-contrib.patch with policy-rhel-7.4-contrib.patch (in the selinux-policy package), the former has:

> # tomcat local policy
> #
>
> optional_policy(`
>    unconfined_domain(tomcat_t)
> `)

while the latter has an explicit set of allow rules that does not (afaict) include `setcap` or `setuid`.

(adding Miroslav, Lukas in case they can comment on this)
Comment 5 Milos Malik 2017-07-17 02:57:34 EDT
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:52:11.579:318) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:52:11.579:318) : arch=x86_64 syscall=setuid success=no exit=EPERM(Operation not permitted) a0=tomcat a1=0x5b a2=0x1 a3=0x7f4278436300 items=0 ppid=4366 pid=4384 auid=unset uid=root gid=tomcat euid=root suid=root fsuid=root egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0 
----

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:323) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:323) : arch=x86_64 syscall=setuid success=yes exit=0 a0=tomcat a1=0x5b a2=0x1 a3=0x7f2d7b965300 items=0 ppid=4557 pid=4575 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc:  denied  { setuid } for  pid=4575 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:324) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=1 name=/usr/share/tomcat/logs/catalina.out inode=26630337 dev=fd:02 mode=file,660 ouid=tomcat ogid=tomcat rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=NORMAL 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=0 name=/usr/share/tomcat/logs/ inode=26630347 dev=fd:02 mode=dir,770 ouid=tomcat ogid=root rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=PARENT 
type=CWD msg=audit(07/17/2017 08:53:51.178:324) : cwd=/ 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:324) : arch=x86_64 syscall=open success=yes exit=5 a0=0x1e41280 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=4557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:325) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=CAPSET msg=audit(07/17/2017 08:53:51.178:325) : pid=4577 cap_pi=dac_read_search,setgid,setuid,net_bind_service cap_pp=dac_read_search,setgid,setuid,net_bind_service cap_pe=dac_read_search,setgid,setuid,net_bind_service 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:325) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x7ffc5a7634e0 a1=0x7ffc5a7634f0 a2=0x7f74a4767087 a3=0x1 items=0 ppid=4557 pid=4577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1 
----

The dac_override may be caused by the new kernel:

# rpm -qa selinux\* kernel\* | sort
kernel-4.11.0-10.el7a.x86_64
kernel-headers-4.11.0-10.el7a.x86_64
kernel-tools-4.11.0-10.el7a.x86_64
kernel-tools-libs-4.11.0-10.el7a.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-doc-3.13.1-166.el7.noarch
selinux-policy-minimum-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-sandbox-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
#
Comment 6 Milos Malik 2017-07-17 04:10:45 EDT
The following SELinux denial also appeared in permissive mode as a result of the "service tomcat-jsvc stop" command:
----
type=PROCTITLE msg=audit(07/17/2017 10:09:00.304:625) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=OBJ_PID msg=audit(07/17/2017 10:09:00.304:625) : opid=30893 oauid=unset ouid=tomcat oses=-1 obj=system_u:system_r:tomcat_t:s0 ocomm=jsvc 
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x78ad a1=SIG0 a2=0x0 a3=0x7ffe7e002fc0 items=0 ppid=1 pid=30976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
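To turn the audit records in Comments 5 and 6 into the allow rules a policy fix needs, and to separate the one denial that actually blocked jsvc in enforcing mode from those only logged in permissive mode, here is an added Python example; it is not part of the bug report or of selinux-policy, and the field layout it parses is assumed from the records above rather than taken from a specification.

```python
import re
from collections import defaultdict

# AVC records copied from the bug's audit output (Comments 5 and 6), one per distinct denial.
SAMPLE_AVCS = [
    'type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1',
]

# Assumed field layout: derived from the records above, not from the audit(8) documentation.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def type_of(context):
    """'system_u:system_r:tomcat_t:s0' -> 'tomcat_t' (third field of a user:role:type:level label)."""
    return context.split(':')[2]

def parse_avc(line):
    """Return the denial's permissions, source/target types, class and whether it was enforced."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'enforced': m.group('permissive') == '0',  # permissive=1 means logged but not blocked
    }

def allow_rules(lines):
    """Group denials into TE allow rules, one per (source, target, class), as audit2allow would."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = 'self' if src == tgt else tgt  # same type on both sides -> self
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def enforced_denials(lines):
    """Only permissive=0 records actually stopped jsvc; the others were collected in permissive mode."""
    return [d for d in map(parse_avc, lines) if d and d['enforced']]
```

On a real host the same records come from `ausearch -m AVC`, and audit2allow is the supported tool for generating the rules; this block only illustrates the grouping it performs.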
Comment 16 Oneata Mircea Teodor 2017-08-24 03:02:22 EDT
Hello Mark,

Please review and provide PMApproved to move forward cloning this bug.
Comment 17 Lukas Vrabec 2017-08-24 03:46:45 EDT
Mark, 

From a devel POV, the patch is about 2 lines in the tomcat policy; I'm fine with the backport. 

Lukas.
Comment 18 Mark Thacker 2017-08-25 06:04:17 EDT
pm approval added for 7.5 and 7.4.z
