Bug 1470735 - [regression] tomcat fails to start via tomcat-jsvc service startup due to selinux denials
Summary: [regression] tomcat fails to start via tomcat-jsvc service startup due to sel...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1485308
Reported: 2017-07-13 14:25 UTC by Jan Onderka
Modified: 2018-04-10 12:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
*Tomcat* can now be started using *tomcat-jsvc* with *SELinux* in enforcing mode
In Red Hat Enterprise Linux 7.4, the `tomcat_t` unconfined domain was not correctly defined in the *SELinux* policy. Consequently, the *Tomcat* server could not be started by the *tomcat-jsvc* service with *SELinux* in enforcing mode. This update allows the `tomcat_t` domain to use the `dac_override`, `setuid`, and `kill` capability rules. As a result, *Tomcat* is now able to start through *tomcat-jsvc* with *SELinux* in enforcing mode.
Clone Of:
Clones: 1485308 (view as bug list)
Environment:
Last Closed: 2018-04-10 12:34:36 UTC
Target Upstream Version:
Embargoed:


Attachments
AVC_denials_log (2.98 KB, text/plain)
2017-07-13 14:25 UTC, Jan Onderka


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 0 None None None 2018-04-10 12:36:05 UTC

Description Jan Onderka 2017-07-13 14:25:57 UTC
Created attachment 1297687 [details]
AVC_denials_log

Description of problem:
AVC denials are present during tomcat-jsvc service startup. Check test_log-BZ1201409-avc.log for more information.

Version-Release number of selected component (if applicable):
tomcat-7.0.76-2
selinux-policy-3.13.1-166

Steps to Reproduce:
1. yum install tomcat*
2. service tomcat-jsvc start
3. pgrep -l -f tomcat
service should work

Actual results:


Expected results:
service starts and there are no AVC denials

Comment 2 Doran Moppert 2017-07-14 05:08:40 UTC
From a quick inspection, I suspect an SELinux policy issue.  The denials are:

> denied  { setuid } for  pid=18047 comm="jsvc" capability=7  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability

> denied  { setcap } for  pid=18049 comm="jsvc" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Comparing policy-rhel-7.3-contrib.patch with policy-rhel-7.4-contrib.patch (in the selinux-policy package), the former has:

> # tomcat local policy
> #
>
> optional_policy(`
>    unconfined_domain(tomcat_t)
> `)

while the latter has an explicit set of allow rules that does not (afaict) include `setcap` or `setuid`.

(adding Miroslav, Lukas in case they can comment on this)

Comment 5 Milos Malik 2017-07-17 06:57:34 UTC
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:52:11.579:318) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:52:11.579:318) : arch=x86_64 syscall=setuid success=no exit=EPERM(Operation not permitted) a0=tomcat a1=0x5b a2=0x1 a3=0x7f4278436300 items=0 ppid=4366 pid=4384 auid=unset uid=root gid=tomcat euid=root suid=root fsuid=root egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0 
----

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:323) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:323) : arch=x86_64 syscall=setuid success=yes exit=0 a0=tomcat a1=0x5b a2=0x1 a3=0x7f2d7b965300 items=0 ppid=4557 pid=4575 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:323) : avc:  denied  { setuid } for  pid=4575 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:324) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=1 name=/usr/share/tomcat/logs/catalina.out inode=26630337 dev=fd:02 mode=file,660 ouid=tomcat ogid=tomcat rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=NORMAL 
type=PATH msg=audit(07/17/2017 08:53:51.178:324) : item=0 name=/usr/share/tomcat/logs/ inode=26630347 dev=fd:02 mode=dir,770 ouid=tomcat ogid=root rdev=00:00 obj=system_u:object_r:tomcat_log_t:s0 nametype=PARENT 
type=CWD msg=audit(07/17/2017 08:53:51.178:324) : cwd=/ 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:324) : arch=x86_64 syscall=open success=yes exit=5 a0=0x1e41280 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=4557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/17/2017 08:53:51.178:325) : proctitle=jsvc.exec -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /usr/sh 
type=CAPSET msg=audit(07/17/2017 08:53:51.178:325) : pid=4577 cap_pi=dac_read_search,setgid,setuid,net_bind_service cap_pp=dac_read_search,setgid,setuid,net_bind_service cap_pe=dac_read_search,setgid,setuid,net_bind_service 
type=SYSCALL msg=audit(07/17/2017 08:53:51.178:325) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x7ffc5a7634e0 a1=0x7ffc5a7634f0 a2=0x7f74a4767087 a3=0x1 items=0 ppid=4557 pid=4577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1 
----

The dac_override may be caused by the new kernel:

# rpm -qa selinux\* kernel\* | sort
kernel-4.11.0-10.el7a.x86_64
kernel-headers-4.11.0-10.el7a.x86_64
kernel-tools-4.11.0-10.el7a.x86_64
kernel-tools-libs-4.11.0-10.el7a.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-doc-3.13.1-166.el7.noarch
selinux-policy-minimum-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-sandbox-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
#

Comment 6 Milos Malik 2017-07-17 08:10:45 UTC
The following SELinux denial also appeared in permissive mode as a result of the "service tomcat-jsvc stop" command:
----
type=PROCTITLE msg=audit(07/17/2017 10:09:00.304:625) : proctitle=/usr/bin/jsvc -nodetach -pidfile /var/run/jsvc-tomcat.pid -user tomcat -outfile /usr/share/tomcat/logs/catalina.out -errfile /us 
type=OBJ_PID msg=audit(07/17/2017 10:09:00.304:625) : opid=30893 oauid=unset ouid=tomcat oses=-1 obj=system_u:system_r:tomcat_t:s0 ocomm=jsvc 
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x78ad a1=SIG0 a2=0x0 a3=0x7ffe7e002fc0 items=0 ppid=1 pid=30976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1 
----
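The denials quoted in comments 2, 5 and 6 all follow one pattern: source and target context are both `tomcat_t`, the class is `capability` (setuid, dac_override, kill) or `process` (setcap), and only the enforcing-mode record actually blocked startup. The following Python script is an added example, not code from this bug or from the selinux-policy package: it parses `type=AVC` records in the interpreted `ausearch -i` format shown above, separates the denials that fired with `permissive=0`, groups the rest by source type, target and class, and renders the allow rules a policy module would need. The sample records are constructed from the lines in this bug, and the module name `tomcat_jsvc_fix` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the type=AVC records from comments 5 and 6 of this bug,
# in the interpreted (ausearch -i) format, plus one non-AVC record the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/17/2017 08:52:11.579:318) : avc:  denied  { setuid } for  pid=4384 comm=jsvc capability=setuid  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
type=AVC msg=audit(07/17/2017 08:53:51.178:324) : avc:  denied  { dac_override } for  pid=4557 comm=jsvc capability=dac_override  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/17/2017 08:53:51.178:325) : avc:  denied  { setcap } for  pid=4577 comm=jsvc scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
type=AVC msg=audit(07/17/2017 10:09:00.304:625) : avc:  denied  { kill } for  pid=30976 comm=jsvc capability=kill  scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(07/17/2017 10:09:00.304:625) : arch=x86_64 syscall=kill success=yes exit=0 comm=jsvc exe=/usr/bin/jsvc subj=system_u:system_r:tomcat_t:s0
"""

# Fields of an AVC record that matter for deriving a rule. The lazy ".*?" skips
# pid=/comm=/capability= fields, which vary between records and are not needed.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Extract the type field (user:role:type:level) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial found in the audit text; other records are skipped."""
    denials = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["permissive"] = None if d["permissive"] is None else d["permissive"] == "1"
        d["stype"] = context_type(d["scontext"])
        d["ttype"] = context_type(d["tcontext"])
        denials.append(d)
    return denials


def enforcing_denials(denials):
    """Denials recorded with permissive=0: these are the ones that actually failed a syscall."""
    return [d for d in denials if d["permissive"] is False]


def summarize_rules(denials):
    """Collapse denials into (source type, target, class) -> set of permissions.

    A target whose type equals the source type is written as 'self', matching how the
    capability and process classes are normally expressed in policy."""
    rules = defaultdict(set)
    for d in denials:
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        rules[(d["stype"], target, d["tclass"])].update(d["perms"])
    return dict(rules)


def render_te(rules, module="tomcat_jsvc_fix", version="1.0"):
    """Render the summarized rules as policy module source (.te) with a require block."""
    lines = [f"policy_module({module}, {version})", "", "require {"]
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules if t != "self"})
    for t in types:
        lines.append(f"\ttype {t};")
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    for cls in sorted(classes):
        lines.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    lines += ["}", ""]
    for (stype, target, cls) in sorted(rules):
        perms = " ".join(sorted(rules[(stype, target, cls)]))
        lines.append(f"allow {stype} {target}:{cls} {{ {perms} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT)
    print(f"{len(found)} denials, {len(enforcing_denials(found))} in enforcing mode")
    print(render_te(summarize_rules(found)))
```

Run against the sample it produces `allow tomcat_t self:capability { dac_override kill setuid };` and `allow tomcat_t self:process { setcap };`, which is what the comments above describe as the gap between the 7.3 `unconfined_domain(tomcat_t)` policy and the explicit 7.4 rule set. Treat generated rules as a starting point for review rather than a drop-in: a denial logged in permissive mode only shows what the program attempted, so each permission (dac_override in particular, which comment 5 attributes to a kernel change) should be checked against what the service actually needs before it is granted.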

Comment 16 Oneata Mircea Teodor 2017-08-24 07:02:22 UTC
Hello Mark,

Please review and provide PMApproved to move forward cloning this bug.

Comment 17 Lukas Vrabec 2017-08-24 07:46:45 UTC
Mark, 

From a devel POV, the patch is about 2 lines in the tomcat policy; I'm fine with the backport.

Lukas.

Comment 18 Mark Thacker 2017-08-25 10:04:17 UTC
PM approval added for 7.5 and 7.4.z

Comment 24 errata-xmlrpc 2018-04-10 12:34:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

