Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1477948 - in bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there should be a boolean for that
in bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there s...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
Mirek Jahoda
:
Depends On:
Blocks: 1477960
  Show dependency treegraph
 
Reported: 2017-08-03 05:50 EDT by Jan Hutař
Modified: 2018-10-30 06:02 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
A new SELinux boolean called tomcat_can_network_connect_db was introduced so that system administrator can decide if such use case should be allowed or not.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 06:01:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 06:02 EDT

  None (edit)
Description Jan Hutař 2017-08-03 05:50:39 EDT 
Description of problem:
In bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there should be a boolean for that


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7


How reproducible:
always


Steps to Reproduce:
1. Try to access PostgreSQL from application running in Tomcat
   (for me it was Spacewalk)


Actual results:
Application running in Tomcat is allowed to access PostgreSQL by default


Expected results:
This should not be allowed by default. Apache also have extra boolean:

$ getsebool -a | grep httpd
[...]
httpd_can_network_connect --> off
[...]
httpd_can_network_connect_db --> off
[...]


Additional info:
It was implemented in bug 1451318 and this bug is a sibling of bug 1477887.
Comment 5 errata-xmlrpc 2018-10-30 06:01:27 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.