Bug 1477948 - in bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there should be a boolean for that
Summary: in bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there s...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1477960
TreeView+ depends on / blocked
 
Reported: 2017-08-03 09:50 UTC by Jan Hutař
Modified: 2018-12-16 06:43 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
A new SELinux boolean called tomcat_can_network_connect_db was introduced so that system administrator can decide if such use case should be allowed or not.
Clone Of:
Environment:
Last Closed: 2018-10-30 10:01:27 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:02:38 UTC
Red Hat Bugzilla 1615806 None CLOSED Satellite installation fails on rhel 7.6 Beta with /Stage[main]/Candlepin::Service/Exec[cpinit]/returns: change from not... 2019-03-11 11:45:59 UTC
Red Hat Knowledge Base (Article) 3685231 None None None 2018-11-12 14:11:16 UTC

Internal Links: 1615806

Description Jan Hutař 2017-08-03 09:50:39 UTC
Description of problem:
In bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there should be a boolean for that


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7


How reproducible:
always


Steps to Reproduce:
1. Try to access PostgreSQL from application running in Tomcat
   (for me it was Spacewalk)


Actual results:
Application running in Tomcat is allowed to access PostgreSQL by default


Expected results:
This should not be allowed by default. Apache also have extra boolean:

$ getsebool -a | grep httpd
[...]
httpd_can_network_connect --> off
[...]
httpd_can_network_connect_db --> off
[...]


Additional info:
It was implemented in bug 1451318 and this bug is a sibling of bug 1477887.

Comment 5 errata-xmlrpc 2018-10-30 10:01:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111


Note You need to log in before you can comment on or make changes to this bug.