Bug 1539748 - selinux-policy is blocking the connection to mongodb on port 27017 from tomcat webapp.
Summary: selinux-policy is blocking the connection to mongodb on port 27017 from tomcat webapp.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-01-29 14:39 UTC by deisler
Modified: 2018-10-30 10:02 UTC (History)

Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:02:20 UTC
Target Upstream Version:


Attachments
MongoConnectionTest-1.0.war (2.19 MB, application/zip)
2018-01-29 14:39 UTC, deisler


Links
Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:02:49 UTC)

Description deisler 2018-01-29 14:39:28 UTC
Created attachment 1387832 [details]
MongoConnectionTest-1.0.war

Description of problem:
SELinux is blocking the connection to MongoDB on port 27017 from a Tomcat webapp.

Version selinux-policy-3.13.1-102.el7_3.16.noarch does not block the connection to MongoDB.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7_4.7.noarch

How reproducible:


Steps to Reproduce:
1. add mongodb-org-3.4.repo
------
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
------
2. yum install mongodb-org
3. systemctl start mongod
4. yum install tomcat
5. copy the attached file to /var/lib/tomcat/webapps
6. chown -R tomcat:tomcat /var/lib/tomcat/webapps
7. restorecon -Rv /var/lib/tomcat/webapps
8. systemctl start tomcat
9. see /var/log/messages

Actual results:
/var/log/messages
---------------
Jan 29 13:45:49 ws server: at java.lang.Thread.run(Thread.java:748)
Jan 29 13:45:50 ws server: 29.01.2018 13:45:50 INFO  [org.mongodb.driver.cluster] - Cluster created with settings {hosts=[localhost:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=500}
Jan 29 13:45:50 ws server: 29.01.2018 13:45:50 DEBUG [org.mongodb.driver.cluster] - Updating cluster description to  {type=UNKNOWN, servers=[{address=localhost:27017, type=UNKNOWN, state=CONNECTING}]
Jan 29 13:45:50 ws dbus[737]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan 29 13:45:50 ws dbus-daemon: dbus[737]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan 29 13:45:50 ws server: 29.01.2018 13:45:50 INFO  [org.mongodb.driver.cluster] - Cluster description not yet available. Waiting for 30000 ms before timing out
Jan 29 13:45:50 ws server: 29.01.2018 13:45:50 DEBUG [org.mongodb.driver.connection] - Closing connection connectionId{localValue:1}
Jan 29 13:45:50 ws server: 29.01.2018 13:45:50 INFO  [org.mongodb.driver.cluster] - Exception in monitor thread while connecting to server localhost:27017
Jan 29 13:45:50 ws server: com.mongodb.MongoSocketOpenException: Exception opening socket
Jan 29 13:45:50 ws server: at com.mongodb.connection.SocketStream.open(SocketStream.java:62)
Jan 29 13:45:50 ws server: at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:126)
Jan 29 13:45:50 ws server: at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:114)
Jan 29 13:45:50 ws server: at java.lang.Thread.run(Thread.java:748)
Jan 29 13:45:50 ws server: Caused by: java.net.ConnectException: Permission denied (connect failed)
Jan 29 13:45:50 ws server: at java.net.PlainSocketImpl.socketConnect(Native Method)
Jan 29 13:45:50 ws server: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Jan 29 13:45:50 ws server: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Jan 29 13:45:50 ws server: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Jan 29 13:45:50 ws server: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Jan 29 13:45:50 ws server: at java.net.Socket.connect(Socket.java:589)
Jan 29 13:45:50 ws server: at com.mongodb.connection.SocketStreamHelper.initialize(SocketStreamHelper.java:59)
Jan 29 13:45:50 ws server: at com.mongodb.connection.SocketStream.open(SocketStream.java:57)
Jan 29 13:45:50 ws server: ... 3 more
...
---------------
sealert -a audit.log
---------------
found 2 alerts in audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/bin/java from write access on the directory tomcat.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow java to have write access on the tomcat directory
Then you need to change the label on tomcat
Do
# semanage fcontext -a -t FILE_TYPE 'tomcat'
where FILE_TYPE is one of the following: pki_common_t, pki_ra_log_t, pki_tomcat_cert_t, pki_tomcat_etc_rw_t, pki_tomcat_log_t, pki_tomcat_var_lib_t, pki_tps_log_t, tmp_t, tomcat_cache_t, tomcat_log_t, tomcat_tmp_t, tomcat_var_lib_t, tomcat_var_run_t, var_lib_t, var_log_t, var_run_t, var_t.
Then execute:
restorecon -v 'tomcat'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that java should be allowed write access on the tomcat directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'java' --raw | audit2allow -M my-java
# semodule -i my-java.pp


Additional Information:
Source Context                system_u:system_r:tomcat_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                tomcat [ dir ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el
                              7_4.x86_64/jre/bin/java
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           java-1.8.0-openjdk-
                              headless-1.8.0.161-0.b14.el7_4.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7_4.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ws
Platform                      Linux ws 3.10.0-693.17.1.el7.x86_64 #1 SMP Sun Jan
                              14 10:36:03 EST 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-01-29 14:36:19 UTC
Last Seen                     2018-01-29 14:36:19 UTC
Local ID                      44fa733d-0c42-4b9e-8d95-2aed2dd790e0

Raw Audit Messages
type=AVC msg=audit(1517236579.199:146): avc:  denied  { write } for  pid=1880 comm="java" name="tomcat" dev="dm-0" ino=602560 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir


type=SYSCALL msg=audit(1517236579.199:146): arch=x86_64 syscall=open success=no exit=EACCES a0=7f7394148e30 a1=241 a2=1b6 a3=f items=0 ppid=1 pid=1880 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null)

Hash: java,tomcat_t,usr_t,dir,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 27017.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that java should be allowed name_connect access on the port 27017 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'java' --raw | audit2allow -M my-java
# semodule -i my-java.pp


Additional Information:
Source Context                system_u:system_r:tomcat_t:s0
Target Context                system_u:object_r:mongod_port_t:s0
Target Objects                port 27017 [ tcp_socket ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el
                              7_4.x86_64/jre/bin/java
Port                          27017
Host                          <Unknown>
Source RPM Packages           java-1.8.0-openjdk-
                              headless-1.8.0.161-0.b14.el7_4.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7_4.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ws
Platform                      Linux ws 3.10.0-693.17.1.el7.x86_64 #1 SMP Sun Jan
                              14 10:36:03 EST 2018 x86_64 x86_64
Alert Count                   21
First Seen                    2018-01-29 14:36:25 UTC
Last Seen                     2018-01-29 14:36:34 UTC
Local ID                      dae2fe89-9ee3-425a-8afa-bcab80cb66ce

Raw Audit Messages
type=AVC msg=audit(1517236594.616:166): avc:  denied  { name_connect } for  pid=1880 comm="java" dest=27017 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1517236594.616:166): arch=x86_64 syscall=connect success=no exit=EACCES a0=51 a1=7f73844ed490 a2=1c a3=28 items=0 ppid=1 pid=1880 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null)

Hash: java,tomcat_t,mongod_port_t,tcp_socket,name_connect
---------------



Expected results:
selinux-policy should allow the webapp to connect to MongoDB at localhost:27017.

Additional info:
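
As an added example (not part of this bug report or of the selinux-policy project), a small Python triage helper that parses the two raw AVC records quoted above, rebuilds the five-field key that sealert prints on its "Hash:" lines, and separates the port denial (tomcat_t lacks a rule for mongod_port_t, so only a policy change can resolve it) from the directory denial on a generically labelled target (a labeling candidate, which is what the 83.8-confidence catchall_labels plugin also pointed at). The list of "generic" file types and the next-step wording are the author's own assumptions, not setroubleshoot's.

```python
import re

# Two raw AVC records, constructed here from the two denials quoted in this report.
AVC_RECORDS = [
    'type=AVC msg=audit(1517236579.199:146): avc:  denied  { write } for  pid=1880 '
    'comm="java" name="tomcat" dev="dm-0" ino=602560 '
    'scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir',
    'type=AVC msg=audit(1517236594.616:166): avc:  denied  { name_connect } for  pid=1880 '
    'comm="java" dest=27017 scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}
# Assumption: target types this generic usually mean a mislabelled object, not a missing rule.
GENERIC_FILE_TYPES = {'usr_t', 'var_t', 'var_lib_t', 'default_t', 'unlabeled_t'}

def parse_avc(line):
    """Return {'decision', 'perms', 'fields'} for one raw AVC record, or None for other audit types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q if v.startswith('"') else v) for k, v, q in FIELD_RE.findall(m.group('rest'))}
    return {'decision': m.group('decision'), 'perms': m.group('perms').split(), 'fields': fields}

def context_type(ctx):
    """user:role:type[:level] -> type (third field; an MLS range may follow it)."""
    return ctx.split(':')[2]

def sealert_key(avc):
    """The five fields shown on the report's 'Hash:' lines: comm,stype,ttype,tclass,perms."""
    f = avc['fields']
    return ','.join([f['comm'], context_type(f['scontext']), context_type(f['tcontext']),
                     f['tclass'], ','.join(avc['perms'])])

def triage(avc):
    """Classify a denial so labels get checked before anyone writes an allow rule."""
    f = avc['fields']
    ttype, tclass = context_type(f['tcontext']), f['tclass']
    if tclass in ('tcp_socket', 'udp_socket') and ttype.endswith('_port_t'):
        return {'category': 'port', 'target': f.get('dest', '?'),
                'next_step': 'policy: the source domain has no rule for this port type; look for a '
                             'boolean (getsebool -a) before building a local module with audit2allow'}
    if tclass in FILE_CLASSES and ttype in GENERIC_FILE_TYPES:
        return {'category': 'labeling', 'target': f.get('name', '?'),
                'next_step': 'labeling: generic target type; compare with matchpathcon / restorecon -nv first'}
    return {'category': 'policy', 'target': f.get('name', f.get('dest', '?')),
            'next_step': 'policy: review the denied access before allowing it'}

if __name__ == '__main__':
    for rec in AVC_RECORDS:
        avc = parse_avc(rec)
        print(sealert_key(avc), '->', triage(avc)['next_step'])
```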

Comment 7 errata-xmlrpc 2018-10-30 10:02:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

