Bug 1565226 - Red Hat Certificate System (RHCS) gets execstack denial during startup
Summary: Red Hat Certificate System (RHCS) gets execstack denial during startup
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-09 16:29 UTC by David Mulford
Modified: 2021-12-10 15:55 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: Release Note
Doc Text:
A new SELinux boolean called tomcat_use_execmem was introduced so that system administrator can decide if such use case should be allowed or not.
Clone Of:
Last Closed: 2018-10-30 10:03:16 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Article) 3685231 0 None None None 2018-11-12 14:11:01 UTC
Red Hat Product Errata RHBA-2018:3111 0 None None None 2018-10-30 10:04:01 UTC

Description David Mulford 2018-04-09 16:29:34 UTC
Description of problem:
After upgrading from RHEL 7.3 and RHCS 9.1 to RHEL 7.4 and RHCS 9.2, the following AVC denial is seen when starting RHCS services.

type=AVC msg=audit(1523027312.736:510): avc:  denied  { execstack } for  pid=2642 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process

Version-Release number of selected component (if applicable):
- RHEL 7.4
- RHCS 9.2

Actual results:
RHCS services fail to start with AVC denial listed above.

Expected results:
All RHCS services should start successfully.

Comment 4 Milos Malik 2018-04-13 12:12:13 UTC
Based on the content of the SELinux denial, Tomcat server tries to run java, which behaves differently than Tomcat. Here is the only way to escape from the tomcat_t domain:

# sesearch -s tomcat_t -c process -T
Found 1 semantic te rules:
   type_transition tomcat_t abrt_helper_exec_t : process abrt_helper_t; 


Could this be related to https://bugzilla.redhat.com/show_bug.cgi?id=1432083 ?

Comment 5 Lukas Vrabec 2018-04-13 15:37:11 UTC
I would say we should create new boolean called tomcat_execmem which will allow make stack executable.

Comment 11 errata-xmlrpc 2018-10-30 10:03:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.