1565226 – Red Hat Certificate System (RHCS) gets execstack denial during startup

Bug 1565226 - Red Hat Certificate System (RHCS) gets execstack denial during startup

Summary: Red Hat Certificate System (RHCS) gets execstack denial during startup

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-09 16:29 UTC by David Mulford
Modified:	2018-11-12 14:11 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.13.1-197.el7
Doc Type:	Release Note
Doc Text:	A new SELinux boolean called tomcat_use_execmem was introduced so that system administrator can decide if such use case should be allowed or not.
Clone Of:
Environment:
Last Closed:	2018-10-30 10:03:16 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Article)	3685231	0	None	None	None	2018-11-12 14:11:01 UTC
Red Hat Product Errata	RHBA-2018:3111	0	None	None	None	2018-10-30 10:04:01 UTC

Description David Mulford 2018-04-09 16:29:34 UTC

Description of problem:
After upgrading from RHEL 7.3 and RHCS 9.1 to RHEL 7.4 and RHCS 9.2, the following AVC denial is seen when starting RHCS services.

type=AVC msg=audit(1523027312.736:510): avc:  denied  { execstack } for  pid=2642 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process


Version-Release number of selected component (if applicable):
- RHEL 7.4
- RHCS 9.2


Actual results:
RHCS services fail to start with AVC denial listed above.

Expected results:
All RHCS services should start successfully.

Comment 4 Milos Malik 2018-04-13 12:12:13 UTC

Based on the content of the SELinux denial, Tomcat server tries to run java, which behaves differently than Tomcat. Here is the only way to escape from the tomcat_t domain:

# sesearch -s tomcat_t -c process -T
Found 1 semantic te rules:
   type_transition tomcat_t abrt_helper_exec_t : process abrt_helper_t; 

#

Could this be related to https://bugzilla.redhat.com/show_bug.cgi?id=1432083 ?

Comment 5 Lukas Vrabec 2018-04-13 15:37:11 UTC

I would say we should create new boolean called tomcat_execmem which will allow make stack executable.

Comment 11 errata-xmlrpc 2018-10-30 10:03:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.