Description of problem: Jetty Web Application Server cannot read various cgroup limits which are set on the system. Version-Release number of selected component (if applicable): selinux-policy-3.14.3-46.fc30.noarch selinux-policy-targeted-3.14.3-46.fc30.noarch jetty-9.4.15-1.v20190215.fc30.noarch How reproducible: * always Steps to Reproduce: 1. get a Fedora 30 machine (targeted policy is active) 2. run following automated TC: * /CoreOS/selinux-policy/Regression/jetty-and-similar 3. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(09/26/2019 07:02:52.960:249) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk/bin/java -Djetty.logs=/var/log/jetty/logs -Djetty.home=/usr/share/jetty -Djetty.base=/usr/share/ type=PATH msg=audit(09/26/2019 07:02:52.960:249) : item=0 name=/sys/fs/cgroup/memory/system.slice/jetty.service/memory.limit_in_bytes nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/26/2019 07:02:52.960:249) : cwd=/usr/share/jetty type=SYSCALL msg=audit(09/26/2019 07:02:52.960:249) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9eb07f98 a2=O_RDONLY a3=0x0 items=1 ppid=6811 pid=6820 auid=unset uid=jetty gid=jetty euid=jetty suid=jetty fsuid=jetty egid=jetty sgid=jetty fsgid=jetty tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.fc30.ppc64le/bin/java subj=system_u:system_r:jetty_t:s0 key=(null) type=AVC msg=audit(09/26/2019 07:02:52.960:249) : avc: denied { search } for pid=6820 comm=java name=/ dev="tmpfs" ino=1131 scontext=system_u:system_r:jetty_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(09/26/2019 07:02:52.960:252) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk/bin/java -Djetty.logs=/var/log/jetty/logs -Djetty.home=/usr/share/jetty -Djetty.base=/usr/share/ type=PATH msg=audit(09/26/2019 07:02:52.960:252) : item=0 name=/sys/fs/cgroup/cpu,cpuacct/cpu.shares nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/26/2019 07:02:52.960:252) : cwd=/usr/share/jetty type=SYSCALL msg=audit(09/26/2019 07:02:52.960:252) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9eb0c208 a2=O_RDONLY a3=0x0 items=1 ppid=6811 pid=6820 auid=unset uid=jetty gid=jetty euid=jetty suid=jetty fsuid=jetty egid=jetty sgid=jetty fsgid=jetty tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.fc30.ppc64le/bin/java subj=system_u:system_r:jetty_t:s0 key=(null) type=AVC msg=audit(09/26/2019 07:02:52.960:252) : avc: denied { search } for pid=6820 comm=java name=/ dev="tmpfs" ino=1131 scontext=system_u:system_r:jetty_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 ---- Expected results: * no SELinux denials Additional info:
Hopefully jetty can handle CgroupsV2 as well as V1.
It will be fixed in SELinux policy package. PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/155
commit 9a04972cef785f47850c4d1674f49c70e1b4e3f4 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Richard Filo <rfilo> Date: Fri Oct 18 11:50:39 2019 +0200 Allow jetty_t domain search and read cgroup_t files. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1760889
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.