Description of problem:
I had a pair of servlets that were correctly operating prior to the recent tomcat upgrade (installed by yum on 22 May) that no longer start. I am now getting the following errors in catalina.out (note that there were no matching errors in either /var/log/messages or /var/log/audit/audit.log):

SEVERE: IOException while saving persisted sessions: java.io.FileNotFoundException: /usr/share/tomcat5/work/Catalina/localhost/pmei/SESSIONS.ser (permission denied)
SEVERE: Exception unloading sessions to persistent storage
(same FNFE as above)
(see attached log for further details)

(one other oddity is the line:
ow: ow-ha.cfg -> /usr/share/tomcat5/ow-ha.cfg
because, in the previous version of tomcat it was:
ow: ow-ha.cfg -> /root/ow-ha.cfg)

I marked this bug confidential as I am providing my unedited log file and I don't feel like going through the co-ordination process necessary to make this log file available to the public.

Finally, I don't know what the labelling on the directories was prior to the upgrade, but I am also attaching those listings in a follow-up.

Version-Release number of selected component (if applicable):
tomcat5-5.5.23-0jpp.2.fc6

How reproducible:
Every time.

Steps to Reproduce:
1. /etc/init.d/tomcat5 restart

Actual results:
See attached log file

Expected results:
Servlets start as expected.
Created attachment 155692
log file

Created attachment 155693
directory listing

Proof that the directories / files exist. Again, note that selinux didn't log anything.
Reverting to tomcat5-5.5.17-6jpp.2 resolved the file / session problems.
You can ignore the comment regarding the ow-ha.cfg oddity. This was caused because one servlet that I have opens a port below 1024 and I was getting a permission error unless TOMCAT_USER was root. The update moved my tomcat5.conf to tomcat5.conf.rpmsave and thus TOMCAT_USER was "tomcat" again and thus created that problem.
(In reply to comment #4)
> You can ignore the comment regarding the ow-ha.cfg oddity. This was caused
> because one servlet that I have opens a port below 1024 and I was getting a
> permission error unless TOMCAT_USER was root. The update moved my tomcat5.conf
> to tomcat5.conf.rpmsave and thus TOMCAT_USER was "tomcat" again and thus created
> that problem.

Did you try running 5.5.23 with TOMCAT_USER set to root as well? From your comments, it doesn't seem like it... The files are clearly owned by root and 5.5.23 (as most previous releases of tomcat on fedora) is run as tomcat by default...
Actually, I reverted in comment 3 (which caused the session problem to resolve) even though TOMCAT_USER=tomcat; then, realizing that I wasn't able to bind to port 53/udp, modified TOMCAT_USER, and later remembered to post comment 4. But, today I reinstalled 5.5.23 and (even though TOMCAT_USER="root"), it didn't work. I'm busy with other things today, but hopefully next week I'll get around to doing what I know I should have done all along (namely use iptables to redirect port 53/udp to a high numbered port and run tomcat as an unprivileged user) and report back.
(In reply to comment #6)
> But,
> today I reinstalled 5.5.23 and (even though TOMCAT_USER="root"), it didn't work.

Sounds like SELinux might be disallowing those accesses. Have you had any AVC denials?
This bug is open for a Fedora version that is no longer maintained and will not be fixed by Fedora. Therefore we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.