Bug 726031 - tomcat6 can not run successfully under mls policy
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2011-07-27 11:19 UTC by benedictziv
Modified: 2011-10-21 13:50 UTC (History)

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Last Closed: 2011-10-21 13:50:09 UTC

Links:
Red Hat Product Errata RHBA-2011:1511 (Private: 0, Priority: normal, Status: SHIPPED_LIVE, Summary: selinux-policy bug fix and enhancement update, Last Updated: 2011-12-06 00:39:17 UTC)

Description benedictziv 2011-07-27 11:19:35 UTC
Description of problem:

When I start tomcat6 with the command "service tomcat6 start" or "run_init service tomcat6 start", tomcat6 runs under the context "system_u:system_r:unconfined_java_t" and the web applications can't run successfully.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install tomcat
2. Deploy a JSP web application
3. Use run_init to start tomcat and visit it
  
Actual results:

Can't visit the web page in enforcing mode.

Expected results:


Additional info:

type=AVC msg=audit(1311756591.677:26951): avc:  denied  { search } for  pid=3802 comm="java" name="lib" dev=dm-0 ino=261122 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1311756591.677:26951): avc:  denied  { read } for  pid=3802 comm="java" name="webapps" dev=dm-0 ino=667388 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1311756591.677:26951): avc:  denied  { open } for  pid=3802 comm="java" name="webapps" dev=dm-0 ino=667388 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1311756591.677:26953): avc:  denied  { search } for  pid=3802 comm="java" name="www" dev=dm-0 ino=268005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756591.677:26953): avc:  denied  { getattr } for  pid=3802 comm="java" path="/var/www/html/jsp3/WEB-INF/lib/FCKeditor-2.3.jar" dev=dm-0 ino=300602 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1311756591.678:26954): avc:  denied  { read } for  pid=3802 comm="java" name="FCKeditor-2.3.jar" dev=dm-0 ino=300602 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1311756591.678:26955): avc:  denied  { getattr } for  pid=3802 comm="java" path="/var/www" dev=dm-0 ino=268005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756591.679:26956): avc:  denied  { read } for  pid=3802 comm="java" name="lib" dev=dm-0 ino=302718 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756591.679:26957): avc:  denied  { open } for  pid=3802 comm="java" name="lib" dev=dm-0 ino=302718 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756591.611:26958): avc:  denied  { rlimitinh } for  pid=4033 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756591.611:26958): avc:  denied  { siginh } for  pid=4033 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756591.611:26958): avc:  denied  { noatsecure } for  pid=4033 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756625.198:26961): avc:  denied  { rlimitinh } for  pid=4104 comm="run_init" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756625.198:26961): avc:  denied  { siginh } for  pid=4104 comm="run_init" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756625.198:26961): avc:  denied  { noatsecure } for  pid=4104 comm="run_init" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756625.614:26962): avc:  denied  { search } for  pid=4104 comm="run_init" name="dbus" dev=dm-0 ino=264528 scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1311756625.614:26962): avc:  denied  { write } for  pid=4104 comm="run_init" name="system_bus_socket" dev=dm-0 ino=299577 scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1311756625.614:26962): avc:  denied  { connectto } for  pid=4104 comm="run_init" path="/var/run/dbus/system_bus_socket" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1311756626.392:26966): avc:  denied  { rlimitinh } for  pid=4107 comm="unix_chkpwd" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756626.392:26966): avc:  denied  { siginh } for  pid=4107 comm="unix_chkpwd" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756626.392:26966): avc:  denied  { noatsecure } for  pid=4107 comm="unix_chkpwd" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756628.633:26969): avc:  denied  { rlimitinh } for  pid=4104 comm="open_init_pty" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756628.633:26969): avc:  denied  { siginh } for  pid=4104 comm="open_init_pty" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756628.633:26969): avc:  denied  { noatsecure } for  pid=4104 comm="open_init_pty" scontext=root:sysadm_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756629.370:26972): avc:  denied  { rlimitinh } for  pid=4142 comm="hostname" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:hostname_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756629.370:26972): avc:  denied  { noatsecure } for  pid=4142 comm="hostname" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:hostname_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756629.864:26973): avc:  denied  { read write } for  pid=4158 comm="java" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1311756629.864:26973): avc:  denied  { rlimitinh } for  pid=4158 comm="java" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756629.864:26973): avc:  denied  { noatsecure } for  pid=4158 comm="java" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756629.948:26974): avc:  denied  { execute_no_trans } for  pid=4158 comm="java" path="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/bin/java" dev=dm-0 ino=158371 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=AVC msg=audit(1311756630.023:26975): avc:  denied  { search } for  pid=4169 comm="java" name="/" dev=sysfs ino=1 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311756630.023:26975): avc:  denied  { read } for  pid=4169 comm="java" name="cpu" dev=sysfs ino=22 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311756630.023:26975): avc:  denied  { open } for  pid=4169 comm="java" name="cpu" dev=sysfs ino=22 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311756630.023:26976): avc:  denied  { read } for  pid=4169 comm="java" name="meminfo" dev=proc ino=4026532015 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1311756630.023:26976): avc:  denied  { open } for  pid=4169 comm="java" name="meminfo" dev=proc ino=4026532015 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1311756630.023:26977): avc:  denied  { getattr } for  pid=4169 comm="java" path="/proc/meminfo" dev=proc ino=4026532015 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1311756630.054:26978): avc:  denied  { search } for  pid=4169 comm="java" name="nscd" dev=dm-0 ino=270054 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1311756630.054:26979): avc:  denied  { read } for  pid=4169 comm="java" name="nsswitch.conf" dev=dm-0 ino=391770 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1311756630.054:26979): avc:  denied  { open } for  pid=4169 comm="java" name="nsswitch.conf" dev=dm-0 ino=391770 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1311756630.054:26980): avc:  denied  { getattr } for  pid=4169 comm="java" path="/etc/nsswitch.conf" dev=dm-0 ino=391770 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1311756630.054:26981): avc:  denied  { read } for  pid=4169 comm="java" name="hsperfdata_tomcat" dev=dm-0 ino=667278 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756630.073:26982): avc:  denied  { signull } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756630.073:26983): avc:  denied  { write } for  pid=4169 comm="java" name="hsperfdata_tomcat" dev=dm-0 ino=667278 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756630.073:26983): avc:  denied  { add_name } for  pid=4169 comm="java" name="4168" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756630.073:26983): avc:  denied  { create } for  pid=4169 comm="java" name="4168" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1311756630.073:26983): avc:  denied  { read write open } for  pid=4169 comm="java" name="4168" dev=dm-0 ino=660834 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1311756630.073:26984): avc:  denied  { execmem } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756630.100:26985): avc:  denied  { search } for  pid=4169 comm="java" name="locale" dev=dm-0 ino=916954 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir
type=AVC msg=audit(1311756630.100:26985): avc:  denied  { read } for  pid=4169 comm="java" name="locale-archive" dev=dm-0 ino=918297 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1311756630.100:26985): avc:  denied  { open } for  pid=4169 comm="java" name="locale-archive" dev=dm-0 ino=918297 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1311756630.100:26986): avc:  denied  { getattr } for  pid=4169 comm="java" path="/usr/lib/locale/locale-archive" dev=dm-0 ino=918297 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1311756630.130:26987): avc:  denied  { getattr } for  pid=4169 comm="java" path="/usr/share/tomcat6/bin/bootstrap.jar" dev=dm-0 ino=21762 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1311756630.130:26988): avc:  denied  { read } for  pid=4169 comm="java" name="bootstrap.jar" dev=dm-0 ino=21762 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1311756630.130:26989): avc:  denied  { getattr } for  pid=4169 comm="java" path="/usr/share/tomcat6/bin/bootstrap-6.0.24.jar" dev=dm-0 ino=21761 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1311756630.132:26990): avc:  denied  { getattr } for  pid=4169 comm="java" path="/usr/share/java/commons-daemon.jar" dev=dm-0 ino=955750 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=AVC msg=audit(1311756630.132:26991): avc:  denied  { read } for  pid=4169 comm="java" name="commons-daemon.jar" dev=dm-0 ino=955750 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=AVC msg=audit(1311756630.138:26992): avc:  denied  { read } for  pid=4169 comm="java" name="bootstrap-6.0.24.jar" dev=dm-0 ino=21761 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1311756630.138:26992): avc:  denied  { open } for  pid=4169 comm="java" name="bootstrap-6.0.24.jar" dev=dm-0 ino=21761 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1311756630.150:26993): avc:  denied  { getattr } for  pid=4169 comm="java" path="/dev/random" dev=devtmpfs ino=3597 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756630.150:26994): avc:  denied  { getattr } for  pid=4169 comm="java" path="/dev/urandom" dev=devtmpfs ino=3598 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756630.151:26995): avc:  denied  { read } for  pid=4169 comm="java" name="random" dev=devtmpfs ino=3597 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756630.151:26995): avc:  denied  { open } for  pid=4169 comm="java" name="random" dev=devtmpfs ino=3597 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756630.151:26996): avc:  denied  { read } for  pid=4169 comm="java" name="urandom" dev=devtmpfs ino=3598 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756630.151:26996): avc:  denied  { open } for  pid=4169 comm="java" name="urandom" dev=devtmpfs ino=3598 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756630.534:26997): avc:  denied  { create } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.535:26998): avc:  denied  { read } for  pid=4169 comm="java" name="if_inet6" dev=proc ino=4026532410 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1311756630.535:26998): avc:  denied  { open } for  pid=4169 comm="java" name="if_inet6" dev=proc ino=4026532410 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1311756630.535:26999): avc:  denied  { getattr } for  pid=4169 comm="java" path="/proc/4168/net/if_inet6" dev=proc ino=4026532410 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1311756630.537:27000): avc:  denied  { create } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1311756630.537:27001): avc:  denied  { bind } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1311756630.538:27002): avc:  denied  { getattr } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1311756630.538:27003): avc:  denied  { write } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1311756630.538:27003): avc:  denied  { nlmsg_read } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1311756630.539:27004): avc:  denied  { read } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1311756630.576:27005): avc:  denied  { read } for  pid=4169 comm="java" name="resolv.conf" dev=dm-0 ino=428217 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1311756630.576:27005): avc:  denied  { open } for  pid=4169 comm="java" name="resolv.conf" dev=dm-0 ino=428217 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1311756630.576:27006): avc:  denied  { getattr } for  pid=4169 comm="java" path="/etc/resolv.conf" dev=dm-0 ino=428217 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1311756630.609:27007): avc:  denied  { listen } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.609:27008): avc:  denied  { getattr } for  pid=4169 comm="java" lport=39503 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.609:27009): avc:  denied  { connect } for  pid=4169 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.609:27009): avc:  denied  { name_connect } for  pid=4169 comm="java" dest=39503 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756630.612:27010): avc:  denied  { accept } for  pid=4169 comm="java" lport=39503 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.612:27011): avc:  denied  { shutdown } for  pid=4169 comm="java" laddr=::1 lport=34577 faddr=::1 fport=39503 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.618:27012): avc:  denied  { write } for  pid=4169 comm="java" laddr=::ffff:127.0.0.1 lport=46494 faddr=::ffff:127.0.0.1 fport=8005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.618:27013): avc:  denied  { read } for  pid=3790 comm="java" laddr=::ffff:127.0.0.1 lport=8005 faddr=::ffff:127.0.0.1 fport=46494 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.620:27014): avc:  denied  { setopt } for  pid=3790 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.622:27015): avc:  denied  { name_connect } for  pid=3790 comm="java" dest=8080 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756630.624:27016): avc:  denied  { getopt } for  pid=3790 comm="java" laddr=::ffff:127.0.0.1 lport=53194 faddr=::ffff:127.0.0.1 fport=8080 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756630.640:27017): avc:  denied  { name_connect } for  pid=3790 comm="java" dest=8009 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756630.646:27018): avc:  denied  { remove_name } for  pid=4169 comm="java" name="4168" dev=dm-0 ino=660834 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756630.646:27018): avc:  denied  { unlink } for  pid=4169 comm="java" name="4168" dev=dm-0 ino=660834 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1311756631.645:27021): avc:  denied  { write } for  pid=3790 comm="java" name="_" dev=dm-0 ino=783390 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1311756631.645:27021): avc:  denied  { add_name } for  pid=3790 comm="java" name="SESSIONS.ser" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1311756631.645:27021): avc:  denied  { create } for  pid=3790 comm="java" name="SESSIONS.ser" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1311756631.645:27021): avc:  denied  { write open } for  pid=3790 comm="java" name="SESSIONS.ser" dev=dm-0 ino=783373 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1311756631.647:27022): avc:  denied  { getattr } for  pid=3790 comm="java" path="/var/cache/tomcat6/work/Catalina/localhost/_/SESSIONS.ser" dev=dm-0 ino=783373 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1311756631.718:27023): avc:  denied  { search } for  pid=3790 comm="java" name="www" dev=dm-0 ino=268005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756631.720:27024): avc:  denied  { open } for  pid=3790 comm="java" name="FCKeditor-2.3.jar" dev=dm-0 ino=300602 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1311756632.358:27025): avc:  denied  { write } for  pid=3790 comm="java" name="hsperfdata_tomcat" dev=dm-0 ino=667278 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756632.358:27025): avc:  denied  { remove_name } for  pid=3790 comm="java" name="3787" dev=dm-0 ino=667279 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756632.358:27025): avc:  denied  { unlink } for  pid=3790 comm="java" name="3787" dev=dm-0 ino=667279 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1311756632.962:27028): avc:  denied  { rlimitinh } for  pid=4210 comm="hostname" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:hostname_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756632.962:27028): avc:  denied  { noatsecure } for  pid=4210 comm="hostname" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:hostname_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1311756632.986:27029): avc:  denied  { read write } for  pid=4226 comm="java" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1311756632.989:27030): avc:  denied  { execute_no_trans } for  pid=4226 comm="java" path="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/bin/java" dev=dm-0 ino=158371 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=AVC msg=audit(1311756633.019:27033): avc:  denied  { read } for  pid=4240 comm="java" name="hsperfdata_tomcat" dev=dm-0 ino=667278 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756633.021:27034): avc:  denied  { add_name } for  pid=4240 comm="java" name="4236" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311756633.021:27034): avc:  denied  { create } for  pid=4240 comm="java" name="4236" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1311756633.021:27034): avc:  denied  { read write open } for  pid=4240 comm="java" name="4236" dev=dm-0 ino=660834 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1311756633.097:27035): avc:  denied  { getattr } for  pid=4240 comm="java" path="/dev/random" dev=devtmpfs ino=3597 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756633.097:27036): avc:  denied  { read } for  pid=4240 comm="java" name="random" dev=devtmpfs ino=3597 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756633.097:27036): avc:  denied  { open } for  pid=4240 comm="java" name="random" dev=devtmpfs ino=3597 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1311756633.124:27037): avc:  denied  { read } for  pid=4240 comm="java" name="zoneinfo" dev=dm-0 ino=914921 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir
type=AVC msg=audit(1311756633.124:27037): avc:  denied  { open } for  pid=4240 comm="java" name="zoneinfo" dev=dm-0 ino=914921 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir
type=AVC msg=audit(1311756633.128:27038): avc:  denied  { getattr } for  pid=4240 comm="java" path="/usr/share/zoneinfo/Canada" dev=dm-0 ino=915162 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir
type=AVC msg=audit(1311756633.130:27039): avc:  denied  { getattr } for  pid=4240 comm="java" path="/usr/share/javazi/ZoneInfoMappings" dev=dm-0 ino=143358 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1311756633.136:27040): avc:  denied  { read } for  pid=4240 comm="java" name="ZoneInfoMappings" dev=dm-0 ino=143358 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1311756633.136:27040): avc:  denied  { open } for  pid=4240 comm="java" name="ZoneInfoMappings" dev=dm-0 ino=143358 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1311756633.146:27041): avc:  denied  { search } for  pid=4240 comm="java" name="log" dev=dm-0 ino=262733 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 tclass=dir
type=AVC msg=audit(1311756633.146:27041): avc:  denied  { getattr } for  pid=4240 comm="java" path="/var/log/tomcat6" dev=dm-0 ino=667389 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1311756633.148:27042): avc:  denied  { search } for  pid=4240 comm="java" name="tomcat6" dev=dm-0 ino=667389 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1311756634.599:27043): avc:  denied  { create } for  pid=4240 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.599:27044): avc:  denied  { read } for  pid=4240 comm="java" name="if_inet6" dev=proc ino=4026532410 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1311756634.599:27044): avc:  denied  { open } for  pid=4240 comm="java" name="if_inet6" dev=proc ino=4026532410 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1311756634.599:27045): avc:  denied  { getattr } for  pid=4240 comm="java" path="/proc/4236/net/if_inet6" dev=proc ino=4026532410 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1311756634.599:27046): avc:  denied  { listen } for  pid=4240 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.599:27047): avc:  denied  { getattr } for  pid=4240 comm="java" lport=43128 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.601:27048): avc:  denied  { connect } for  pid=4240 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.601:27049): avc:  denied  { accept } for  pid=4240 comm="java" lport=43128 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.601:27050): avc:  denied  { shutdown } for  pid=4240 comm="java" laddr=::1 lport=48766 faddr=::1 fport=43128 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.603:27051): avc:  denied  { setopt } for  pid=4240 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.603:27052): avc:  denied  { bind } for  pid=4240 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.603:27052): avc:  denied  { name_bind } for  pid=4240 comm="java" src=8080 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756634.603:27052): avc:  denied  { node_bind } for  pid=4240 comm="java" src=8080 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:node_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.673:27053): avc:  denied  { getattr } for  pid=4240 comm="java" path="/var/lib" dev=dm-0 ino=261122 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1311756634.677:27054): avc:  denied  { getattr } for  pid=4240 comm="java" path="/var/www" dev=dm-0 ino=268005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756634.716:27055): avc:  denied  { read } for  pid=4240 comm="java" name="jsp3" dev=dm-0 ino=302569 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756634.749:27056): avc:  denied  { open } for  pid=4240 comm="java" name="lib" dev=dm-0 ino=302718 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756635.023:27057): avc:  denied  { read } for  pid=4240 comm="java" name="SESSIONS.ser" dev=dm-0 ino=783373 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1311756635.083:27058): avc:  denied  { remove_name } for  pid=4240 comm="java" name="SESSIONS.ser" dev=dm-0 ino=783373 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1311756635.083:27058): avc:  denied  { unlink } for  pid=4240 comm="java" name="SESSIONS.ser" dev=dm-0 ino=783373 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1311756635.107:27059): avc:  denied  { read } for  pid=4240 comm="java" name="_" dev=dm-0 ino=783390 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1311756635.202:27060): avc:  denied  { name_bind } for  pid=4240 comm="java" src=8009 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756635.240:27061): avc:  denied  { name_bind } for  pid=4240 comm="java" src=8005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756640.017:27062): avc:  denied  { read } for  pid=4255 comm="java" laddr=::ffff:127.0.0.1 lport=8009 faddr=::ffff:127.0.0.1 fport=34097 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756640.246:27063): avc:  denied  { write } for  pid=4255 comm="java" laddr=::ffff:127.0.0.1 lport=8009 faddr=::ffff:127.0.0.1 fport=34097 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756697.121:27064): avc:  denied  { write } for  pid=4254 comm="java" name="Image" dev=dm-0 ino=302720 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311756697.121:27064): avc:  denied  { rename } for  pid=4254 comm="java" name="upload_00000000.tmp" dev=dm-0 ino=667279 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1311756717.174:27065): avc:  denied  { read } for  pid=4261 comm="java" name="work" dev=dm-0 ino=21771 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
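
The denials listed above are easier to triage once grouped by source type, target type and object class. The Python below is an added example, not part of the original report or of any Red Hat tool; its function names are hypothetical, and its sample input is five records copied from this report.

```python
import re
from collections import defaultdict

# Five records copied from the report above, used as sample input.
SAMPLE = """\
type=AVC msg=audit(1311756633.146:27041): avc:  denied  { search } for  pid=4240 comm="java" name="log" dev=dm-0 ino=262733 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 tclass=dir
type=AVC msg=audit(1311756633.146:27041): avc:  denied  { getattr } for  pid=4240 comm="java" path="/var/log/tomcat6" dev=dm-0 ino=667389 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1311756634.603:27052): avc:  denied  { bind } for  pid=4240 comm="java" scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1311756634.603:27052): avc:  denied  { name_bind } for  pid=4240 comm="java" src=8080 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1311756635.240:27061): avc:  denied  { name_bind } for  pid=4240 comm="java" src=8005 scontext=system_u:system_r:unconfined_java_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m["fields"])}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type[:range]; the MLS range itself contains ':'.
    src, tgt = f["scontext"].split(":", 3), f["tcontext"].split(":", 3)
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": m["perms"].split(), "source": src[2], "target": tgt[2],
            "source_range": src[3] if len(src) > 3 else "",
            "tclass": f["tclass"], "fields": f}


def summarize(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def denied_port_binds(text):
    """List (port, port type) pairs the process was refused name_bind on."""
    recs = filter(None, map(parse_avc, text.splitlines()))
    return sorted({(int(r["fields"]["src"]), r["target"]) for r in recs
                   if "name_bind" in r["perms"] and "src" in r["fields"]})
```

Feeding the full audit log to `summarize` collapses the denials into one line per (source, target, class) triple, which shows at a glance how much of the service's normal file and socket activity the `unconfined_java_t` domain is refused under this policy.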

Comment 2 benedictziv 2011-07-27 11:25:23 UTC
I wonder whether it is necessary to write some policy for tomcat like apache, to let tomcat run in the type of tomcat_t or another special type.

Comment 4 Daniel Walsh 2011-07-29 12:50:20 UTC
unconfined_java_t should not even exist on an MLS box.  There should be no unconfined domains.

The proper way to handle this would be to leave java in the initrc_t domain.

Comment 5 Miroslav Grepl 2011-07-29 13:07:18 UTC
Yes, but the problem is we have

type unconfined_java_t;
init_system_domain(unconfined_java_t, java_exec_t)


So this should be only for targeted policy.

Comment 6 Daniel Walsh 2011-07-29 13:30:50 UTC
Yes.

Comment 7 Daniel Walsh 2011-07-29 13:31:52 UTC
I actually think we should start pulling back from running java from init scripts altogether.  And allow initrc_t execmem execstack if the unconfined module is installed.

Comment 9 Miroslav Grepl 2011-08-10 15:57:49 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 11 benedictziv 2011-08-26 02:19:43 UTC
I wonder whether it is necessary to write a module for tomcat6 to let tomcat6 run in a domain like tomcat6_t.

Comment 14 Miroslav Grepl 2011-10-21 12:24:24 UTC
tomcat6 is running as initrc_t in MLS which is correct. Which means we don't support it in MLS.

Comment 16 Daniel Walsh 2011-10-21 13:50:09 UTC
We do not support all domains in MLS policy.

