Bug 837149 - Tomcat 6 runs in initrc_t domain (Missing policies)
Tomcat 6 runs in initrc_t domain (Missing policies)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
17
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-02 21:44 EDT by William Brown
Modified: 2012-07-17 13:28 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-17 13:28:22 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description William Brown 2012-07-02 21:44:03 EDT
Description of problem:
Tomcat6 in a default install runs in the initrc_t domain. While it may be running as tomcat's user, this is still a suboptimal configuration that should be contained. This is compounded by the fact that tomcat is generally a user facing internet service.

Steps to Reproduce:
1. yum install tomcat6
2. systemctl start tomcat6.service
3. pus auxZ | grep tomcat
  
Actual results:
Tomcat is running in initrc_t domain

Expected results:
Tomcat should be confined to either a tomcat_t domain, or a httpd_t domain. Appropriate booleans should exist to allow database and network access as is similar for httpd. 

Additional info:

system_u:system_r:initrc_t:s0   tomcat   21742  8.8  0.7 3923952 60080 ?       Sl   11:04   0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
Comment 1 Miroslav Grepl 2012-07-03 01:07:23 EDT
It has been fixed in selinux-policy-3.10.0-134.fc17

what is your policy version

# rpm -q selinux-policy
Comment 2 William Brown 2012-07-03 01:14:53 EDT
selinux-policy-3.10.0-132.fc17.noarch

I have a single update awaiting application in yum to

selinux-policy.noarch                                           3.10.0-134.fc17                                               updates

Does that update correct the issue?
Comment 3 William Brown 2012-07-03 01:15:36 EDT
Don't mind my dyslexia - I just noticed that you said the update fixes this issue. I'll apply the update to confirm.
Comment 4 William Brown 2012-07-03 02:02:28 EDT
After update, relable and reboot this issue continues to persist.:

[root@strawberry]~# ps auxZ | grep -i tomcat
system_u:system_r:initrc_t:s0   tomcat    2444 23.0  0.5 3391368 44652 ?       Sl   15:30   0:00 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2470 0.0  0.0 109400 888 pts/0 S+ 15:30   0:00 grep --color=auto -i tomcat
[root@strawberry]~# yum info selinux-policy
Loaded plugins: changelog, langpacks, presto, refresh-packagekit
Installed Packages
Name        : selinux-policy
Arch        : noarch
Version     : 3.10.0
Release     : 134.fc17
Size        : 62  
Repo        : installed
From repo   : updates
Summary     : SELinux policy configuration
URL         : http://oss.tresys.com/repos/refpolicy/
License     : GPLv2+
Description : SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision  2.20091117
Comment 5 Miroslav Grepl 2012-07-03 02:22:08 EDT
Ok, probably I see the problem. We have labeling just for

/usr/sbin/tomcat        --  gen_context(system_u:object_r:tomcat_exec_t,s0)


So try to execute

# chcon -t tomcat_exec_t `which tomcat6`
# ls -Z `which tomcat6`
# systemctl restart tomcat6.service
Comment 6 William Brown 2012-07-03 02:26:24 EDT
This has corrected the problem (temporaily). I will wait for the policy update to be shipped for the permanent fix.

system_u:system_r:tomcat_t:s0   tomcat    2970 18.8  0.7 3923952 60816 ?       Sl   15:54   0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Is this issue also present on RHEL?
Comment 7 Miroslav Grepl 2012-07-03 03:43:44 EDT
Fixed in selinux-policy-3.10.0-137.fc17

We will need to fix it in RHEL6.4 too.
Comment 8 Fedora Update System 2012-07-04 02:42:02 EDT
selinux-policy-3.10.0-137.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-137.fc17
Comment 9 Fedora Update System 2012-07-05 19:37:05 EDT
Package selinux-policy-3.10.0-137.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-137.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10279/selinux-policy-3.10.0-137.fc17
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2012-07-17 13:28:22 EDT
selinux-policy-3.10.0-137.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.