Bug 837149 - Tomcat 6 runs in initrc_t domain (Missing policies)
Summary: Tomcat 6 runs in initrc_t domain (Missing policies)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-07-03 01:44 UTC by William Brown
Modified: 2012-07-17 17:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-07-17 17:28:22 UTC
Type: Bug
Embargoed:



Description William Brown 2012-07-03 01:44:03 UTC
Description of problem:
Tomcat6 in a default install runs in the initrc_t domain. While it may be running as tomcat's user, this is still a suboptimal configuration that should be contained. This is compounded by the fact that tomcat is generally a user facing internet service.

Steps to Reproduce:
1. yum install tomcat6
2. systemctl start tomcat6.service
3. ps auxZ | grep tomcat
  
Actual results:
Tomcat is running in initrc_t domain

Expected results:
Tomcat should be confined to either a tomcat_t domain, or a httpd_t domain. Appropriate booleans should exist to allow database and network access as is similar for httpd.

Additional info:

system_u:system_r:initrc_t:s0   tomcat   21742  8.8  0.7 3923952 60080 ?       Sl   11:04   0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Comment 1 Miroslav Grepl 2012-07-03 05:07:23 UTC
It has been fixed in selinux-policy-3.10.0-134.fc17

What is your policy version?

# rpm -q selinux-policy

Comment 2 William Brown 2012-07-03 05:14:53 UTC
selinux-policy-3.10.0-132.fc17.noarch

I have a single update awaiting application in yum to

selinux-policy.noarch                                           3.10.0-134.fc17                                               updates

Does that update correct the issue?

Comment 3 William Brown 2012-07-03 05:15:36 UTC
Don't mind my dyslexia - I just noticed that you said the update fixes this issue. I'll apply the update to confirm.

Comment 4 William Brown 2012-07-03 06:02:28 UTC
After update, relabel and reboot, this issue continues to persist:

[root@strawberry]~# ps auxZ | grep -i tomcat
system_u:system_r:initrc_t:s0   tomcat    2444 23.0  0.5 3391368 44652 ?       Sl   15:30   0:00 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2470 0.0  0.0 109400 888 pts/0 S+ 15:30   0:00 grep --color=auto -i tomcat
[root@strawberry]~# yum info selinux-policy
Loaded plugins: changelog, langpacks, presto, refresh-packagekit
Installed Packages
Name        : selinux-policy
Arch        : noarch
Version     : 3.10.0
Release     : 134.fc17
Size        : 62  
Repo        : installed
From repo   : updates
Summary     : SELinux policy configuration
URL         : http://oss.tresys.com/repos/refpolicy/
License     : GPLv2+
Description : SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision  2.20091117

Comment 5 Miroslav Grepl 2012-07-03 06:22:08 UTC
Ok, I probably see the problem. We have labeling just for

/usr/sbin/tomcat        --  gen_context(system_u:object_r:tomcat_exec_t,s0)


So try to execute

# chcon -t tomcat_exec_t `which tomcat6`
# ls -Z `which tomcat6`
# systemctl restart tomcat6.service

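The diagnosis in Comment 5 is the kind of thing a defender wants to catch early: a service whose binary lacks the expected exec type silently falls through to initrc_t, and only the SELinux column of ps shows it. The following POSIX sh function is an added check written for this report, not part of it or of selinux-policy: it scans ps -Z style output for a service and returns a distinct status for confined, unconfined and not running; the sample lines are constructed by shortening the ps output quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report: audit ps -Z style output for a
# service and confirm it runs in its confined domain rather than initrc_t.
# Real use: ps -eZ | check_domain tomcat tomcat_t

# check_domain NAME EXPECTED_TYPE   (reads ps output on stdin)
# Returns 0 if every NAME process runs as EXPECTED_TYPE,
#         1 if any NAME process runs in another type (e.g. initrc_t),
#         2 if no NAME process was found.
check_domain() {
    name=$1; expected=$2
    found=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            *grep*) continue ;;          # skip the grep that found the line
            *"$name"*) ;;
            *) continue ;;
        esac
        found=1
        ctx=${line%% *}                  # 1st field: user:role:type:level
        rest=${ctx#*:}                   # role:type:level
        rest=${rest#*:}                  # type:level
        ptype=${rest%%:*}                # type
        if [ "$ptype" = "$expected" ]; then
            printf 'OK   %s runs as %s\n' "$name" "$ptype"
        else
            printf 'WARN %s runs as %s (expected %s)\n' "$name" "$ptype" "$expected"
            bad=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ] || return 1
}

# Constructed sample lines, shortened from the output quoted in this report.
SAMPLE_BEFORE='system_u:system_r:initrc_t:s0   tomcat    2444 23.0  0.5 3391368 44652 ?       Sl   15:30   0:00 /usr/lib/jvm/jre/bin/java org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2470 0.0  0.0 109400 888 pts/0 S+ 15:30   0:00 grep --color=auto -i tomcat'
SAMPLE_AFTER='system_u:system_r:tomcat_t:s0   tomcat    2970 18.8  0.7 3923952 60816 ?       Sl   15:54   0:01 /usr/lib/jvm/jre/bin/java org.apache.catalina.startup.Bootstrap start'

# Run directly: show both checks; "|| :" keeps the WARN from aborting under set -e.
printf '%s\n' "$SAMPLE_BEFORE" | check_domain tomcat tomcat_t || :   # WARN (status 1)
printf '%s\n' "$SAMPLE_AFTER"  | check_domain tomcat tomcat_t        # OK (status 0)
```

A status of 2 from a service that should be up is worth alerting on as well, since a unit that failed to start under the new label looks identical to one that was never installed.
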
Comment 6 William Brown 2012-07-03 06:26:24 UTC
This has corrected the problem (temporarily). I will wait for the policy update to be shipped for the permanent fix.

system_u:system_r:tomcat_t:s0   tomcat    2970 18.8  0.7 3923952 60816 ?       Sl   15:54   0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Is this issue also present on RHEL?

Comment 7 Miroslav Grepl 2012-07-03 07:43:44 UTC
Fixed in selinux-policy-3.10.0-137.fc17

We will need to fix it in RHEL6.4 too.

Comment 8 Fedora Update System 2012-07-04 06:42:02 UTC
selinux-policy-3.10.0-137.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-137.fc17

Comment 9 Fedora Update System 2012-07-05 23:37:05 UTC
Package selinux-policy-3.10.0-137.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-137.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10279/selinux-policy-3.10.0-137.fc17
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-07-17 17:28:22 UTC
selinux-policy-3.10.0-137.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

