Description of problem: Tomcat6 in a default install runs in the initrc_t domain. While it may be running as tomcat's user, this is still a suboptimal configuration that should be contained. This is compounded by the fact that tomcat is generally a user facing internet service. Steps to Reproduce: 1. yum install tomcat6 2. systemctl start tomcat6.service 3. pus auxZ | grep tomcat Actual results: Tomcat is running in initrc_t domain Expected results: Tomcat should be confined to either a tomcat_t domain, or a httpd_t domain. Appropriate booleans should exist to allow database and network access as is similar for httpd. Additional info: system_u:system_r:initrc_t:s0 tomcat 21742 8.8 0.7 3923952 60080 ? Sl 11:04 0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
It has been fixed in selinux-policy-3.10.0-134.fc17 what is your policy version # rpm -q selinux-policy
selinux-policy-3.10.0-132.fc17.noarch I have a single update awaiting application in yum to selinux-policy.noarch 3.10.0-134.fc17 updates Does that update correct the issue?
Don't mind my dyslexia - I just noticed that you said the update fixes this issue. I'll apply the update to confirm.
After update, relable and reboot this issue continues to persist.: [root@strawberry]~# ps auxZ | grep -i tomcat system_u:system_r:initrc_t:s0 tomcat 2444 23.0 0.5 3391368 44652 ? Sl 15:30 0:00 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2470 0.0 0.0 109400 888 pts/0 S+ 15:30 0:00 grep --color=auto -i tomcat [root@strawberry]~# yum info selinux-policy Loaded plugins: changelog, langpacks, presto, refresh-packagekit Installed Packages Name : selinux-policy Arch : noarch Version : 3.10.0 Release : 134.fc17 Size : 62 Repo : installed From repo : updates Summary : SELinux policy configuration URL : http://oss.tresys.com/repos/refpolicy/ License : GPLv2+ Description : SELinux Reference Policy - modular. : Based off of reference policy: Checked out revision 2.20091117
Ok, probably I see the problem. We have labeling just for /usr/sbin/tomcat -- gen_context(system_u:object_r:tomcat_exec_t,s0) So try to execute # chcon -t tomcat_exec_t `which tomcat6` # ls -Z `which tomcat6` # systemctl restart tomcat6.service
This has corrected the problem (temporaily). I will wait for the policy update to be shipped for the permanent fix. system_u:system_r:tomcat_t:s0 tomcat 2970 18.8 0.7 3923952 60816 ? Sl 15:54 0:01 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start Is this issue also present on RHEL?
Fixed in selinux-policy-3.10.0-137.fc17 We will need to fix it in RHEL6.4 too.
selinux-policy-3.10.0-137.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-137.fc17
Package selinux-policy-3.10.0-137.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-137.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10279/selinux-policy-3.10.0-137.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-137.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.