Bug 979423 - Tomcat files not relabelled after installation of selinux policy
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: tomcat6, tomcat7
Severity: medium
: ER03
: 2.1.0
Assigned To: Coty Sutherland
Michal Karm Babacek
Reported: 2013-06-28 09:41 EDT by Michal Haško
Modified: 2015-11-03 01:23 EST (History)

Doc Type: Bug Fix
Doc Text:
In JBoss Enterprise Web Server, the SELinux configuration files and compiled .pp file are available at $<filename class="directory">confdir/selinux/packages/tomcat7</filename>. The compiled .pp file is provided but not installed. As a result, various things fail when installing the module and error messages are not descriptive. This issue is fixed in JBoss Enterprise Web Server 2.1. The SELinux configuration files are provided and the system administrator must compile and use the policies. For more information, refer the JBoss Enterprise Web Server Installation guide.
Type: Bug

Description Michal Haško 2013-06-28 09:41:59 EDT
Description of problem:
For tomcat rpms, the selinux policy is installed in the postinstall scriptlet.
That means *after* the tomcat files are installed on the system. The scriptlet should also relabel the files so that they get the correct context based on the newly installed policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install tomcat{6,7} from rpm
2. /var/log/tomcat{6,7} /var/cache/tomcat{6,7}/temp /var/lib/tomcat{6,7}/webapps should have correct labels (as defined in /etc/tomcat{6,7}/selinux/packages/tomcat{6,7}/tomcat{6,7}.fc)
Comment 3 Mandar Joshi 2013-07-01 02:04:15 EDT
Doc Text added.

@lfuka,  can you please review the Doc Text content?
Comment 12 Jean-frederic Clere 2013-10-16 03:46:20 EDT
Do we know why the install fails?
If something is already installed or modified, of course we should try to check for it and not install our stuff.
Comment 13 David Knox 2013-10-21 12:42:08 EDT
The requirements for release 2.0.1 call for 'providing' or 'including' SELinux. The distinction between 'providing' and 'including' matters because the requirements don't mention 'installing' the policy.

Previously the %post scriptlet attempted to install the policy but fails easily; the user would assume the policy installation worked.

Best practices by other teams: 
1) don't install the policy
2) provide the selinux compiled config files
3) let the selinux team support the selinux config files.

Comment 14 Libor Fuka 2014-06-27 08:24:36 EDT
Is it ON_QA or not ?
Comment 15 Jean-frederic Clere 2014-07-02 08:11:20 EDT
Actually the package won't install the policy, so some doc must be provided to explain how to install and we must check that the policy installs without problems.
Comment 16 Michal Haško 2014-07-17 08:58:05 EDT
The compiled .pp policy files are no longer provided:

# rpm -ql tomcat6 tomcat7 | grep selinux

# rpm -q tomcat6 tomcat7
Comment 18 Michal Haško 2014-07-17 09:00:46 EDT
What I meant by comment #16 is that the compiled policy files (.pp) are missing, and should be provided.
Comment 20 Jean-frederic Clere 2014-08-12 09:46:03 EDT
According to my notes:
yum install selinux-policy-devel
cd /etc/tomcat7/selinux/packages/tomcat7
make -f /usr/share/selinux/devel/Makefile
should create a tomcat7-selinux.pp
semodule -i tomcat7-selinux.pp
install the policy
semodule -r tomcat7
remove it after testing.
Comment 22 David Knox 2014-08-18 12:16:59 EDT
Should be run as root.
From what I've seen of other examples and what _was_ in the spec file:

if [ -x "/usr/sbin/selinuxenabled" ]; then
   # build the module from the shipped sources, register the Tomcat ports, load the policy
   cd /usr/share/tomcat6/conf/selinux/
   make -f /usr/share/selinux/devel/Makefile
   /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8080 >/dev/null 2>&1 |
   /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8005 >/dev/null 2>&1 |
   /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8009 >/dev/null 2>&1 |
   /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8443 >/dev/null 2>&1 |
   /usr/sbin/semodule -i /usr/share/tomcat6/conf/selinux/packages/tomcat6/tomcat6.pp
fi
Comment 23 Michal Karm Babacek 2014-08-18 13:22:57 EDT
Hmm, it compiles and loads just fine for me on RHEL6 x86_64 (RHN Stage) both with Tomcat 6 and Tomcat 7:

# cd /etc/tomcat7/selinux/packages/tomcat7
# make -f /usr/share/selinux/devel/Makefile
  Compiling targeted tomcat7 module
  /usr/bin/checkmodule:  loading policy configuration from tmp/tomcat7.tmp
  /usr/bin/checkmodule:  policy configuration loaded
  /usr/bin/checkmodule:  writing binary representation (version 10) to tmp/tomcat7.mod
  Creating targeted tomcat7.pp policy package
  rm tmp/tomcat7.mod tmp/tomcat7.mod.fc
# semodule -i tomcat7.pp
# echo $?

# cd /etc/tomcat6/selinux/packages/tomcat6
# make -f /usr/share/selinux/devel/Makefile
  Compiling targeted tomcat6 module
  /usr/bin/checkmodule:  loading policy configuration from tmp/tomcat6.tmp
  /usr/bin/checkmodule:  policy configuration loaded
  /usr/bin/checkmodule:  writing binary representation (version 10) to tmp/tomcat6.mod
  Creating targeted tomcat6.pp policy package
  rm tmp/tomcat6.mod.fc tmp/tomcat6.mod
# semodule -i tomcat6.pp
# echo $?

/usr/sbin/semanage port -a * stuff from David's comment 22 works as well (i.e. it passes with no error, tomcat starts and one can access 8080 from localhost, that's the whole "test"...)

Question: Do you find it fit for VERIFIED? I guess that the issue somewhat drifted from the original postinstall stuff...
Please, comment...

I didn't test the labels.
Comment 24 David Knox 2014-08-18 16:42:46 EDT
Hi Michal,

Yes. Let's move this to VERIFIED. We have dealt with the pertinent issue, and we have new doc. For completeness, can you post the relevant snippet on this BZ? If there are any more SELinux issues they can each have their own BZ.

Comment 25 David Knox 2014-08-18 16:51:21 EDT
Labeling should work if the file being labeled exists. We couldn't relabel completely during %install because tomcatX.pid doesn't exist at the time.
Comment 26 Jean-frederic Clere 2014-08-19 02:20:46 EDT
Would an empty tomcatX.pid help?
Comment 27 Michal Karm Babacek 2014-08-19 07:35:05 EDT
@David: Which snippet do you mean?

Switching to VERIFIED as this particular issue is O.K. now, so we won't block EWS 2.1 release.
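Putting comments 20, 22 and 25 together, the following is an added example (not code from this bug, the spec file or the EWS packages) of the complete admin-side procedure the doc text now expects: compile and load the shipped tomcat7 module, register the ports without discarding semanage errors, and then do what the original report asked for, relabel the files that were installed before the policy existed and verify their labels, skipping paths such as the pid file that do not exist yet. It assumes the sources live in /etc/tomcat7/selinux/packages/tomcat7 (the path from comment 20), that selinux-policy-devel is installed, and that the port type is tomcat7_port_t; the .fc sample embedded in the script is constructed for illustration and its type names are not the package's.

```shell
#!/bin/sh
# Added example, not code from the bug or from the EWS packages: compile and
# load the shipped tomcat7 module (comment 20), register the ports (comment 22)
# and then relabel the files that were installed before the policy existed,
# skipping paths that do not exist yet (comment 25).
# Assumed: sources in /etc/tomcat7/selinux/packages/tomcat7,
# selinux-policy-devel installed, port type tomcat7_port_t.

POLICY_DIR=/etc/tomcat7/selinux/packages/tomcat7
MODULE=tomcat7
PORT_TYPE=tomcat7_port_t   # assumption; take the real name from tomcat7.te

# Reduce a file_contexts (.fc) listing to concrete paths restorecon can walk:
# drop comments and blank lines, keep the first column, strip the "(/.*)?"
# recursion suffix and unescape "\.". Pure text processing, safe anywhere.
fc_to_paths() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^[:space:]]*\).*/\1/' \
        -e 's|(/\.\*)?$||' -e 's/\\\././g'
}

# Constructed sample .fc: the paths from "Steps to Reproduce" plus the pid file
# from comment 25. The type names are illustrative, not the package's.
SAMPLE_FC='# tomcat7 file contexts (constructed sample)
/var/log/tomcat7(/.*)?          gen_context(system_u:object_r:tomcat7_log_t,s0)
/var/cache/tomcat7/temp(/.*)?   gen_context(system_u:object_r:tomcat7_cache_t,s0)
/var/lib/tomcat7/webapps(/.*)?  gen_context(system_u:object_r:tomcat7_var_lib_t,s0)
/var/run/tomcat7\.pid   --      gen_context(system_u:object_r:tomcat7_var_run_t,s0)'

sample_paths() { printf '%s\n' "$SAMPLE_FC" | fc_to_paths; }

# "semanage port -a" fails when the port is already defined; the old %post
# scriptlet threw that error away. Fall back to -m, which reassigns the port
# (check "semanage port -l" first if another type already owns it).
add_port() {
    semanage port -a -t "$PORT_TYPE" -p tcp "$1" 2>/dev/null \
        || semanage port -m -t "$PORT_TYPE" -p tcp "$1"
}

# Relabel every existing path named in the .fc, then report mismatches.
relabel_from_fc() {
    fc_to_paths < "$1" | while read -r p; do
        if [ -e "$p" ]; then
            restorecon -Rv "$p"
            matchpathcon -V "$p"   # prints "verified" or "should be <context>"
        else
            echo "skip $p (does not exist yet)" >&2
        fi
    done
}

apply_policy() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    selinuxenabled || { echo "SELinux is disabled; nothing to do" >&2; return 1; }
    ( cd "$POLICY_DIR" && make -f /usr/share/selinux/devel/Makefile ) || return 1
    semodule -i "$POLICY_DIR/$MODULE.pp" || return 1
    for port in 8080 8005 8009 8443; do add_port "$port" || return 1; done
    relabel_from_fc "$POLICY_DIR/$MODULE.fc"
}

case "${1:-}" in
    apply) apply_policy ;;
    *)     sample_paths ;;   # no argument: show the paths the sample .fc expands to
esac
```

Run it with no arguments to see which paths the .fc expands to, and as root with `apply` to do the work. `restorecon -Rnv` instead of `-Rv` gives a dry run of the label changes, and `matchpathcon -V` is the check that was not done in comment 23: it compares the on-disk context with what the loaded file_contexts says it should be.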
