Description of problem:
For tomcat rpms, the selinux policy is installed in the postinstall scriptlet. That means *after* tomcat files are installed in the system. The scriptlet should also relabel the files so that they get the correct context based on the newly installed policy.

Version-Release number of selected component (if applicable):
tomcat6-6.0.37-8_patch_01.ep6.el5
tomcat7-7.0.40-9_patch_01.ep6.el5
tomcat6-6.0.37-10_patch_01.ep6.el6
tomcat7-7.0.40-5_patch_01.ep6.el6

How reproducible:

Steps to Reproduce:
1. install tomcat{6,7} from rpm
2. /var/log/tomcat{6,7}, /var/cache/tomcat{6,7}/temp and /var/lib/tomcat{6,7}/webapps should have correct labels (as defined in /etc/tomcat{6,7}/selinux/packages/tomcat{6,7}/tomcat{6,7}.fc)
Doc Text added. @lfuka, can you please review the Doc Text content?
Do we know why the install fails? If something is already installed or modified, of course we should try to check for it and not install our stuff.
The requirements for release 2.0.1 call for 'providing' or 'including' SELinux. The distinction between 'providing' and 'including' matters because the requirements don't mention 'installing' the policy. Previously the %post scriptlet attempted to install the policy but fails easily; the user would assume the policy installation worked. Best practices by other teams:
1) don't install the policy
2) provide the selinux compiled config files
3) let the selinux team support the selinux config files.
cheers, david
Is it ON_QA or not ?
Actually the package won't install the policy, so some doc must be provided to explain how to install and we must check that the policy installs without problems.
The compiled .pp policy files are no longer provided:

# rpm -ql tomcat6 tomcat7 | grep selinux
/etc/tomcat6/selinux
/etc/tomcat6/selinux/packages
/etc/tomcat6/selinux/packages/tomcat6
/etc/tomcat6/selinux/packages/tomcat6/tomcat6.fc
/etc/tomcat6/selinux/packages/tomcat6/tomcat6.if
/etc/tomcat6/selinux/packages/tomcat6/tomcat6.te
/etc/tomcat7/selinux
/etc/tomcat7/selinux/packages
/etc/tomcat7/selinux/packages/tomcat7
/etc/tomcat7/selinux/packages/tomcat7/tomcat7.fc
/etc/tomcat7/selinux/packages/tomcat7/tomcat7.if
/etc/tomcat7/selinux/packages/tomcat7/tomcat7.te

# rpm -q tomcat6 tomcat7
tomcat6-6.0.41-2_patch_01.ep6.el5
tomcat7-7.0.54-4_patch_01.ep6.el5
tomcat6-6.0.41-1_patch_01.ep6.el6.noarch
tomcat7-7.0.54-4_patch_01.ep6.el6.noarch
tomcat6-6.0.41-2_patch_01.ep6.el7.noarch
tomcat7-7.0.54-2_patch_01.ep6.el7.noarch
What I meant by comment #16 is that the compiled policy files (.pp) are missing, and should be provided.
According to my notes:

yum install selinux-policy-devel
cd /etc/tomcat7/selinux/packages/tomcat7
make -f /usr/share/selinux/devel/Makefile    # should create a tomcat7-selinux.pp
semodule -i tomcat7-selinux.pp               # install the policy
semodule -r tomcat7                          # remove it after testing
Should be run as root, from what I've seen of other examples and what _was_ in the spec file:

if [ -x "/usr/sbin/selinuxenabled" ]; then
    cd /usr/share/tomcat6/conf/selinux/
    make -f /usr/share/selinux/devel/Makefile
    /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8080 >/dev/null 2>&1 |
    /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8005 >/dev/null 2>&1 |
    /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8009 >/dev/null 2>&1 |
    /usr/sbin/semanage port -a -t %{name}_port_t -p tcp 8443 >/dev/null 2>&1 |
    /usr/sbin/semodule -i /usr/share/tomcat6/conf/selinux/packages/tomcat6/tomcat6.pp
fi
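As an added example (not the RPM's %post scriptlet and not code posted in this thread), the following POSIX sh script ties together the two things discussed so far: the build/semanage/semodule sequence from the old spec snippet above, and the relabel step the bug description asks for. It compiles the packaged policy sources with the selinux-policy-devel Makefile, registers the four ports one command at a time, loads the module and only then runs restorecon over the paths listed in the .fc file, and finally dry-runs restorecon to report any path whose context still disagrees with the loaded policy. The tomcat7 layout, the Makefile path, the `%{name}_port_t` type name and the ports come from the thread; the sample .fc content (including its type names) and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: build, load and relabel an SELinux policy module that a
# package ships as source under /etc/tomcatN/selinux/packages/tomcatN/.
# Assumptions: tomcat7 layout, selinux-policy-devel installed, and the
# port type named <tomcat>_port_t as in the old spec file.

TOMCAT="${TOMCAT:-tomcat7}"
POLICY_SRC="/etc/${TOMCAT}/selinux/packages/${TOMCAT}"
DEVEL_MAKEFILE="/usr/share/selinux/devel/Makefile"
PORTS="8080 8005 8009 8443"   # the ports the old %post registered

# sample_fc_file: write a CONSTRUCTED .fc file (paths modelled on the bug
# report; the type names are assumptions, not the real tomcat7 policy) and
# print its path, so fc_paths can be exercised without the package installed.
sample_fc_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample .fc for the example
/var/log/tomcat7(/.*)?          gen_context(system_u:object_r:tomcat7_log_t,s0)
/var/cache/tomcat7/temp(/.*)?   gen_context(system_u:object_r:tomcat7_cache_t,s0)
/var/lib/tomcat7/webapps(/.*)?  gen_context(system_u:object_r:tomcat7_var_lib_t,s0)
/var/run/tomcat7\.pid       --  gen_context(system_u:object_r:tomcat7_var_run_t,s0)
EOF
    echo "$f"
}

# fc_paths: print the literal path prefixes from a .fc file, one per line.
# Takes the first column of every non-comment line, drops the usual "(/.*)?"
# subtree suffix and un-escapes characters such as "\.".
fc_paths() {
    sed -n -e 's/^[[:space:]]*\(\/[^[:space:]]*\).*$/\1/p' "$1" |
        sed -e 's/(\/\.\*)?$//' -e 's/\\//g'
}

# build_policy: compile <tomcat>.pp from the packaged .te/.fc/.if, exactly
# the manual step from the thread, run in a subshell so cwd is unchanged.
build_policy() {
    ( cd "$POLICY_SRC" && make -f "$DEVEL_MAKEFILE" )
}

# register_ports: label the listener ports; each semanage call runs on its
# own (a sequence, not a pipeline). If a port is already defined, modify it.
register_ports() {
    for p in $PORTS; do
        /usr/sbin/semanage port -a -t "${TOMCAT}_port_t" -p tcp "$p" 2>/dev/null ||
            /usr/sbin/semanage port -m -t "${TOMCAT}_port_t" -p tcp "$p"
    done
}

# load_and_relabel: the ordering the bug asks for. The module must be loaded
# BEFORE restorecon, otherwise files keep whatever the old policy matched.
# Paths that do not exist yet (e.g. the pid file before first start) are skipped.
load_and_relabel() {
    /usr/sbin/semodule -i "${POLICY_SRC}/${TOMCAT}.pp"
    fc_paths "${POLICY_SRC}/${TOMCAT}.fc" | while read -r path; do
        if [ -e "$path" ]; then
            restorecon -R "$path"
        fi
    done
}

# check_labels: dry run (-n) with -v prints every path under the .fc prefixes
# whose current context differs from the loaded policy; empty output is good.
check_labels() {
    fc_paths "${POLICY_SRC}/${TOMCAT}.fc" | while read -r path; do
        if [ -e "$path" ]; then
            restorecon -R -n -v "$path"
        fi
    done
}

main() {
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        build_policy
        register_ports
        load_and_relabel
        check_labels
    else
        echo "SELinux is not enabled; nothing to do" >&2
    fi
}

# Usage (as root): TOMCAT=tomcat7 ./tomcat-selinux.sh install
if [ "${1:-}" = "install" ]; then
    main
fi
```

`fc_paths` and `check_labels` need no privileges and are the useful bits for the "labels should be correct" step of the reproducer: run `check_labels` after installation and any line it prints is a path the scriptlet failed to relabel. Because restorecon only acts on paths that exist, a pid file created later by the service is outside what a relabel at install time can cover; it gets its context from the policy's own rules when the service creates it, which is the gap the tomcatX.pid comments in this thread point at.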
Hmm, it compiles and loads just fine for me on RHEL6 x86_64 (RHN Stage) both with Tomcat 6 and Tomcat 7:

# cd /etc/tomcat7/selinux/packages/tomcat7
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted tomcat7 module
/usr/bin/checkmodule: loading policy configuration from tmp/tomcat7.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/tomcat7.mod
Creating targeted tomcat7.pp policy package
rm tmp/tomcat7.mod tmp/tomcat7.mod.fc
# semodule -i tomcat7.pp
# echo $?
0

# cd /etc/tomcat6/selinux/packages/tomcat6
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted tomcat6 module
/usr/bin/checkmodule: loading policy configuration from tmp/tomcat6.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/tomcat6.mod
Creating targeted tomcat6.pp policy package
rm tmp/tomcat6.mod.fc tmp/tomcat6.mod
# semodule -i tomcat6.pp
# echo $?
0

The "/usr/sbin/semanage port -a *" stuff from David's comment 22 works as well (i.e. it passes with no error, tomcat starts and one can access 8080 from localhost, that's the whole "test"...).

Question: Do you find it fit for VERIFIED? I guess that the issue somewhat drifted from the original postinstall stuff... Please, comment... I didn't test the labels.
Hi Michal, yes. Let's move this to VERIFIED. We have dealt with the pertinent issue, and we have new doc. For completeness, can you post the relevant snip on this bz? If there are any more selinux issues they can each have their own bz. Thanks!
Labeling should work if the file being labeled exists. We couldn't relabel completely during %install because tomcatX.pid doesn't exist at the time.
Would an empty tomcatX.pid help?
@David: Which snippet do you mean? Switching to VERIFIED as this particular issue is O.K. now, so we won't block EWS 2.1 release.