Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 5.2.0.DR1
Affects Version/s: JWS 5.0.0 SP1 CR1
Component/s: selinux, tomcat
Labels:
None

Story Points:
24
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Target Release:

5.2.0.GA
Steps to Reproduce:

Hide

Follow documented SELinux Policies for a ZIP Installation, start tomcat, check process context to see that it's still unconfined.

Show
Follow documented SELinux Policies for a ZIP Installation , start tomcat, check process context to see that it's still unconfined.

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Going through the SELinux Policies for Zip installation, you are instructed to run the `postinstall.selinux` script, then create a policy module file and install it with semodule.

Doing this results in the correct file labels, but the process runs unconfined (unlike the jws5 rpm install which runs with the jws5_tomcat_t domain).

Here is some `ps` output showing the unconfined_t domain:

# ps -eo pid,user,label,args | grep java
 5377 root     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 //bin/java -Djava.util.logging.config.file=/opt/jws-5.0/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Djava.library.path=/opt/jws-5.0/tomcat/lib -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /opt/jws-5.0/tomcat/bin/bootstrap.jar:/opt/jws-5.0/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/jws-5.0/tomcat -Dcatalina.home=/opt/jws-5.0/tomcat -Djava.io.tmpdir=/opt/jws-5.0/tomcat/temp org.apache.catalina.startup.Bootstrap start

Here is the `ls -lZ` output showing the startup.sh script is labeled with jws5_tomcat_exec_t as expected:

# ls -lZ *.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 catalina.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 ciphers.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 configtest.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 daemon.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 digest.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 setclasspath.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 shutdown.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 startup.sh
-rwxr-xr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 tomcat-vault.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 tool-wrapper.sh
-rwxrwxr-x. tomcat tomcat unconfined_u:object_r:jws5_tomcat_exec_t:s0 version.sh

blocks

JWS-1361 [RFE] Asking for "tomcat_can_network_connect_db" boolean

Closed

incorporates

JWS-1454 SELinux denied errors on start up

Closed

Assignee:: Coty Sutherland

Reporter:: Dave Mulford

Tester:: Jan Onderka

Writer:: Daniel Philips (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2019/04/04 3:38 PM

Updated:: 2023/03/22 8:12 AM

Resolved:: 2019/07/16 4:28 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates