JBoss Web Server / JWS-1454

SELinux denied errors on start up


    • Bug
    • Resolution: Done
    • Critical
    • 5.2.0.GA
    • 5.1.0.ER1
    • selinux, tomcat
    • None
    • Release Notes

      Enable repos, install jws5:

      # subscription-manager repos --enable=jws-5-for-rhel-7-server-rpms --enable=jb-coreservices-1-for-rhel-7-server-rpms
      
      # sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Max kernel policy version:      28
      
      # yum groupinstall jws5
      
      # systemctl start jws5-tomcat.service
      # systemctl status jws5-tomcat.service
      ● jws5-tomcat.service - Apache Tomcat Web Application Container
         Loaded: loaded (/usr/lib/systemd/system/jws5-tomcat.service; disabled; vendor preset: disabled)
         Active: active (running) since Fri 2019-10-11 07:04:33 IST; 9s ago
       Main PID: 2325 (java)
         CGroup: /system.slice/jws5-tomcat.service
                 └─2325 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java -classpath /opt/rh/jws5/root...
      
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.315 INFO [main] org.apache.catali... ms
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.316 INFO [main] org.apache.catali...er]
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.474 INFO [main] org.apache.jasper.se...
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.492 INFO [main] org.apache.catali... ms
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.493 INFO [main] org.apache.catali...er]
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.618 INFO [main] org.apache.jasper.se...
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.620 INFO [main] org.apache.catali... ms
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.643 INFO [main] org.apache.coyote...0"]
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.652 INFO [main] org.apache.coyote...9"]
      Oct 11 07:04:35 hostname server[2325]: 11-Oct-2019 07:04:35.654 INFO [main] org.apache.catali... ms
      Hint: Some lines were ellipsized, use -l to show in full.
      
      

      No java related errors:

      # grep java /var/log/audit/audit.log
      #
      
      

      As per documentation, install `jws5-tomcat-selinux` and observe audit logs on restart:

      # yum install jws5-tomcat-selinux
      # systemctl restart jws5-tomcat.service
      
      # grep java /var/log/audit/audit.log
      ..
      .
      type=AVC msg=audit(1570758315.029:565): avc:  denied  { search } for  pid=3941 comm="java" name="/" dev="cgroup" ino=6774 scontext=system_u:system_r:jws5_tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
      type=SYSCALL msg=audit(1570758315.029:565): arch=c000003e syscall=2 success=no exit=-13 a0=7f16551ace90 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=3941 auid=4294967295 uid=53 gid=53 euid=53 suid=53 fsuid=53 egid=53 sgid=53 fsgid=53 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java" subj=system_u:system_r:jws5_tomcat_t:s0 key=(null)
      ..
      
      # ausearch -i -m avc -ts recent | less
      ..
      .
      type=PROCTITLE msg=audit(11/10/19 07:15:15.029:563) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java -classpath /opt/rh/jws5/root/usr/share/tomcat/bin/boot 
      type=SYSCALL msg=audit(11/10/19 07:15:15.029:563) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f16551ace90 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=1 pid=3941 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java subj=system_u:system_r:jws5_tomcat_t:s0 key=(null) 
      type=AVC msg=audit(11/10/19 07:15:15.029:563) : avc:  denied  { search } for  pid=3941 comm=java name=/ dev="cgroup" ino=6774 scontext=system_u:system_r:jws5_tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir 
      ----
      type=PROCTITLE msg=audit(11/10/19 07:15:15.029:564) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java -classpath /opt/rh/jws5/root/usr/share/tomcat/bin/boot 
      type=SYSCALL msg=audit(11/10/19 07:15:15.029:564) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f16551ace90 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=1 pid=3941 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java subj=system_u:system_r:jws5_tomcat_t:s0 key=(null) 
      type=AVC msg=audit(11/10/19 07:15:15.029:564) : avc:  denied  { search } for  pid=3941 comm=java name=/ dev="cgroup" ino=6774 scontext=system_u:system_r:jws5_tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir 
      ----
      type=PROCTITLE msg=audit(11/10/19 07:15:15.029:565) : proctitle=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java -classpath /opt/rh/jws5/root/usr/share/tomcat/bin/boot 
      type=SYSCALL msg=audit(11/10/19 07:15:15.029:565) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f16551ace90 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=1 pid=3941 auid=unset uid=tomcat gid=tomcat euid=tomcat suid=tomcat fsuid=tomcat egid=tomcat sgid=tomcat fsgid=tomcat tty=(none) ses=unset comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/jre/bin/java subj=system_u:system_r:jws5_tomcat_t:s0 key=(null) 
      type=AVC msg=audit(11/10/19 07:15:15.029:565) : avc:  denied  { search } for  pid=3941 comm=java name=/ 
      

      SELinux denied errors are seen after installing the `jws5-tomcat-selinux` package.
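
For triage, the repeated records above reduce to a single distinct denial. The following is an added example, not part of the original report or of the JWS packages: it groups AVC denials by source type, target type, class, permission and command. The sample input is constructed from the records quoted in the report, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input: the raw-format AVC record from the report under the
# three serials (563-565) seen in the ausearch output, one SYSCALL record, and
# the AVC record that is cut off after name=/ at the end of the report.
_AVC = ('type=AVC msg=audit(1570758315.029:%d): avc:  denied  { search } for  '
        'pid=3941 comm="java" name="/" dev="cgroup" ino=6774 '
        'scontext=system_u:system_r:jws5_tomcat_t:s0 '
        'tcontext=system_u:object_r:cgroup_t:s0 tclass=dir')
SAMPLE_LOG = "\n".join([_AVC % n for n in (563, 564, 565)] + [
    'type=SYSCALL msg=audit(1570758315.029:565): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="java" subj=system_u:system_r:jws5_tomcat_t:s0',
    'type=AVC msg=audit(11/10/19 07:15:15.029:565) : avc:  denied  '
    '{ search } for  pid=3941 comm=java name=/',
])

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # handles quoted and bare values

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text):
    """Return (Counter of distinct denials, number of incomplete AVC records)."""
    counts, incomplete = Counter(), 0
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.lstrip().startswith("type=AVC") else None
        if m is None:
            continue  # SYSCALL, PROCTITLE, separators, non-denial records
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            incomplete += 1  # truncated record: not enough to name the rule
            continue
        perms = tuple(sorted(m.group(1).split()))
        counts[(se_type(fields["scontext"]), se_type(fields["tcontext"]),
                fields["tclass"], perms, fields.get("comm", "?"))] += 1
    return counts, incomplete

if __name__ == "__main__":
    denials, incomplete = summarize_denials(SAMPLE_LOG)
    for (src, tgt, cls, perms, comm), n in denials.most_common():
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    print(f"incomplete AVC records skipped: {incomplete}")
```

The same function accepts both the raw `audit.log` format and `ausearch -i` output, since it only relies on the `avc: denied { ... } for key=value` portion of each record.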

            rhn-support-csutherl Coty Sutherland
            rhn-support-sjayapra Sandeep MJ
            Jan Onderka Jan Onderka
            Daniel Philips Daniel Philips (Inactive)