- Bug
- Resolution: Done
- Major
- JWS 3.1.0 SP1 DR1
- None
- Release Notes
A bug was discovered in the tomcat7 and tomcat8 SELinux policies that caused tomcat to run in unconfined_domain.
+++ This bug was initially created as a clone of Bug #1432083 +++
Description of problem:
It seems the tomcat_t domain is in unconfined_domain, so any process running in the tomcat_t domain can access any file. Maybe there is a bug in the policy file.
[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            91    Permissions:       256
   Sensitivities:       1    Categories:       1024
   Types:            4729    Attributes:        251
   Users:               8    Roles:              14
   Booleans:          301    Cond. Expr.:       350
   Allow:          101261    Neverallow:          0
   Auditallow:        157    Dontaudit:        8030
   Type_trans:      17756    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        416    Range_trans:      5697
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          105    Portcon:           596
   Netifcon:            0    Nodecon:             0
   Permissives:         6    Polcap:              2

[root@localhost ~]# rpm -qa | grep -i policy
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
selinux-policy-3.13.1-102.el7_3.15.noarch
policycoreutils-2.5-11.el7_3.x86_64
How reproducible:
Steps to Reproduce:
1. Run sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
# If you don't have sesearch on your system, install it via "yum install setools-console -y"
2. Run seinfo -ttomcat_t -x
Actual results:
[root@localhost ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ;

[root@localhost ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type
Expected results:
The tomcat_t domain should not have unconfined_domain_type.
Additional info:
I submitted the same issue on Fedora Bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=1432055
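An added check, not part of the bug report or the JWS project, that parses the `seinfo -t<type> -x` output format shown above and lists the attributes that make a domain unconfined; the embedded sample is the tomcat_t attribute list from the report, and `check_domain` assumes a host with setools installed.

```python
"""Flag SELinux domains that carry unconfined attributes (seinfo -t<type> -x)."""
import subprocess


def parse_seinfo_type(output: str) -> tuple[str, list[str]]:
    """Return (type_name, attributes) from `seinfo -t<type> -x` text: the
    type on its own line, then one attribute per line, as in the report.
    A "Types: N" header line (newer setools) is skipped."""
    type_name, attrs = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Types:"):
            continue
        if type_name is None:
            type_name = line
        else:
            attrs.append(line)
    if type_name is None:
        raise ValueError("no type found in seinfo output")
    return type_name, attrs


def unconfined_attributes(attrs: list[str]) -> list[str]:
    """Attributes whose name marks the domain as unconfined, sorted.
    unconfined_domain_type is the headline one, but each per-subsystem
    attribute (files_unconfined_type, kern_unconfined, ...) grants blanket
    access on its own, as the files_unconfined_type allow rule above shows."""
    return sorted(a for a in attrs if "unconfined" in a)


def check_domain(domain: str) -> list[str]:
    """Run seinfo on a live host (needs setools) and return the offenders."""
    out = subprocess.run(["seinfo", f"-t{domain}", "-x"],
                         capture_output=True, text=True, check=True).stdout
    return unconfined_attributes(parse_seinfo_type(out)[1])


# Constructed sample in seinfo's layout: the tomcat_t attribute list
# quoted in the bug report above.
SAMPLE_TOMCAT_T = "   tomcat_t\n" + "".join(f"      {a}\n" for a in (
    "can_change_object_identity can_load_kernmodule can_load_policy "
    "can_setbool can_setenforce corenet_unconfined_type "
    "corenet_unlabeled_type devices_unconfined_type domain "
    "files_unconfined_type filesystem_unconfined_type kern_unconfined "
    "kernel_system_state_reader process_uncond_exempt "
    "selinux_unconfined_type storage_unconfined_type "
    "unconfined_domain_type dbusd_unconfined daemon syslog_client_type "
    "sepgsql_unconfined_type tomcat_domain userdom_filetrans_type "
    "x_domain xserver_unconfined_type").split())
```

An empty list from `unconfined_attributes` is the expected result for a fixed policy; `check_domain("tomcat_t")` gives the same answer for the running policy.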
- causes
  - JWS-808 tomcat fails to start via tomcat-jsvc service startup due to selinux denials (Closed)
  - JWS-817 SELinux denies name_bind to jboss_management_port_t for tomcat_t (Closed)
  - JWS-818 SELinux denies name_connect to mysql_port_t for tomcat_t (Closed)
  - JWS-819 SELinux denies name_connect to mssql_port_t for tomcat_t (Closed)
- is cloned by
  - JWS-724 jws5_tomcat_t domain shouldn't be in unconfined_domain (Closed)
- links to