[JWS-724] jws5_tomcat_t domain shouldn't be in unconfined_domain

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: JWS 5.0_RHEL DR1
Affects Version/s: None
Component/s: rpm, selinux, tomcat
Labels:
None

Affects:

Documentation (Ref Guide, User Guide, etc.), User Experience
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Release Note Text:
The JBoss Web Server 5.0 uses the `jws5_tomcat_t` selinux domain, rather than the unconfined `tomcat_t` domain for improved security.
Release Note Status:
Documented as Resolved Issue
Target Release:

JWS 5.0_RHEL_GA
Steps to Reproduce:

Hide

sesearch -ACS -s jws5_tomcat_t -t shadow_t -c file -p read
seinfo -tjws5_tomcat_t -x
check no presence of unconfined_domain_type or any other *unconfined* label

Show
sesearch -ACS -s jws5_tomcat_t -t shadow_t -c file -p read seinfo -tjws5_tomcat_t -x check no presence of unconfined_domain_type or any other *unconfined* label

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

+++ This bug was initially created as a clone of Bug #1432083 +++

Description of problem:

It seems tomcat_t domain is in unconfined_domain, then any process which is having tomcat_t domain can access to any file. Maybe there is a bug in policy file.

JWS5 domain name is : jws5_tomcat_t

There shouldn't be any unconfined_domain_type associated with jws5 domain name

clones

JWS-695 tomcat7_t and tomcat8_t domains are in unconfined_domain

Closed

Coty Sutherland added a comment - 2018/04/17 10:00 AM

We need to document this change.

Also note that the type label for JWS5's tomcat package is jws5_tomcat_t, not tomcat9_t or other derivations.

Coty Sutherland added a comment - 2018/04/17 10:00 AM We need to document this change. Also note that the type label for JWS5's tomcat package is jws5_tomcat_t, not tomcat9_t or other derivations.

Coty Sutherland added a comment - 2018/02/06 9:49 PM

Moving from JWS 4.0.0 GA/"Ready for QA" to JWS 5.0.0 DR1/Resolved. Will verify before moving to "Ready for QA" again.

Coty Sutherland added a comment - 2018/02/06 9:49 PM Moving from JWS 4.0.0 GA/"Ready for QA" to JWS 5.0.0 DR1/Resolved. Will verify before moving to "Ready for QA" again.

Coty Sutherland added a comment - 2017/08/15 8:04 AM

The policy shipped in the zips needs to be updated as well.

Coty Sutherland added a comment - 2017/08/15 8:04 AM The policy shipped in the zips needs to be updated as well.

Assignee:: Coty Sutherland

Reporter:: Coty Sutherland

Tester:: Jan Onderka

Writer:: Tyler Kelly (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2017/05/31 11:52 AM

Updated:: 2018/11/07 7:47 AM

Resolved:: 2017/08/21 5:43 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Coty Sutherland added a comment - 2018/04/17 10:00 AM

Expand comment: Coty Sutherland added a comment - 2018/04/17 10:00 AM

Collapse comment: Coty Sutherland added a comment - 2018/02/06 9:49 PM

Expand comment: Coty Sutherland added a comment - 2018/02/06 9:49 PM

Collapse comment: Coty Sutherland added a comment - 2017/08/15 8:04 AM

Expand comment: Coty Sutherland added a comment - 2017/08/15 8:04 AM

People

Dates