JBoss Web Server / JWS-817

SELinux denies name_bind to jboss_management_port_t for tomcat_t


Details

    • Bug
    • Resolution: Done
    • Major
    • JWS 5.0_RHEL DR1
    • JWS 3.1.0 GA
    • selinux, tomcat
    • None
    • Workaround Exists:

      Add port 9999 with semanage to the http_port_t type, which tomcat is allowed to use:

      semanage port -a -t http_port_t -p tcp 9999

    Description

      +++ This bug was initially created as a clone of Bug #1491039 +++
      SELinux is denying tomcat from binding to port 9999 for JMX, with the following AVC denial in /var/log/audit.log:

      type=AVC msg=audit(1505248782.641:3017): avc:  denied  { name_bind } for  pid=10189 comm="java" src=9999 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
      

      This worked without issue in previous versions of the targeted policy.

      Version-Release number of selected component (if applicable):

      • selinux-policy-targeted-3.13.1-166.el7.noarch
      • RHEL 7.4

      How reproducible:
      Always

      Steps to Reproduce:
      1. Create a new RHEL 7.4 machine
      2. yum install tomcat
      3. Add the following to /etc/sysconfig/tomcat
      JAVA_OPTS="-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.rmi.port=9999 -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false "
      4. systemctl start tomcat.service

      Actual results:
      AVC denial

      Expected results:
      A successful bind, like previous versions of the policy.
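As an added example (not part of the JWS-817 report or of the JWS project), a small POSIX sh helper that parses AVC records like the one quoted above, keeps only name_bind denials on a tcp or udp port, and reports the source domain, the port and the port's current type, which is exactly the information the semanage workaround is chosen from. The sample audit lines are constructed from the record in the report plus one unrelated line; the function names (avc_field, describe_port_denial, triage_port_denials) are my own.

```shell
#!/bin/sh
# Added example (not from the JWS-817 report): pull the fields out of an
# SELinux AVC record so a port-bind denial can be triaged from the log line.

# Constructed sample input: the denial quoted in the report plus an
# unrelated audit record that the filter must ignore.
SAMPLE_AUDIT='type=SERVICE_START msg=audit(1505248782.600:3016): pid=1 uid=0 comm="systemd"
type=AVC msg=audit(1505248782.641:3017): avc:  denied  { name_bind } for  pid=10189 comm="java" src=9999 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY -> value of KEY=value in RECORD, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_perm RECORD -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# label_type CONTEXT -> the type field of user:role:type:level
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# describe_port_denial RECORD -> one-line summary of a tcp/udp name_bind
# denial; prints nothing and returns 1 when the record is not one.
describe_port_denial() {
    rec=$1
    case $rec in type=AVC*) ;; *) return 1 ;; esac
    [ "$(avc_perm "$rec")" = name_bind ] || return 1
    tclass=$(avc_field "$rec" tclass)
    case $tclass in tcp_socket|udp_socket) ;; *) return 1 ;; esac
    printf '%s denied name_bind on %s/%s (port labelled %s)\n' \
        "$(label_type "$(avc_field "$rec" scontext)")" \
        "${tclass%_socket}" \
        "$(avc_field "$rec" src)" \
        "$(label_type "$(avc_field "$rec" tcontext)")"
}

# triage_port_denials < audit records -> one summary per port-bind denial
triage_port_denials() {
    while IFS= read -r rec; do
        describe_port_denial "$rec" || true
    done
}

printf '%s\n' "$SAMPLE_AUDIT" | triage_port_denials
```

Feeding the real audit log (or the output of `ausearch -m avc`) to triage_port_denials on stdin lists which domains are being refused which ports and what those ports are currently labelled, so the choice between relabelling the port and changing the application port is made from the record rather than by guessing.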

            People

              rhn-support-csutherl Coty Sutherland
              rhn-support-csutherl Coty Sutherland
              Jan Onderka Jan Onderka