2017-12-14 09:56 UTC

ID: 0014204
Project: administration
Category: security
View Status: public
Last Update: 2017-11-28 18:12
Reporter: deisler
Priority: urgent
Severity: block
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: centos
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0014204: selinux-policy blocking oracle java run from tomcat to mongodb and other problems
Description:
# cat /etc/*release
CentOS Linux release 7.4.1708 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.4.1708 (Core)
CentOS Linux release 7.4.1708 (Core)

# yum info mongodb-org
Installed Packages
Name : mongodb-org
Arch : x86_64
Version : 3.4.10
Release : 1.el7
Size : 0.0
Repo : installed
From repo : mongodb-org-3.4
Summary : MongoDB open source document-oriented database system (metapackage)
URL : http://www.mongodb.org

# yum info jre1.8-1.8.0_152-fcs
Installed Packages
Name : jre1.8
Arch : x86_64
Version : 1.8.0_152
Release : fcs
Size : 141 M
Repo : installed
Summary : Java Platform Standard Edition Runtime Environment
URL : URL_REF

# yum info tomcat
Installed Packages
Name : tomcat
Arch : noarch
Version : 7.0.76
Release : 3.el7_4
Size : 303 k
Repo : installed
From repo : updates
Summary : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API

# rpm -qa | grep selinux
libselinux-python-2.5-11.el7.x86_64
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.5.noarch
selinux-policy-devel-3.13.1-166.el7_4.5.noarch
selinux-policy-targeted-3.13.1-166.el7_4.5.noarch
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-doc-3.13.1-166.el7_4.5.noarch

found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/java/jre1.8.0_152/bin/java from name_connect access on the tcp_socket port 27017.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that java should be allowed name_connect access on the port 27017 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'java' --raw | audit2allow -M my-java
# semodule -i my-java.pp


Additional Information:
Source Context system_u:system_r:tomcat_t:s0
Target Context system_u:object_r:mongod_port_t:s0
Target Objects port 27017 [ tcp_socket ]
Source java
Source Path /usr/java/jre1.8.0_152/bin/java
Port 27017
Host <Unknown>
Source RPM Packages jre1.8-1.8.0_152-fcs.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name test
Platform Linux test 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri
                              Oct 20 20:32:50 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-11-28 17:54:50 UTC
Last Seen 2017-11-28 17:54:50 UTC
Local ID d9e6de33-106c-4097-a6a2-e90b01e15008

Raw Audit Messages
type=AVC msg=audit(1511891690.157:9799): avc: denied { name_connect } for pid=31475 comm="java" dest=27017 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1511891690.157:9799): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=b7 a1=7f0178b2c010 a2=1c a3=be items=0 ppid=1 pid=31475 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm=java exe=/usr/java/jre1.8.0_152/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null)

Hash: java,tomcat_t,mongod_port_t,tcp_socket,name_connect

--------------------------------------------------------------------------------

SELinux is preventing /usr/java/jre1.8.0_152/bin/java from write access on the file 5dbdfe0aa5419ad2.timestamp.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow java to have write access on the 5dbdfe0aa5419ad2.timestamp file
Then you need to change the label on 5dbdfe0aa5419ad2.timestamp
Do
# semanage fcontext -a -t FILE_TYPE '5dbdfe0aa5419ad2.timestamp'
where FILE_TYPE is one of the following: afs_cache_t, initrc_tmp_t, pki_common_t, pki_ra_log_t, pki_tomcat_cert_t, pki_tomcat_etc_rw_t, pki_tomcat_log_t, pki_tomcat_var_lib_t, pki_tps_log_t, puppet_tmp_t, tomcat_cache_t, tomcat_log_t, tomcat_tmp_t, tomcat_var_lib_t, tomcat_var_run_t, user_cron_spool_t.
Then execute:
restorecon -v '5dbdfe0aa5419ad2.timestamp'


***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that java should be allowed write access on the 5dbdfe0aa5419ad2.timestamp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'java' --raw | audit2allow -M my-java
# semodule -i my-java.pp


Additional Information:
Source Context system_u:system_r:tomcat_t:s0
Target Context system_u:object_r:usr_t:s0
Target Objects 5dbdfe0aa5419ad2.timestamp [ file ]
Source java
Source Path /usr/java/jre1.8.0_152/bin/java
Port <Unknown>
Host <Unknown>
Source RPM Packages jre1.8-1.8.0_152-fcs.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name test
Platform Linux test 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri
                              Oct 20 20:32:50 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-11-28 17:54:34 UTC
Last Seen 2017-11-28 17:54:34 UTC
Local ID ba4b5201-8fdc-4977-841e-b80e6ed719c1

Raw Audit Messages
type=AVC msg=audit(1511891674.972:9798): avc: denied { write } for pid=31475 comm="java" name="5dbdfe0aa5419ad2.timestamp" dev="dm-0" ino=67228147 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1511891674.972:9798): arch=x86_64 syscall=open success=yes exit=EINTR a0=7f01980e1ea0 a1=241 a2=1b6 a3=9 items=0 ppid=1 pid=31475 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm=java exe=/usr/java/jre1.8.0_152/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null)

Hash: java,tomcat_t,usr_t,file,write
Tags: selinux
Attached Files:

Relationships

Notes
There are no notes attached to this issue.

Issue History
Date Modified     Username  Field         Change
2017-11-28 18:12  deisler   New Issue
2017-11-28 18:12  deisler   Tag Attached: selinux
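Added example (not part of the report or of the selinux-policy package): a small POSIX sh script that turns the two AVC records quoted in the description into audit2allow-style rules, then separates the connect to mongod_port_t (a type-enforcement gap that belongs in a narrow local module and in this bug) from the write to a usr_t file (which the catchall_labels plugin above rightly says should be fixed by relabelling, not by widening tomcat_t). The module name tomcat_mongodb and the list of generic file types in triage_rule are assumptions; the script only prints the .te source and does not call checkmodule or semodule.

```shell
#!/bin/sh
# Constructed sample input: the two AVC records quoted in the report above.
AVC_SAMPLE='type=AVC msg=audit(1511891690.157:9799): avc: denied { name_connect } for pid=31475 comm="java" dest=27017 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1511891674.972:9798): avc: denied { write } for pid=31475 comm="java" name="5dbdfe0aa5419ad2.timestamp" dev="dm-0" ino=67228147 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_to_rules: read AVC lines on stdin and print one "allow" rule per unique
# (source type, target type, class, permission), the way audit2allow does.
avc_to_rules() {
  sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
  awk '{ for (i = 4; i <= NF; i++) { k = $1 " " $2 ":" $3 " " $i
           if (!(k in seen)) { seen[k] = 1; printf "allow %s;\n", k } } }'
}

# triage_rule: "module" when a confined domain is denied a connect to a
# labelled port (a policy gap worth a narrow local module and a bug report);
# "relabel" when the target is a generic file type such as usr_t, where the
# right fix is an fcontext rule plus restorecon, not a wider tomcat_t
# (the generic-type list is an assumption for this example); "review" otherwise.
triage_rule() {
  case "$1" in
    *_port_t:tcp_socket*) echo module ;;
    *" "usr_t:*|*" "var_t:*|*" "etc_t:*|*" "tmp_t:*) echo relabel ;;
    *) echo review ;;
  esac
}

# make_te: wrap rules from stdin into a minimal .te source with the require
# block checkmodule needs. The module name is the caller's choice.
make_te() {
  rules=$(cat)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" | awk '{ split($3, t, ":"); p = $4; sub(/;$/, "", p)
      types[$2] = 1; types[t[1]] = 1; cls[t[2]] = cls[t[2]] " " p }
    END { for (x in types) print "\ttype " x ";"
          for (c in cls) print "\tclass " c " {" cls[c] " };" }'
  printf '}\n\n%s\n' "$rules"
}

# local_module_source: only rules triaged as "module" go into the module;
# the usr_t write is deliberately left out so it gets relabelled instead.
local_module_source() {
  printf '%s\n' "$AVC_SAMPLE" | avc_to_rules |
  while IFS= read -r r; do
    if [ "$(triage_rule "$r")" = module ]; then printf '%s\n' "$r"; fi
  done | make_te tomcat_mongodb
}

local_module_source
```

Feeding real records in with `ausearch -m AVC --raw | avc_to_rules` gives the same rule list sealert's catchall plugin would; the point of the triage step is to keep an `allow` for the port while the file gets `semanage fcontext` plus `restorecon` as the report's second alert recommends.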