Hello Coty,
For the sake of other readers, I confirm the behavior you identified from
SELinux:
[root@localhost audit]# grep -P '^type=AVC' audit.log | grep name_bind
type=AVC msg=audit(1513876523.918:145): avc: denied { name_bind } for pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513876981.747:148): avc: denied { name_bind } for pid=10726 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877805.970:135): avc: denied { name_bind } for pid=2376 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877965.612:138): avc: denied { name_bind } for pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878056.773:141): avc: denied { name_bind } for pid=2512 comm="java" src=17777 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878361.650:185): avc: denied { name_bind } for pid=2609 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878699.852:190): avc: denied { name_bind } for pid=2714 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878900.757:193): avc: denied { name_bind } for pid=2803 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513879083.533:196): avc: denied { name_bind } for pid=2870 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513879865.598:216): avc: denied { name_bind } for pid=3480 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513885200.245:233): avc: denied { name_bind } for pid=4385 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513964943.996:108): avc: denied { name_bind } for pid=1808 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
[root@localhost audit]#
Since I'm not acquainted with SELinux, I read some introductory documentation
about it, so I'm guessing here that the proper way to allow a different port
(8090 in your sample of semanage) to be used by Tomcat would be:
semanage port --add -t initrc_t -p tcp 8090
Since the running process of Tomcat is not related to http_port_t:
[root@localhost audit]# ps auxZ | grep -v grep | grep -i jenkins
system_u:system_r:initrc_t:s0 jenkins 1255 3.0 27.0 2417080 274544 ? Ssl 10:34 0:51 /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=8090 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
Is that right?
On the other hand, semanage port -l | grep init or semanage port -l | grep 8090
gives me nothing.
Thanks,
Alceu
On Thursday, December 21, 2017 at 18:49:48 BRST, Coty Sutherland
<[email protected]> wrote:
This behavior is due to a fix in the selinux-policy package; see
https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more details.
If you check /var/log/audit/audit.log you'll see an AVC denial, such
as:
type=AVC msg=audit(1513815897.006:136): avc: denied { name_bind } for pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket ...
Previous versions of tomcat were incorrectly labeled unconfined_t and
could do whatever they wanted; that has been addressed and now tomcat is
confined by selinux as it should be :)
You can fix the problem by adding the port you want to allow to the
system's HTTP port type, http_port_t:
`semanage port --add -t http_port_t -p tcp 8090`
Cheers,
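As an added example (not part of the thread and not code from the Tomcat or Jenkins projects), the script below turns the diagnosis and fix discussed above into something repeatable: it pulls the name_bind denials for the tomcat_t domain out of audit.log records, reduces them to distinct port/port-type pairs, and prints the semanage command from Coty's reply for each one. It only prints the commands; it does not run semanage. The audit records embedded in sample_audit_log are constructed to match the format shown in the thread (including the double spaces auditd really writes around "denied"). One generalisation beyond the thread is an assumption of mine: a port that already carries a named type such as websm_port_t cannot be added a second time, so the script emits `semanage port --modify` for it instead of `--add`.

```shell
#!/bin/sh
# Added example, not from the original thread or from the Tomcat/Jenkins
# projects. Parses SELinux name_bind AVC denials for the tomcat_t domain and
# prints the "semanage port" fix described in the thread (does not execute it).

# Constructed sample of /var/log/audit/audit.log records: three name_bind
# denials, one SYSCALL record and one unrelated name_connect denial. Real
# audit.log records are one line each; the format matches auditd's output.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1513876523.918:145): avc:  denied  { name_bind } for  pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1513876523.918:145): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1513877965.612:138): avc:  denied  { name_bind } for  pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878361.650:185): avc:  denied  { name_bind } for  pid=2609 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878400.001:190): avc:  denied  { name_connect } for  pid=2609 comm="java" dest=5432 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
EOF
}

# Reads audit records on stdin and prints "domain port port_type" for every
# name_bind denial, one line per distinct triple. Tolerates the single or
# double spacing seen in the thread and in real logs, and any MLS level.
name_bind_denials() {
    grep -E '^type=AVC .*avc: +denied +[{] name_bind [}]' \
    | sed -nE 's/.* src=([0-9]+) .*scontext=[^ ]*:system_r:([a-z_]+):[^ ]+ .*tcontext=[^ ]*:object_r:([a-z_]+):[^ ]+ .*/\2 \1 \3/p' \
    | sort -u
}

# Prints the fix from the thread for one port. $1 = port, $2 = current port
# type. Assumption (mine, not from the thread): a port that already has a
# named type (e.g. websm_port_t) must be relabelled with --modify, because
# "semanage port --add" refuses a port that is already defined.
semanage_fix_for() {
    case "$2" in
        unreserved_port_t) printf 'semanage port --add -t http_port_t -p tcp %s\n' "$1" ;;
        *)                 printf 'semanage port --modify -t http_port_t -p tcp %s\n' "$1" ;;
    esac
}

# Reads audit records on stdin and prints one semanage command per denied
# port bound by the tomcat_t domain. Denials from other domains are skipped.
suggest_fixes() {
    name_bind_denials | while read -r domain port ptype; do
        [ "$domain" = "tomcat_t" ] || continue
        semanage_fix_for "$port" "$ptype"
    done
}

# Stand-alone run over the constructed sample. On a real host:
#   suggest_fixes < /var/log/audit/audit.log
sample_audit_log | suggest_fixes
```

Two points worth keeping in mind when reading the output. First, `semanage port -l` only lists ports that have a named type, so an unreserved port such as 8090 never shows up in it until you add it; that is the normal state, not a missing entry. Second, the script prints but does not run the commands, so you can review which ports are about to be relabelled http_port_t (and whether moving an already-labelled port like 9090 out of its current type is really what you want) before touching the policy.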