On Tue, Dec 26, 2017 at 8:12 AM, Alceu R. de Freitas Jr.
<glasswal...@yahoo.com.br.invalid> wrote:
>  Hello Coty,
> For the sake of other readers, I confirm the behavior you identified from 
> SELinux:

Great, thanks.

> [root@localhost audit]# grep -P '^type=AVC' audit.log | grep name_bind
> type=AVC msg=audit(1513876523.918:145): avc:  denied  { name_bind } for  
> pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513876981.747:148): avc:  denied  { name_bind } for  
> pid=10726 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513877805.970:135): avc:  denied  { name_bind } for  
> pid=2376 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513877965.612:138): avc:  denied  { name_bind } for  
> pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513878056.773:141): avc:  denied  { name_bind } for  
> pid=2512 comm="java" src=17777 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513878361.650:185): avc:  denied  { name_bind } for  
> pid=2609 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513878699.852:190): avc:  denied  { name_bind } for  
> pid=2714 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513878900.757:193): avc:  denied  { name_bind } for  
> pid=2803 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513879083.533:196): avc:  denied  { name_bind } for  
> pid=2870 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513879865.598:216): avc:  denied  { name_bind } for  
> pid=3480 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513885200.245:233): avc:  denied  { name_bind } for  
> pid=4385 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1513964943.996:108): avc:  denied  { name_bind } for  
> pid=1808 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 
> tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
> [root@localhost audit]#
>
> Since I'm not acquainted with SELinux, I read some introductory documentation 
> about it, so I'm guessing here that the proper way to allow a different port 
> (8090 in your sample of semanage) to be used by Tomcat would be:
> semanage port --add -t initrc_t -p tcp 8090

If that works, sure :)

>
> Since the running process of Tomcat is not related to http_port_t:

I'm not sure what you mean by 'is not related to', but tomcat is
related to http_port_t because it's allowed name_bind and name_connect
by the default system policy:

~~~
# sesearch -t http_port_t -AC | grep tomcat
   allow tomcat_domain http_port_t : tcp_socket { name_bind name_connect } ;
~~~

> [root@localhost audit]# ps auxZ | grep -v grep | grep -i jenkins
> system_u:system_r:initrc_t:s0   jenkins   1255  3.0 27.0 2417080 274544 ?     
>  Ssl  10:34   0:51 /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized 
> -Djava.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar 
> /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log 
> --webroot=/var/cache/jenkins/war --daemon --httpPort=8090 --debug=5 
> --handlerCountMax=100 --handlerCountMaxIdle=20
>
> Is that right?
> On the other hand, semanage port -l | grep init or semanage port -l | grep 
> 8090 gives me nothing.

You don't see the port in the list because 8090 is not a port that's
in any port type definition by default, hence my suggestion to add it
to a type that tomcat can use. From what you've noted above though
you're not trying to bind tomcat to 8090, you're trying to bind
jenkins to 8090. Is that right?

By the way, you can check what labels any port has with seinfo:

~~~
# seinfo --portcon=8090
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# seinfo --portcon=8080
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
~~~

Note that a port that works (8080) is labeled http_cache_port_t which
is usable by tomcat_domain and port 8090 is just labeled as an
unreserved_port_t.

> Thanks,
> Alceu
>
>     On Thursday, December 21, 2017 18:49:48 BRST, Coty Sutherland 
> <csuth...@apache.org> wrote:
>
> This behavior is due to a fix in the selinux-policy package; see
> https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more details.
> If you check /var/log/audit/audit.log you'll see an AVC denial, such
> as:
>
>     type=AVC msg=audit(1513815897.006:136): avc:  denied  { name_bind
> } for  pid=1467 comm="java" src=8090
> scontext=system_u:system_r:tomcat_t:s0
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket ...
>
> Previous versions of tomcat were incorrectly labeled unconfined_t and
> could do whatever they wanted; that has been addressed and now tomcat is
> confined by selinux as it should be :)
>
> You can fix the problem by adding the port you want to allow to the
> system's HTTP port type, http_port_t: `semanage port --add -t
> http_port_t -p tcp 8090`
>
> Cheers,
>
>

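The thread's diagnosis boils down to three steps: pull the `name_bind` AVC denials out of `/var/log/audit/audit.log`, read off which source domain tried to bind which port and what type that port carries, and then label the port with a type the domain is allowed to use (Coty's `semanage port --add -t http_port_t -p tcp 8090`). The script below is an added example, not code from the thread or from any Apache or SELinux project: it parses audit records with the field layout quoted above into Python dicts, counts the denials per (domain, port, protocol, port type), and builds the `semanage` command for ports that are merely `unreserved_port_t`. Ports that already carry a specific type (like 9090, `websm_port_t`, in Alceu's log) are reported separately rather than relabelled, because `semanage port -a` rejects a port the policy already defines and reassigning it would change what every other domain may bind there. The sample input reuses four AVC lines quoted in the thread (joined back onto single lines, as they are in a real audit.log) plus one constructed non-AVC record to show it is skipped.

```python
import re
from collections import Counter

# Sample input: four AVC records quoted in the thread, plus one constructed
# SYSCALL record (not from the page) so the parser has something to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513876523.918:145): avc:  denied  { name_bind } for  pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1513876523.918:145): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1513876981.747:148): avc:  denied  { name_bind } for  pid=10726 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877965.612:138): avc:  denied  { name_bind } for  pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878056.773:141): avc:  denied  { name_bind } for  pid=2512 comm="java" src=17777 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# Field layout of a socket-class AVC record as it appears in the thread.
# src= is used for name_bind (local port); dest= for name_connect (remote port).
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)" '
    r'(?:src|dest)=(?P<port>\d+) '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per socket-class AVC record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec['perms'] = rec['perms'].split()
        rec['port'] = int(rec['port'])
        rec['pid'] = int(rec['pid'])
        # user:role:type:level -> the type field is what the policy rules key on
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        records.append(rec)
    return records


def summarize_name_bind(records):
    """Count denied name_bind attempts keyed by (source domain, port, proto, port type)."""
    counts = Counter()
    for r in records:
        if r['result'] != 'denied' or 'name_bind' not in r['perms']:
            continue
        if r['tclass'] not in ('tcp_socket', 'udp_socket'):
            continue
        proto = 'tcp' if r['tclass'] == 'tcp_socket' else 'udp'
        counts[(r['stype'], r['port'], proto, r['ttype'])] += 1
    return counts


def suggest_semanage(summary, target_type='http_port_t'):
    """Build the fix Coty described for ports that have no specific label yet.

    Ports already carrying a type other than unreserved_port_t are returned as
    warnings instead: semanage refuses to --add a port the policy already
    defines, and relabelling it would also change what other domains may bind.
    """
    commands, warnings = [], []
    for (stype, port, proto, ttype) in sorted(summary):
        if ttype == 'unreserved_port_t':
            cmd = f'semanage port --add -t {target_type} -p {proto} {port}'
            if cmd not in commands:
                commands.append(cmd)
        else:
            warnings.append(
                f'{proto}/{port} is already labelled {ttype}; {stype} is not allowed '
                f'name_bind on it, and relabelling would affect every domain allowed on {ttype}'
            )
    return commands, warnings


if __name__ == '__main__':
    summary = summarize_name_bind(parse_avc(SAMPLE_AUDIT_LOG))
    for key, n in sorted(summary.items()):
        print(f'{n:3d} x {key[0]} -> {key[2]}/{key[1]} ({key[3]})')
    cmds, warns = suggest_semanage(summary)
    print('\n'.join(cmds))
    print('\n'.join(warns))
```

Run it against a real log with `grep '^type=AVC' /var/log/audit/audit.log` piped in place of the sample, and compare the suggested port type against `sesearch -t <type> -AC | grep <domain>` before applying anything, which is the check Coty's `sesearch` output above performs for `http_port_t` and `tomcat_domain`.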
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
