RHEL / CentOS 7.4
With the update to CentOS 7.4, there are a number of changes in the behaviour of SELinux in relation to Tomcat:
- The file context of WAR files is taken into account
- Database connections are prohibited
- Connections to SMTP servers are prohibited
- NFS access is prohibited
- Access to the file system is prohibited
For 1.)
To ensure that all applications continue to work after the update, you must ensure that WAR files are not moved to the webapps directory in the future. They should therefore be copied to the directory.
The problem with moving the files is that the potentially incorrect SELinux file context of the source directory may be retained. When the files are copied, this is not the case.
Alternatively, the command
[root@sds ~]# restorecon -rv /usr/share/tomcat/webapps |
can be used to correct the file context to the directory default.
In the Tomcat logs, an incorrect file context appears as follows:
java.io.FileNotFoundException: /var/lib/tomcat/webapps/oauth.war |
For 2. and 3.)
Option 1 - Create the rules yourself:
The API of DRACOON is again a special case, because it must establish a database connection. Likewise, it must be possible to send e-mails.
To ensure that they are not blocked by SELinux, we set it to permissive following the update to CentOS 7.4 and the subsequent restart and we then restart Tomcat:
[root@sds ~]# setenforce 0 |
Once the application is fully started, a corresponding policy for SELinux must be created (to do so, the “policycoreutils-python” package must be installed):
[root@sds ~]# grep tomcat /var/log/audit/audit.log | audit2allow -m tomcat_mysql require { #============= tomcat_t ============== semodule -i tomcat_mysql.pp |
CAUTION: The DRACOON is not yet fully functional with this rule alone. To generate a complete rule yourself, you must execute each DRACOON function (upload, download, delete, send mail, and so on) once.
SELinux can then be set to enforcing mode again and the start of Tomcat can be tested again:
[root@sds ~]# setenforce 1 |
The procedure is identical for everything else (STMP, NFS, and so on) and can also be combined in a rule.
When using an NFS share, a rule would appear as follows:
[root@sds ~]# grep tomcat /var/log/audit/audit.log | audit2allow -m tomcat_nfs require { #============= tomcat_t ============== |
Option 2 - Copy rules:
The rules below can also be copied and enabled on the system.
The policy below is copied to a corresponding text file on the system.
We then create and enable the policy (to do so, the “policycoreutils-python” package must be installed):
[root@sds ~]# checkmodule -M -m -o policy.mod policy.te |
tomcat_mysql.te:
require { #============= tomcat_t ============== |
tomcat_nfs.te:
require { #============= tomcat_t ============== |
tomcat_mnt.te (if the data is not on an NFS share and under /mnt/ instead, you must ensure that the file context is correct, e.g. 'chcon -R -u system_u -r object_r -t mnt_t /mnt/data'):
require { #============= tomcat_t ============== |
tomcat_smtp.te:
require { #============= tomcat_t ============== |
Comments
0 comments
Article is closed for comments.