Opened 7 years ago
Closed 6 years ago
#1667 closed defect (fixed)
petascope and SELinux on CentOS
| Reported by: | Dimitar Misev | Owned by: | Bang Pham Huu |
|---|---|---|---|
| Priority: | major | Milestone: | 9.7 |
| Component: | petascope | Version: | development |
| Keywords: | Cc: | Peter Baumann, bbell | |
| Complexity: | Medium |
Description
Running petascope on CentOS 7 where SELinux is enabled (can be checked with sestatus) fails, as SELinux prevents java to communicate with rasdaman.
At http://rasdaman.org/wiki/FAQ#PetascopecannotconnecttorasdamaninCentos7 we give two possible solutions:
- disable SELinux completely
- allow the rasdaman ports 7001-7010 in SELinux
Option 2. doesn't work however, it can be tested by running the systemtest; there are audit errors like this:
SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 7001. SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre/bin/java from execute access on the file /tmp/rasdaman/gdal_java/2017.12.25.09.33.50/libosrjni.so. SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre/bin/java from write access on the directory tomcat.
We need to find out how to allow these events in particular without completely disabling SELinux.
Change History (4)
comment:1 by , 7 years ago
| Priority: | critical → major |
|---|
comment:2 by , 7 years ago
| Milestone: | 9.5 → Future |
|---|
comment:3 by , 6 years ago
| Cc: | added |
|---|---|
| Milestone: | Future → 9.7 |
| Owner: | changed from to |
| Status: | new → assigned |
comment:4 by , 6 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
This problem should regard to Administrator as SELinux restricts permission by default and not what Petascope can do anything. Below are 2 solutions to make Petascope work when SELinux is enabled (enforcing):
First, install this package:
yum install policycoreutils-python
Then, either:
- disable SELinux for tomcat (from
enforcingtopermissive) by:
semanage permissive -a tomcat_t
- or create a custom configurable rules for SELinux to allow tomcat can read JNI and connect to rasservers's ports.
- Create a config file first (e.g: test2.te)
module test2 1.0; require { type tomcat_t; type tomcat_var_lib_t; type usr_t; type tomcat_exec_t; type unconfined_service_t; type afs_pt_port_t; type tomcat_tmp_t; type tmpfs_t; type afs3_callback_port_t; class tcp_socket name_connect; class file { append create execute read relabelfrom rename write }; class shm { associate getattr read unix_read unix_write write }; } #============= tomcat_t ============== allow tomcat_t afs3_callback_port_t:tcp_socket name_connect; allow tomcat_t tmpfs_t:file { read write }; allow tomcat_t tomcat_tmp_t:file { execute relabelfrom }; allow tomcat_t tomcat_var_lib_t:file execute; allow tomcat_t unconfined_service_t:shm { associate getattr read unix_read unix_write write }; - Create a bash script to generate a binary package from this config file:
deployse.sh #!/bin/sh set -e MODULE=${1} # this will create a .mod file checkmodule -M -m -o ${MODULE}.mod ${MODULE}.te # this will create a compiled semodule semodule_package -m ${MODULE}.mod -o ${MODULE}.pp # this will install the module semodule -i ${MODULE}.pp - Load this rule module to SELinux
./deployse.sh test2
- Create a config file first (e.g: test2.te)
In both cases, restart Tomcat and check that Tomcat can start normally and import data, query data from rasservers.
Perhaps have a look here, it has a section about JNI as well: https://noobient.com/post/165972214381/selinux-woes-with-tomcat-on-centos-74