Problem:
SELinux is preventing /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/bin/java from create access on the directory /usr/share/tomcat/.pki.
Expected outcome:
not to have SELinux complaints
Foreman and Proxy versions:
Foreman 3.6 & Katello 4.8
Foreman and Proxy plugin versions:
- Ansible: version 3.5.4
- DNS: version 3.6.1; domains: int.example.com
- Dynflow: version 0.9.0
- Content: version 3.2.0; supported content types: ansible_collection, deb, docker, file, python, yum
- Realm: version 3.6.1; realms: INT.EXAMPLE.COM
- Script: version 0.10.1
Distribution and version:
RHEL 8.7
Other relevant data:
SELinux is preventing /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/bin/java from create access on the directory /usr/share/tomcat/.pki. 11
Occurred between Apr 23, 2023, 2:49 AM and May 18, 2023, 9:52 AM
Solutions
If you want to allow java to have create access on the .pki directory
You need to change the label on /usr/share/tomcat/.pki
semanage fcontext -a -t FILE_TYPE '/usr/share/tomcat/.pki'
where FILE_TYPE is one of the following: candlepin_var_cache_t, candlepin_var_lib_t, candlepin_var_log_t, pki_common_t, pki_tomcat_etc_rw_t, pki_tomcat_log_t, pki_tomcat_var_lib_t, tomcat_cache_t, tomcat_log_t, tomcat_tmp_t, tomcat_var_lib_t, tomcat_var_run_t.
Then execute:
restorecon -v '/usr/share/tomcat/.pki'
Solution:
A recommendation on which security type I should set.