SELinux is preventing /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/bin/java from create access on the directory /usr/share/tomcat/.pki

Problem:
SELinux is preventing /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/bin/java from create access on the directory /usr/share/tomcat/.pki.
Expected outcome:
Not to have SELinux complaints :slight_smile:
Foreman and Proxy versions:
Foreman 3.6 & Katello 4.8
Foreman and Proxy plugin versions:
Ansible 3.5.4
DNS 3.6.1 (domains: int.example.com)
Dynflow 0.9.0
Content 3.2.0 (supported content types: ansible_collection, deb, docker, file, python, yum)
Realm 3.6.1 (realms: INT.EXAMPLE.COM)
Script 0.10.1
Distribution and version:
RHEL 8.7
Other relevant data:
SELinux is preventing /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/bin/java from create access on the directory /usr/share/tomcat/.pki. 11
Occurred between Apr 23, 2023, 2:49 AM and May 18, 2023, 9:52 AM

Solutions

Audit log
If you want to allow java to have create access on the .pki directory
You need to change the label on /usr/share/tomcat/.pki

solution details
semanage fcontext -a -t FILE_TYPE '/usr/share/tomcat/.pki'
where FILE_TYPE is one of the following: candlepin_var_cache_t, candlepin_var_lib_t, candlepin_var_log_t, pki_common_t, pki_tomcat_etc_rw_t, pki_tomcat_log_t, pki_tomcat_var_lib_t, tomcat_cache_t, tomcat_log_t, tomcat_tmp_t, tomcat_var_lib_t, tomcat_var_run_t.
Then execute:
restorecon -v '/usr/share/tomcat/.pki'

Solution:
A recommendation on which security type I should set.
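The sealert text above lists candidate types but gives a literal path and no way to check what is actually being denied. The script below is an added example (not part of the original post, and not Foreman, Katello or setroubleshoot code): it parses `type=AVC` records from `/var/log/audit/audit.log`, collapses repeats into the "occurred between" summary the alert shows, and builds the `semanage fcontext`/`restorecon` pair with a proper file-context regex (escaped dot, `(/.*)?` so later contents inherit the label) restricted to the types sealert offered. The embedded audit lines are constructed for the example; the pid, timestamps and the `tomcat_t`/`usr_t` contexts in them are assumptions, not data from the post. One caveat worth keeping in mind: an fcontext rule is only applied by restorecon to paths that exist, so if the `create` itself is denied and the directory was never made, the rule takes effect only after the directory is created by hand or the create is allowed.

```python
"""Parse SELinux AVC records out of audit.log and turn the sealert advice into
concrete, checkable commands. Example code added here; it is not part of the
original post and not Foreman/Katello/setroubleshoot code."""
import re
import shlex
from collections import OrderedDict

# Constructed sample audit records for illustration. The java path is the one
# from the alert; the pid, timestamps and both SELinux contexts are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1682215200.512:9031): avc:  denied  { create } for  pid=20412 comm="java" name=".pki" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1682215200.512:9031): arch=c000003e syscall=83 success=no exit=-13 ppid=1 pid=20412 comm="java" exe="/usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1684399920.077:9310): avc:  denied  { create } for  pid=20412 comm="java" name=".pki" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types sealert listed as acceptable for the path (taken from the alert text).
SEALERT_CANDIDATE_TYPES = frozenset((
    "candlepin_var_cache_t", "candlepin_var_lib_t", "candlepin_var_log_t",
    "pki_common_t", "pki_tomcat_etc_rw_t", "pki_tomcat_log_t",
    "pki_tomcat_var_lib_t", "tomcat_cache_t", "tomcat_log_t", "tomcat_tmp_t",
    "tomcat_var_lib_t", "tomcat_var_run_t",
))


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "tclass": kv.get("tclass"),
        # user:role:type:level -> the type is what policy rules are written against
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        # permissive=1 means the access was logged but actually allowed
        "enforced": kv.get("permissive") == "0",
    }


def parse_audit_log(text):
    """All AVC records in an audit.log excerpt, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Collapse repeated denials the way the setroubleshoot alert does
    ('Occurred between ... and ...'), keyed on the access being denied."""
    groups = OrderedDict()
    for r in records:
        key = (r["source_type"], r["target_type"], r["tclass"], r["perms"], r["name"])
        g = groups.setdefault(key, {"count": 0, "first": r["timestamp"],
                                    "last": r["timestamp"], "enforced": 0})
        g["count"] += 1
        g["first"] = min(g["first"], r["timestamp"])
        g["last"] = max(g["last"], r["timestamp"])
        g["enforced"] += int(r["enforced"])
    return groups


# Characters that are regex metacharacters in file-context specifications.
_FCONTEXT_META = set(".^$*+?()[]{}|\\")


def fcontext_commands(path, file_type):
    """Build the semanage/restorecon pair. Unlike the literal path in the
    alert, the pattern is a regex: the dot is escaped and '(/.*)?' makes the
    rule cover the directory and everything later created under it."""
    if file_type not in SEALERT_CANDIDATE_TYPES:
        raise ValueError("%s is not one of the types sealert offered" % file_type)
    base = path.rstrip("/")
    escaped = "".join("\\" + c if c in _FCONTEXT_META else c for c in base)
    return [
        "semanage fcontext -a -t %s %s" % (file_type, shlex.quote(escaped + "(/.*)?")),
        "restorecon -Rv %s" % shlex.quote(base),
    ]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, g in summarize(recs).items():
        print(key, g)
    print("\n".join(fcontext_commands("/usr/share/tomcat/.pki", "tomcat_var_lib_t")))
```

On a real box the input would come from `ausearch -m avc -ts recent` or the raw audit.log; the `enforced` count tells you whether the denials are actually blocking anything (in a permissive domain they are logged but allowed), which is the question the replies below turn on. `tomcat_var_lib_t` is used only as an illustrative pick from the list; the script does not decide which type is right for the directory.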

I did see those denials too, but have never seen anything not working because of them.

Do you know of any problems?

No, it's just bugging me :slight_smile:

Ok, yeah, that’s fair.

@ehelms is that Katello or Candlepin policy to extend here?

I don’t have /usr/share/tomcat/.pki on 3.5.3/4.7.5. Is that new? Unless it contains static files installed from an RPM, it shouldn’t be under /usr anyway.

You don’t have it, because SELinux prevents the creation :wink:

No. I don’t see any SELinux denials at all. For more than two days. I have even restarted tomcat.service and puppetserver.service, which are the only services using java on my foreman server. I have also updated foreman and ran foreman-installer during the covered time of my audit log.