SELinux woes with Tomcat on CentOS 7.6


Following up on my previous hurdles, here’s what happened after upgrading to CentOS 7.6. We use PostgreSQL primarily, but also some MSSQL and MySQL. With 7.6, Red Hat quietly decided it’s no longer a sane default to let Tomcat connect to databases. Because, webapps normally don’t use databases, right?

Anyway, let’s write a proper policy module, shall we?

module sane-tomcat 1.0;

require {
        # process contexts
        type tomcat_t;

        # port contexts
        type mssql_port_t;
        type mysqld_port_t;
        type postgresql_port_t;
        type smtp_port_t;
        type whois_port_t;

        # dir contexts
        type tomcat_cache_t;

        # classes
        class tcp_socket name_connect;
        class file execute;

#============= tomcat_t ==============

# allow tomcat to send emails
allow tomcat_t smtp_port_t:tcp_socket name_connect;

# allow tomcat to execute jar files from cache
allow tomcat_t tomcat_cache_t:file execute;

# allow tomcat to perform whois query
allow tomcat_t whois_port_t:tcp_socket name_connect;

# allow tomcat to connect to postgresql
allow tomcat_t postgresql_port_t:tcp_socket name_connect;

# allow tomcat to connect to mssql
allow tomcat_t mssql_port_t:tcp_socket name_connect;

# allow tomcat to connect to mysql
allow tomcat_t mysqld_port_t:tcp_socket name_connect;

Easy enough. Save this as sane-tomcat.te, then deploy with as explained in the SELinux Crash Course.