Java and tomcat 8

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby PingLord » Tue May 10, 2016 10:53 am

Hello,

I'm currently running grsec kernel 4.4.9 on CentOS 7.2. I encounter the following odd things:

On the latest 4.4.9 patch I'm having some interesting issues regarding the load on the server:

Without grsec the load is around 4-5 load average.

With grsec it starts at around 8-9 load average and after 30 minutes it gets to 26-27.

The second issue I'm having is an RBAC one. I'm using the same policy from the 3.14 patch for RBAC, but I'm seeing the following in /var/log/messages even though the subject is created:

Code:
May 10 10:43:01 web15 kernel: grsec: (default:D:/) denied access to hidden file /var/log/tomcat/localhost.log by /usr/lib/jvm/java-1.8.0-oracle-1.8.0.40.x86_64/jre/bin/java[<file:1585] uid/euid:982/982 gid/egid:978/978, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0


The java binary has a subject :

Code:
subject /usr/lib/jvm/java-1.8.0-oracle-1.8.0.40.x86_64/jre/bin/java o {
   /            h
   /dev            h
   /dev/random         r
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp         h
   /etc/samba/smbpasswd      h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /sys            h
   /sys/devices/system/cpu      
   /sys/devices/system/cpu/online   r
   /tmp            rwcd
   /usr            
   /usr/lib         rx
   /usr/lib64         rx
   /usr/share         rwc
   /usr/src         h
   /var            
   /var/backups         h
   /var/cache         rwcd
   /var/lib         rwc
   /var/log/tomcat         w
   -CAP_ALL
   +CAP_DAC_READ_SEARCH
   +CAP_NET_BIND_SERVICE
   bind 0.0.0.0/32:0 dgram ip
   connect 0.0.0.0/0:0 dgram udp
   connect 0.0.0.0/0:53 dgram udp
   sock_allow_family ipv6 netlink
}


Does anyone have any ideas, or has anyone encountered these things?
PingLord
 
Posts: 6
Joined: Tue Jul 01, 2014 5:26 am
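An added example, not from the post above or from grsecurity itself: a Python helper that parses a denial line of the shape quoted in the post and checks it against the posted subject block. The grsec log prefix `(role:roletype:subject)` names the role and the subject that was actually enforced for the process, so comparing that subject with the binary's own subject, and looking up what the binary's subject would grant for the denied path, shows whether the java subject was the one applied. The sample log line and the abridged subject block are constructed from the post.

```python
import re

# Constructed samples: the denial line and an abridged subject block from the post above.
SAMPLE_LOG = (
    "May 10 10:43:01 web15 kernel: grsec: (default:D:/) denied access to hidden file "
    "/var/log/tomcat/localhost.log by /usr/lib/jvm/java-1.8.0-oracle-1.8.0.40.x86_64/jre/bin/java"
    "[<file:1585] uid/euid:982/982 gid/egid:978/978, parent /usr/lib/systemd/systemd[systemd:1] "
    "uid/euid:0/0 gid/egid:0/0")
SAMPLE_POLICY = """subject /usr/lib/jvm/java-1.8.0-oracle-1.8.0.40.x86_64/jre/bin/java o {
   /            h
   /var
   /var/log/tomcat         w
   -CAP_ALL
}"""

# grsec audit prefix is (role:roletype:subject); roletype D=default, U=user, G=group, S=special.
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[DUGS]):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<path>\S+) by (?P<binary>\S+?)\[[^\]]*\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")

def parse_denial(line):
    """Extract role, enforced subject, denied path and offending binary from a denial line."""
    m = DENIAL_RE.search(line)
    return {k: (int(v) if k in ("uid", "euid") else v) for k, v in m.groupdict().items()} if m else None

def parse_subjects(policy):
    """Map each subject path to its {object_path: mode} table (mode '' means no access)."""
    subjects, current = {}, None
    for line in (l.strip() for l in policy.splitlines()):
        if line.startswith("subject "):
            current = line.split()[1]
            subjects[current] = {}
        elif current and line.startswith("/"):   # object lines until the next subject header
            parts = line.split()
            subjects[current][parts[0]] = parts[1] if len(parts) > 1 else ""
    return subjects

def effective_mode(objects, path):
    """Longest-prefix object match, the way RBAC picks the object that governs a path."""
    best = max((o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")),
               key=len, default=None)
    return objects.get(best)

def diagnose(line, policy):
    d = parse_denial(line)
    subjects = parse_subjects(policy)
    d["binary_has_subject"] = d["binary"] in subjects
    d["enforced_is_binary_subject"] = d["subject"] == d["binary"]   # False here: "/" was enforced
    d["mode_under_binary_subject"] = (effective_mode(subjects[d["binary"]], d["path"])
                                      if d["binary_has_subject"] else None)
    return d
```

For the posted line the result shows the `default` role's `/` subject being enforced rather than the java subject, under which the path would resolve to the `/var/log/tomcat` object with mode `w`.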