Redhat – SELinux Blocks Tomcat 7 Service in RHEL 7 after Yum update

permissions, redhat, tomcat7

I performed a Yum update and Tomcat's ability to access a file has been broken.

SEVERE: Failed to load keystore type JKS with path /var/websvr/certs/keyfile.jks due to /var/websvr/certs/keyfile.jks (Permission denied)
java.io.FileNotFoundException: /var/websvr/certs/keyfile.jks (Permission denied)

Even though the tomcat user has ownership of, and full permissions on, not only the file but the entire directory:

-rwxrwxrwx. 1 tomcat   tomcat 4829 Aug 19  2016 keyfile.jks

and I have verified that Tomcat is running under tomcat user. So, why is access still being prevented?

Red Hat Enterprise Linux Server release 7.4 (Maipo)

Edit

From A.B's comment – the /var/log/audit/audit.log :

type=AVC msg=audit(1511208892.087:392): avc:  denied  { read } for  pid=770 comm="java" name="keyfile.jks" dev="xvda2" ino=9641897 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

So it appears this is SELinux related. I have tried to resolve it, but posts like this one require a Red Hat subscription.

Using the RH doc for SELinux & Apache, in conjunction with the RH SELinux doc, I think that to resolve this the keyfile.jks file must be labelled with:

tomcat_t:tomcat_t:tomcat_sys_content_t:s0

which is read-only access for confined user tomcat_t in role tomcat_t. The file is currently labelled:

unconfined_u:object_r:var_t:s0

to get past additional SELinux file restrictions.

Any guidance is appreciated!

Best Answer

If you want to label /var/websvr/certs/keyfile.jks with tomcat_sys_content_t then you can create a custom file context:

semanage fcontext -a /var/websvr/certs/keyfile.jks -t tomcat_sys_content_t
restorecon /var/websvr/certs/keyfile.jks

If that doesn't work because tomcat_sys_content_t doesn't exist then substitute tomcat_t or possibly pki_tomcat_cert_t in the command above.
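An added example, not code from the question or the answer: it parses the AVC record quoted in the question into the fields that matter (permission, source type, target type), checks the answer's caveat that the target type must exist in the loaded policy, and writes a persistent rule over the whole certs directory instead of one file. It assumes the directory /var/websvr/certs and the seinfo tool from setools-console for the type check.

```shell
#!/bin/sh
# Added example, not code from the question or answer: parse the AVC record
# from the question, then relabel the whole certs directory persistently.
# Assumes the keystore directory /var/websvr/certs and seinfo (setools-console).

# Sample input: the AVC record quoted in the question.
SAMPLE_AVC='type=AVC msg=audit(1511208892.087:392): avc:  denied  { read } for  pid=770 comm="java" name="keyfile.jks" dev="xvda2" ino=9641897 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'

# Print "perm source_type target_type class name" for one AVC record.
# A context is user:role:type:level; only the type (3rd field) drives the denial.
parse_avc() {
  printf '%s\n' "$1" | awk '
    match($0, /\{[^}]*\}/) {
      perm = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perm)
    }
    {
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        if (kv[1] == "tclass")   tclass = kv[2]
        if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name) }
      }
      print perm, stype, ttype, tclass, name
    }'
}

# Persistent rule over the directory (regex), so a keystore that is replaced
# or renewed later is labelled too; the answer's single-path rule only covers
# that exact path.
fcontext_commands() {
  printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

# Apply only if semanage exists and the type is in the loaded policy (the
# answer's caveat); otherwise print what would run.
apply_fix() {
  if command -v semanage >/dev/null 2>&1 && seinfo -t "$2" 2>/dev/null | grep -qw "$2"; then
    fcontext_commands "$1" "$2" | sh -e && ls -Z "$1"
  else
    echo "dry run (no semanage, or type $2 unknown to the policy):"
    fcontext_commands "$1" "$2"
  fi
}

parse_avc "$SAMPLE_AVC"    # read tomcat_t var_t file keyfile.jks
apply_fix /var/websvr/certs tomcat_sys_content_t
```

After a real run, `ls -Z /var/websvr/certs` should show the new type and `ausearch -m avc -ts recent` should no longer report the tomcat_t to var_t denial.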