From 4dc51a6a96283e917df086e08e7b8bd6c562c6c9 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 1 Jul 2016 14:14:32 -0400
Subject: [PATCH] Resolves: rhbz#1347835 The security manager doesn't work correctly (JSPs cannot be compiled)
---
 tomcat-8.0-catalina-policy.patch | 39 ++++++++++++++++++++++++++++++++
 tomcat.spec | 1 +
 2 files changed, 40 insertions(+)
 create mode 100644 tomcat-8.0-catalina-policy.patch
diff --git a/tomcat-8.0-catalina-policy.patch b/tomcat-8.0-catalina-policy.patch
new file mode 100644
index 0000000..3694929
--- /dev/null
+++ b/tomcat-8.0-catalina-policy.patch
@@ -0,0 +1,39 @@
+--- conf/catalina.policy~ 2016-06-17 10:20:17.649171968 -0400
++++ conf/catalina.policy 2016-06-17 10:23:35.358309244 -0400
+@@ -50,6 +50,36 @@ grant codeBase "file:${java.home}/lib/ex
+ permission java.security.AllPermission;
+ };
+
++// ========== RHEL SPECIFIC CODE PERMISSIONS =======================================
++
++// Allowing everything in /usr/share/java allows too many unknowns to be permitted
++// Specifying the individual jars that tomcat needs to function with the security manager
++// is the safest way forward.
++grant codeBase "file:/usr/share/java/tomcat-servlet-3.0-api.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/tomcat-jsp-2.2-api.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/tomcat-el-2.2-api.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/log4j.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/ecj.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/apache-commons-pool.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" {
++ permission java.security.AllPermission;
++};
++grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
++ permission java.security.AllPermission;
++};
++
+
+ // ========== CATALINA CODE PERMISSIONS =======================================
+
diff --git a/tomcat.spec b/tomcat.spec
index e017fa1..258a218 100644
--- a/tomcat.spec
+++ b/tomcat.spec
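Review bot: Every one of the eight new grants in tomcat-8.0-catalina-policy.patch gives `java.security.AllPermission`, so listing jars individually narrows which files are trusted but not what they may do. For log4j.jar, ecj.jar and the three apache-commons jars, a short comment on why full trust is required (or a narrower permission set) would make the policy auditable. The three API jar names (`tomcat-servlet-3.0-api.jar`, `tomcat-jsp-2.2-api.jar`, `tomcat-el-2.2-api.jar`) look like Tomcat 7 specification levels while the patch is named for 8.0. If the installed files carry different version numbers, these codeBase entries match nothing and the JSP compilation failure would remain, so they should be checked against the package's file list. The diffstat also shows tomcat.spec gaining only the changelog line, so unless a `PatchN:`/`%patch` entry for this file already exists elsewhere in the spec, the new policy is never applied at build time.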
@@ -687,6 +687,7 @@ fi - Resolves: rhbz#1364056 The command tomcat-digest doesn't work - Resolves: rhbz#1363884 The tomcat-tool-wrapper script is broken - Resolves: rhbz#1347864 The systemd service unit does not allow tomcat to shut down gracefully +- Resolves: rhbz#1347835 The security manager doesn't work correctly (JSPs cannot be compiled) * Wed Mar 2 2016 Ivan Afonichev - 1:8.0.32-4 - Revert sysconfig migration changes, resolves: rhbz#1311771, rhbz#1311905