This is what I see in Fedora
[root@nmoidu ~]# service tomcat status
Redirecting to /bin/systemctl status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/lib/systemd/system/tomcat.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/tomcat.service
[root@nmoidu ~]# service tomcat start
Redirecting to /bin/systemctl start tomcat.service
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 13 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21809 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# cat /etc/redhat-release
Fedora release 16 (Verne)
[root@nmoidu ~]# rpm -qa |grep tomcat
tomcat-7.0.25-2.fc16.noarch
tomcat6-servlet-2.5-api-6.0.32-19.fc16.noarch
tomcat-jsp-2.2-api-7.0.25-2.fc16.noarch
tomcat6-jsp-2.1-api-6.0.32-19.fc16.noarch
tomcat-servlet-3.0-api-7.0.25-2.fc16.noarch
tomcat-lib-7.0.25-2.fc16.noarch
tomcat5-jasper-eclipse-5.5.31-3.fc15.noarch
tomcat-el-2.2-api-7.0.25-2.fc16.noarch
[root@nmoidu ~]# semodule -l | grep -i tomcat
[root@nmoidu ~]#
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl mgrepl@redhat.com wrote:
On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
Hi
Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t?
Are there any known issues with implementing java servers in a confined domain?
If not tomcat, can somebody point me to any other java server (jetty/websphere etc) with a selinux implementation?
--
Thanks and Regards,
What OS?
tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using sepolgen tools.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
to the tomcat.te policy file. Let me look at it also.
Nabeel Moidu
Hyderabad, India
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
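A worked check added here, not code from the thread or from Fedora's policy: a POSIX sh script that reads the text of `ps -efZ` and `semodule -l` and reports whether the Tomcat JVM actually runs in a domain of its own, which is the question the `ps -efZ` output above answers with unconfined_java_t. The PS_SAMPLE lines are trimmed from the session above; the tomcat_t line and the `semodule -l` line are constructed, and treating unconfined_java_t, unconfined_t and initrc_t as "no confinement" is an assumption taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora's policy: parse the
# text of `ps -efZ` and `semodule -l` to tell whether the Tomcat JVM landed in
# a dedicated domain. PS_SAMPLE is trimmed from the session above; PS_CONFINED
# is constructed to show what a working tomcat_t would look like.

PS_SAMPLE='system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -Dcatalina.base=/usr/share/tomcat org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat'

PS_CONFINED='system_u:system_r:tomcat_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java org.apache.catalina.startup.Bootstrap start'

# Print the type (third field of the context) of the process running Tomcat's
# Bootstrap class. Matching on the class name, not on "tomcat", skips the grep
# process that the session above also captured.
tomcat_domain() {
    printf '%s\n' "$1" |
        awk '/org\.apache\.catalina\.startup\.Bootstrap/ { split($1, c, ":"); print c[3]; exit }'
}

# 0 if the JVM is in a domain of its own, 1 if it is in one of the domains the
# thread describes as effectively unconfined (assumption) or is not running.
tomcat_is_confined() {
    case "$(tomcat_domain "$1")" in
        ""|unconfined_java_t|unconfined_t|initrc_t) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if `semodule -l` output (passed as text) lists a module named tomcat.
tomcat_module_installed() {
    printf '%s\n' "$1" | awk '$1 == "tomcat" { found = 1 } END { exit !found }'
}

# Human-readable summary; always returns 0 so it is safe under `set -e`.
report() {
    domain=$(tomcat_domain "$1")
    if tomcat_is_confined "$1"; then
        echo "OK: tomcat JVM runs as ${domain}"
    else
        echo "WARN: tomcat JVM runs as ${domain:-<not running>}, no dedicated domain"
    fi
    if tomcat_module_installed "$2"; then
        echo "OK: tomcat policy module is loaded"
    else
        echo "WARN: no tomcat module in semodule -l; write tomcat.te and run tomcat.sh"
    fi
    return 0
}

report "$PS_SAMPLE" ""                 # the Fedora 16 state shown in the thread
report "$PS_CONFINED" "tomcat 1.0.0"   # constructed: after the module is installed
```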