This is what I see in Fedora

[root@nmoidu ~]# service tomcat status
Redirecting to /bin/systemctl  status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
 Loaded: loaded (/lib/systemd/system/tomcat.service; disabled)
 Active: inactive (dead)
 CGroup: name=systemd:/system/tomcat.service
[root@nmoidu ~]# service tomcat start
Redirecting to /bin/systemctl  start tomcat.service
[root@nmoidu ~]# ps -efZ  | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ?       00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661  0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# ps -efZ  | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 13 17:00 ?       00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21809 21661  0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# cat /etc/redhat-release 
Fedora release 16 (Verne)
[root@nmoidu ~]# rpm -qa  |grep tomcat
tomcat-7.0.25-2.fc16.noarch
tomcat6-servlet-2.5-api-6.0.32-19.fc16.noarch
tomcat-jsp-2.2-api-7.0.25-2.fc16.noarch
tomcat6-jsp-2.1-api-6.0.32-19.fc16.noarch
tomcat-servlet-3.0-api-7.0.25-2.fc16.noarch
tomcat-lib-7.0.25-2.fc16.noarch
tomcat5-jasper-eclipse-5.5.31-3.fc15.noarch
tomcat-el-2.2-api-7.0.25-2.fc16.noarch
[root@nmoidu ~]# semodule -l | grep -i tomcat
[root@nmoidu ~]# 







On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@redhat.com> wrote:
On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
Hi

Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t ?

Are there any known issues with implementing java servers in a confined domain ?

If not tomcat, can somebody point me to any other java server (jetty/websphere etc) with a selinux implementation ?

--
Thanks and Regards,
What OS?

tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as unconfined domain, but you can start with writing policy using sepolgen tools.

$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh

You probably will need to add

java_domtrans(tomcat_t)

to the tomcat.te policy file. Let me look at it also.


Nabeel Moidu
Hyderabad, India



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux




--
Thanks and Regards,

Nabeel Moidu
Hyderabad, India