Hi
Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t?
Are there any known issues with implementing java servers in a confined domain?
If not tomcat, can somebody point me to any other java server (jetty/websphere etc) with a selinux implementation?
On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
Hi
Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t?
Are there any known issues with implementing java servers in a confined domain?
If not tomcat, can somebody point me to any other java server (jetty/websphere etc) with a selinux implementation?
-- Thanks and Regards,
What OS?
tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using sepolgen tools.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
to the tomcat.te policy file. Let me look at it also.
Nabeel Moidu Hyderabad, India
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
This is what I see in Fedora
[root@nmoidu ~]# service tomcat status
Redirecting to /bin/systemctl status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/lib/systemd/system/tomcat.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/tomcat.service
[root@nmoidu ~]# service tomcat start
Redirecting to /bin/systemctl start tomcat.service
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 13 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21809 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# cat /etc/redhat-release
Fedora release 16 (Verne)
[root@nmoidu ~]# rpm -qa |grep tomcat
tomcat-7.0.25-2.fc16.noarch
tomcat6-servlet-2.5-api-6.0.32-19.fc16.noarch
tomcat-jsp-2.2-api-7.0.25-2.fc16.noarch
tomcat6-jsp-2.1-api-6.0.32-19.fc16.noarch
tomcat-servlet-3.0-api-7.0.25-2.fc16.noarch
tomcat-lib-7.0.25-2.fc16.noarch
tomcat5-jasper-eclipse-5.5.31-3.fc15.noarch
tomcat-el-2.2-api-7.0.25-2.fc16.noarch
[root@nmoidu ~]# semodule -l | grep -i tomcat
[root@nmoidu ~]#
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl mgrepl@redhat.com wrote:
What OS?
tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using sepolgen tools.
I've been working on one that's similar to tomcat in some ways using Eclipse slide. It's been going on well so far. I'm just concerned if there's any possible issue that cannot be worked around for java based servers, because something as basic to the Fedora distribution as tomcat is still in unconfined domain.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
to the tomcat.te policy file. Let me look at it also.
Nabeel Moidu Hyderabad, India
On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl mgrepl@redhat.com wrote:
What OS? tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using sepolgen tools.
I've been working on one that's similar to tomcat in some ways using Eclipse slide. It's been going on well so far. I'm just concerned if there's any possible issue that cannot be worked around for java based servers, because something as basic to the Fedora distribution as tomcat is still in unconfined domain.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
Taking back this.
to the tomcat.te policy file. Let me look at it also.
I was able to end up with
# ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
-- Thanks and Regards,
Nabeel Moidu Hyderabad, India
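A sketch of what such a module looks like, as an added example that is not code from this thread or from the Fedora policy: a tomcat.te/tomcat.fc pair in the shape sepolgen generates, which has init start /usr/bin/tomcat in tomcat_t and keeps the JVM child inside tomcat_t instead of transitioning it into a java domain (the rule Miroslav took back), plus a small check that a `ps -eZ` line shows the domain you expect. Interface names follow the reference policy; the log and cache paths, the 8080 (http_cache_port_t) choice and the `java_exec` interface are assumptions.

```shell
# Added example (not from the thread): minimal confined tomcat module + check.
# tomcat.te: init execs /usr/bin/tomcat (tomcat_exec_t) -> tomcat_t; the
# wrapper then execs java, which stays in tomcat_t via java_exec (assumed
# interface name) rather than transitioning to a java domain.
tomcat_te() {
cat <<'EOF'
policy_module(tomcat, 1.0.0)
type tomcat_t;
type tomcat_exec_t;
init_daemon_domain(tomcat_t, tomcat_exec_t)
type tomcat_log_t;
logging_log_file(tomcat_log_t)
type tomcat_cache_t;
files_type(tomcat_cache_t)
# execmem: the JIT needs writable+executable memory
allow tomcat_t self:process { execmem signal };
allow tomcat_t self:tcp_socket create_stream_socket_perms;
corecmd_exec_shell(tomcat_t)
java_exec(tomcat_t)
manage_dirs_pattern(tomcat_t, tomcat_log_t, tomcat_log_t)
manage_files_pattern(tomcat_t, tomcat_log_t, tomcat_log_t)
manage_dirs_pattern(tomcat_t, tomcat_cache_t, tomcat_cache_t)
manage_files_pattern(tomcat_t, tomcat_cache_t, tomcat_cache_t)
corenet_tcp_bind_generic_node(tomcat_t)
corenet_tcp_bind_http_cache_port(tomcat_t)
auth_use_nsswitch(tomcat_t)
miscfiles_read_localization(tomcat_t)
EOF
}

# tomcat.fc: entrypoint plus the writable trees (paths are assumptions).
tomcat_fc() {
cat <<'EOF'
/usr/bin/tomcat         --  gen_context(system_u:object_r:tomcat_exec_t,s0)
/var/log/tomcat(/.*)?       gen_context(system_u:object_r:tomcat_log_t,s0)
/var/cache/tomcat(/.*)?     gen_context(system_u:object_r:tomcat_cache_t,s0)
EOF
}

# Domain (third field of user:role:type:level) from one `ps -eZ` line.
domain_of() { printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'; }

# Exit 0 when the ps line shows the expected domain, 1 otherwise
# (e.g. the process is still in unconfined_java_t).
check_confined() { [ "$(domain_of "$2")" = "$1" ]; }

# Build and load on a box with selinux-policy-devel (not run here):
#   tomcat_te > tomcat.te; tomcat_fc > tomcat.fc
#   make -f /usr/share/selinux/devel/Makefile tomcat.pp && semodule -i tomcat.pp
```

After `restorecon -v /usr/bin/tomcat` and a restart, `check_confined tomcat_t "$(ps -eZ | grep java)"` is the test that the transition actually happened.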
On Thu, Feb 9, 2012 at 5:16 PM, Miroslav Grepl mgrepl@redhat.com wrote:
On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl mgrepl@redhat.com wrote:
What OS?
tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using sepolgen tools.
I've been working on one that's similar to tomcat in some ways using Eclipse slide. It's been going on well so far. I'm just concerned if there's any possible issue that cannot be worked around for java based servers, because something as basic to the Fedora distribution as tomcat is still in unconfined domain.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
Taking back this.
to the tomcat.te policy file. Let me look at it also.
I was able to end up with
# ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
RHEL 6 or Fedora? Are the .te and .fc for this available anywhere?
Nabeel Moidu Hyderabad, India
-- Thanks and Regards,
Nabeel Moidu Hyderabad, India