[root@nmoidu ~]# service tomcat status
Redirecting to /bin/systemctl status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/lib/systemd/system/tomcat.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/tomcat.service
[root@nmoidu ~]# service tomcat start
Redirecting to /bin/systemctl start tomcat.service
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 13 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21809 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# cat /etc/redhat-release
Fedora release 16 (Verne)
[root@nmoidu ~]# rpm -qa |grep tomcat
tomcat-7.0.25-2.fc16.noarch
tomcat6-servlet-2.5-api-6.0.32-19.fc16.noarch
tomcat-jsp-2.2-api-7.0.25-2.fc16.noarch
tomcat6-jsp-2.1-api-6.0.32-19.fc16.noarch
tomcat-servlet-3.0-api-7.0.25-2.fc16.noarch
tomcat-lib-7.0.25-2.fc16.noarch
tomcat5-jasper-eclipse-5.5.31-3.fc15.noarch
tomcat-el-2.2-api-7.0.25-2.fc16.noarch
[root@nmoidu ~]# semodule -l | grep -i tomcat
[root@nmoidu ~]#
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
What OS?
On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
Hi
Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t?
Are there any known issues with implementing java servers in a confined domain?
If not tomcat, can somebody point me to any other java server (jetty/websphere etc) with a selinux implementation?
--
Thanks and Regards,
tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as unconfined domain, but you can start with writing policy using sepolgen tools.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
to the tomcat.te policy file. Let me look at it also.
Nabeel Moidu
Hyderabad, India
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks and Regards,
Nabeel Moidu
Hyderabad, India
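A check for the state the session above shows (tomcat running as unconfined_java_t), as an added example that is not part of the thread: a POSIX shell function that parses `ps -efZ` output and flags java processes whose SELinux type is one of the unconfined domains named in the thread. The sample lines are constructed; the tomcat_t line assumes a confined domain of that name, which the thread only proposes.

```shell
# Added example: flag java/tomcat processes in unconfined SELinux domains.
# Input is `ps -efZ` output; field 1 is the context user:role:type[:range],
# field 3 the PID.  Prints "<pid> <type> <verdict>" per matching process and
# returns 1 if any of them runs in a domain that is unconfined in the
# targeted policy (unconfined_java_t, unconfined_t, initrc_t), else 0.
check_java_domains() {
    awk '
        /\/bin\/java|org\.apache\.catalina\.startup\.Bootstrap/ && !/grep/ {
            split($1, ctx, ":")
            type = ctx[3]
            verdict = "confined"
            if (type == "unconfined_java_t" || type == "unconfined_t" || type == "initrc_t") {
                verdict = "UNCONFINED"
                bad = 1
            }
            print $3, type, verdict
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: line 1 mirrors the Fedora 16 process from the session
# above, line 2 assumes a confined tomcat_t domain (hypothetical here),
# line 3 is the grep that must be ignored.
SAMPLE_PS='system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -Dcatalina.base=/usr/share/tomcat org.apache.catalina.startup.Bootstrap start
system_u:system_r:tomcat_t:s0 tomcat 4242 1 5 17:05 ? 00:00:00 /usr/lib/jvm/jre/bin/java -Dcatalina.base=/usr/share/tomcat org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat'

# Offline demo on the sample; on a live box use:  ps -efZ | check_java_domains
printf '%s\n' "$SAMPLE_PS" | check_java_domains || echo "unconfined java process present"
```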