On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
Hi
Is there a tomcat implementation of selinux where
the process runs in its own domain rather than
unconfined_java_t ?
Are there any known issues with implementing java
servers in a confined domain ?
If not tomcat, can somebody point me to any other
java server (jetty/websphere etc) with a selinux
implementation ?
--
Thanks and Regards,
What OS?
tomcat should be running as initrc_t on RHEL6. We probably
need this also in Fedora. Basically this new domain would
end up as unconfined domain, but you can start with writing
policy using sepolgen tools.
I've been working on one that's similar to tomcat in some
ways using Eclipse slide. It's been going on well so far. I'm
just concerned if there's any possible issue that cannot be
worked around for java based servers, because something as
basic to the Fedora distribution as tomcat is still
in unconfined domain.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
Taking back this.
to the tomcat.te policy file. Let me look at it also.
I was able to end up with
# ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
--
Thanks and Regards,
Nabeel Moidu
Hyderabad, India
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
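
A check for the question this thread raises, as an added example that is not part of the original messages: it reads `ps -eZ` output and lists java processes still running in one of the broad domains the thread mentions (`unconfined_java_t`, `initrc_t`). The `BROAD_DOMAINS` list (including `unconfined_t`), the function names and the last two sample lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: list java processes whose SELinux domain is a broad one.
# Assumption: the set of "broad" domains below; adjust it to the local policy.
BROAD_DOMAINS="unconfined_t unconfined_java_t initrc_t"

# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin and prints one line
# per java process whose domain (the type field of its context) is listed in
# BROAD_DOMAINS. Prints nothing when every java process has another domain.
java_domain_report() {
    awk -v broad="$BROAD_DOMAINS" '
    BEGIN {
        n = split(broad, b, " ")
        for (i = 1; i <= n; i++) is_broad[b[i]] = 1
    }
    $NF == "java" {
        # A context is user:role:type:level. The level can contain colons
        # itself (s0-s0:c0.c1023), so only the third field is the domain.
        split($1, ctx, ":")
        dom = ctx[3]
        if (dom in is_broad)
            printf "pid=%s domain=%s\n", $2, dom
    }'
}

# Constructed sample input: the first three process lines are the ps output
# quoted in the thread, the last two are made up to show flagged processes.
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
system_u:system_r:initrc_t:s0 24500 ? 00:00:02 java
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 24600 pts/0 00:00:05 java
EOF
}

# Offline demonstration; on a live system use: ps -eZ | java_domain_report
sample_ps_output | java_domain_report
```
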