On Thu, Feb 9, 2012 at 5:16 PM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
Taking back this.
On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
What OS?
On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
Hi
Is there a Tomcat implementation of SELinux where the process runs in its own domain rather than unconfined_java_t?
Are there any known issues with implementing Java servers in a confined domain?
If not Tomcat, can somebody point me to any other Java server (jetty/websphere etc.) with an SELinux implementation?
--
Thanks and Regards,
tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using sepolgen tools.
I've been working on one that's similar to tomcat in some ways using Eclipse slide. It's been going on well so far. I'm just concerned if there's any possible issue that cannot be worked around for Java-based servers, because something as basic to the Fedora distribution as tomcat is still in an unconfined domain.
$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh
You probably will need to add
java_domtrans(tomcat_t)
to the tomcat.te policy file. Let me look at it also.
I was able to end up with
# ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
RHEL 6 or Fedora? Are the .te and .fc for this available anywhere?
Nabeel Moidu
Hyderabad, India
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
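Added example (not part of the thread, and not code from any poster): a shell check over `ps -eZ` output that reports which domain each java process ended up in and fails when a daemon java process is outside the expected type. The function names and the initrc_t sample line are constructed for illustration; the other three sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Types treated as "not confined" for a daemon. initrc_t and unconfined_java_t
# come from the thread; unconfined_t is added here as an assumption.
BAD_TYPES="initrc_t unconfined_t unconfined_java_t"

# audit_java_domains EXPECTED_TYPE
# Reads `ps -eZ` lines on stdin (LABEL PID TTY TIME CMD) and prints
# "<pid> <type> <verdict>" for every process whose command is java.
# Exit status: 0 if every system_r java process runs as EXPECTED_TYPE, else 1.
audit_java_domains() {
    awk -v expected="$1" -v bad="$BAD_TYPES" '
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) isbad[b[i]] = 1 }
        $NF == "java" {
            # Label is user:role:type:level; the level can contain more
            # colons (MCS categories), so only fields 2 and 3 are used.
            split($1, ctx, ":")
            role = ctx[2]; t = ctx[3]
            if (t == expected)           verdict = "confined"
            else if (t in isbad)         verdict = "UNCONFINED"
            else if (role != "system_r") verdict = "user-session"
            else                         verdict = "unexpected"
            print $2, t, verdict
            if (role == "system_r" && t != expected) fail = 1
        }
        END { exit fail + 0 }
    '
}

# Sample input: first three lines are from the thread, the last is constructed
# to show a daemon that never transitioned out of initrc_t.
sample_ps() {
    cat <<'EOF'
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
system_u:system_r:initrc_t:s0 24999 ? 00:00:02 java
EOF
}

# On a live system: ps -eZ | audit_java_domains tomcat_t
sample_ps | audit_java_domains tomcat_t ||
    echo "at least one daemon java process is outside tomcat_t"
```
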