<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
    <blockquote
cite="mid:CAKTAHSw6wpLgxMVWJ4hQOUws=KkRrvH59hkTO5Dv6o645Rh0ZA@mail.gmail.com"
      type="cite"><br>
      <br>
      <div class="gmail_quote">On Thu, Feb 9, 2012 at 4:57 PM, Miroslav
        Grepl <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:mgrepl@redhat.com">mgrepl@redhat.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div>
              <div class="h5"> On 02/09/2012 02:52 AM, Nabeel Moidu
                wrote:
                <blockquote type="cite">Hi
                  <div><br>
                  </div>
                  <div>Is there a tomcat implementation of selinux where
                    the process runs in its own domain rather than
                    unconfined_java_t ?</div>
                  <div><br>
                  </div>
                  <div>Are there any known issues with implementing java
                    servers in a confined domain ?</div>
                  <div><br>
                  </div>
                  <div>If not tomcat, can somebody point me to any other
                    java server (jetty/websphere etc) with a selinux
                    implementation ?<br clear="all">
                    <div><br>
                    </div>
                    -- <br>
                    <div dir="ltr">Thanks and Regards,</div>
                  </div>
                </blockquote>
              </div>
            </div>
            What OS? <br>
            <br>
            tomcat should be running as initrc_t on RHEL6. We probably
            need this also in Fedora. Basically this new domain would
            end up as unconfined domain, but you can start with writing
            policy using sepolgen tools.<br>
            <br>
          </div>
        </blockquote>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>I've been working on one that's similar to tomcat in some
          ways using Eclipse slide. It's been going on well so far. I'm
          just concerned if there's any possible issue that cannot be
          worked around for java based servers, because something as
          basic to the Fedora distribution as tomcat is still
          in unconfined domain. </div>
        <div> </div>
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <div bgcolor="#FFFFFF" text="#000000"> $ sepolgen -t 0
            /usr/bin/tomcat<br>
            $ sh tomcat.sh<br>
            <br>
            You probably will need to add<br>
            <br>
            java_domtrans(tomcat_t)<br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    Taking this back.
    <blockquote
cite="mid:CAKTAHSw6wpLgxMVWJ4hQOUws=KkRrvH59hkTO5Dv6o645Rh0ZA@mail.gmail.com"
      type="cite">
      <div class="gmail_quote">
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <div bgcolor="#FFFFFF" text="#000000"> <br>
            to the tomcat.te policy file. Let me look at it also.<br>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
    I was able to end up with<br>
    <br>
    <pre># ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ?        00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ?        00:00:23 java
system_u:system_r:tomcat_t:s0   24372 ?        00:00:01 java</pre>
    <br>
    <br>
    <blockquote
cite="mid:CAKTAHSw6wpLgxMVWJ4hQOUws=KkRrvH59hkTO5Dv6o645Rh0ZA@mail.gmail.com"
      type="cite">
      <div class="gmail_quote">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <blockquote type="cite">
              <div>
                <div dir="ltr"> <br>
                  Nabeel Moidu<br>
                  Hyderabad, India</div>
                <br>
              </div>
              <br>
              <fieldset></fieldset>
              <br>
              <pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <div><br>
      </div>
      -- <br>
      <div dir="ltr">Thanks and Regards,</div>
      <div dir="ltr"><br>
        Nabeel Moidu<br>
        Hyderabad, India</div>
      <br>
      <br>
    </blockquote>
    <br>
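    The <code>ps -eZ</code> check above is the step that tells you whether the domain transition into tomcat_t actually happened. The following is an added example, not code from the thread or from the SELinux project: it parses <code>ps -eZ</code> output in the layout shown above (context, PID, TTY, TIME, CMD) and lists Java processes that are still in unconfined_java_t or initrc_t instead of a dedicated domain. The domain names are the ones mentioned in the thread; the sample output is constructed (the first three lines copy the thread, the fourth is invented to show a failed transition) and the function names are my own.<br>
    <br>
```python
"""Check which SELinux domain Java processes run in, from `ps -eZ` output.

Added example, not part of the mailing-list thread. Parses the `ps -eZ`
layout shown in the thread (LABEL PID TTY TIME CMD) and reports Java
processes that did not end up in a dedicated domain such as tomcat_t.
"""
import re
from dataclasses import dataclass

# Domains named in the thread that mean "the policy did not confine the JVM":
# unconfined_java_t (plain java) and initrc_t (a daemon started by init
# without its own domain, the RHEL6 situation described in the thread).
UNCONFINED_DOMAINS = frozenset({"unconfined_java_t", "unconfined_t", "initrc_t"})

# Commands that are a JVM in `ps` output (comm column); extend as needed.
JAVA_CMDS = frozenset({"java"})

# Constructed sample: lines 1-3 are the thread's own output, line 4 is a
# made-up process that is still unconfined (with an MLS range in the level).
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
staff_u:staff_r:staff_java_t:s0 23169 ?        00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ?        00:00:23 java
system_u:system_r:tomcat_t:s0   24372 ?        00:00:01 java
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 25001 ? 00:00:05 java
"""


@dataclass(frozen=True)
class Proc:
    user: str    # SELinux user, e.g. system_u
    role: str    # SELinux role, e.g. system_r
    domain: str  # SELinux type of the process, e.g. tomcat_t
    level: str   # MLS/MCS level, e.g. s0 or s0-s0:c0.c1023
    pid: int
    cmd: str


# context, pid, tty, time, command (command may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_ps_ez(text):
    """Turn `ps -eZ` output into Proc records; skips the header and any
    process without a full user:role:type:level context."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("LABEL"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, pid, _tty, _time, cmd = m.groups()
        # The level may itself contain ':' (MLS range), so split at most 3 times.
        parts = ctx.split(":", 3)
        if len(parts) != 4:
            continue  # e.g. '-' when SELinux is disabled
        user, role, domain, level = parts
        procs.append(Proc(user, role, domain, level, int(pid), cmd))
    return procs


def find_unconfined_java(procs):
    """Java processes whose domain is one of the unconfined/fallback types."""
    return [p for p in procs
            if p.cmd in JAVA_CMDS and p.domain in UNCONFINED_DOMAINS]


def domains_by_cmd(procs):
    """Map each command name to the set of domains it was seen running in."""
    out = {}
    for p in procs:
        out.setdefault(p.cmd, set()).add(p.domain)
    return out


if __name__ == "__main__":
    procs = parse_ps_ez(SAMPLE_PS_EZ)
    for cmd, domains in sorted(domains_by_cmd(procs).items()):
        print(f"{cmd}: {', '.join(sorted(domains))}")
    for p in find_unconfined_java(procs):
        print(f"WARNING: pid {p.pid} ({p.cmd}) still runs as {p.domain}")
```
    <br>
    On a live host, feed it <code>subprocess.check_output(["ps", "-eZ"], text=True)</code> instead of the constructed sample; a tomcat that was labelled but never transitioned will show up in the warning list rather than under tomcat_t.<br>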
  </body>
</html>