Tomcat selinux

Nabeel Moidu nabeelmoidu at gmail.com
Thu Feb 9 11:34:40 UTC 2012


This is what I see in Fedora

[root at nmoidu ~]# service tomcat status
Redirecting to /bin/systemctl  status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
  Loaded: loaded (/lib/systemd/system/tomcat.service; disabled)
  Active: inactive (dead)
  CGroup: name=systemd:/system/tomcat.service
[root at nmoidu ~]# service tomcat start
Redirecting to /bin/systemctl  start tomcat.service
[root at nmoidu ~]# ps -efZ  | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ?
00:00:01 /usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
-Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661  0
17:00 pts/0 00:00:00 grep --color=auto tomcat
[root at nmoidu ~]# ps -efZ  | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 13 17:00 ?
00:00:01 /usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
-Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21809 21661  0
17:00 pts/0 00:00:00 grep --color=auto tomcat
[root at nmoidu ~]# cat /etc/redhat-release
Fedora release 16 (Verne)
[root at nmoidu ~]# rpm -qa  |grep tomcat
tomcat-7.0.25-2.fc16.noarch
tomcat6-servlet-2.5-api-6.0.32-19.fc16.noarch
tomcat-jsp-2.2-api-7.0.25-2.fc16.noarch
tomcat6-jsp-2.1-api-6.0.32-19.fc16.noarch
tomcat-servlet-3.0-api-7.0.25-2.fc16.noarch
tomcat-lib-7.0.25-2.fc16.noarch
tomcat5-jasper-eclipse-5.5.31-3.fc15.noarch
tomcat-el-2.2-api-7.0.25-2.fc16.noarch
[root at nmoidu ~]# semodule -l | grep -i tomcat
[root at nmoidu ~]#

On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:

>  On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
>
> Hi
>
>  Is there a tomcat implementation of selinux where the process runs in
> its own domain rather than unconfined_java_t ?
>
>  Are there any known issues with implementing java servers in a confined
> domain ?
>
>  If not tomcat, can somebody point me to any other java server
> (jetty/websphere etc) with a selinux implementation ?
>
>  --
> Thanks and Regards,
>
> What OS?
>
> tomcat should be running as initrc_t on RHEL6. We probably need this also
> in Fedora. Basically this new domain would end up as unconfined domain, but
> you can start with writing policy using sepolgen tools.
>
> $ sepolgen -t 0 /usr/bin/tomcat
> $ sh tomcat.sh
>
> You probably will need to add
>
> java_domtrans(tomcat_t)
>
> to the tomcat.te policy file. Let me look at it also.
>
>
> Nabeel Moidu
> Hyderabad, India
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>


-- 
Thanks and Regards,

Nabeel Moidu
Hyderabad, India
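The `ps -efZ` listing above shows the point of the whole thread: the tomcat daemon was started by systemd as `system_u:system_r:unconfined_java_t`, so SELinux is not confining it at all, while `semodule -l` shows no tomcat policy module is loaded. The following script is an added example (not code from the thread or from the Fedora/SELinux projects) that turns that manual inspection into a repeatable check: it reads `ps -efZ` output and reports every system daemon (SELinux user `system_u`) whose type begins with `unconfined_`, ignoring the admin's own interactive shell, which is expected to be `unconfined_t` under the targeted policy. It assumes the standard `ps -efZ` column order (LABEL UID PID PPID C STIME TTY TIME CMD) and uses a constructed sample of that output so it runs offline; `SAMPLE_PS`, `unconfined_services` and `domain_of` are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit `ps -efZ` output for system services running in an
# unconfined SELinux domain (e.g. tomcat in unconfined_java_t, as seen in
# the thread). Not part of the mailing-list post.

# Constructed sample of `ps -efZ` output (the PIDs and commands are made up
# for this example). Columns: LABEL UID PID PPID C STIME TTY TIME CMD
SAMPLE_PS='LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
system_u:system_r:httpd_t:s0 apache 1200 1 0 17:00 ? 00:00:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 root 1 0 0 16:59 ? 00:00:02 /sbin/init
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat'

# unconfined_services: read `ps -efZ` lines on stdin and print
# "<pid> <user> <type> <cmd>" for each process whose SELinux user is
# system_u (a daemon started by init/systemd) and whose type starts with
# "unconfined_". Interactive logins labelled unconfined_u:...:unconfined_t
# are the normal state of an admin shell under targeted policy and are
# deliberately skipped; the header line has no colons and is skipped too.
unconfined_services() {
    awk '
        $1 ~ /^[^:]+:[^:]+:[^:]+/ {
            split($1, ctx, ":")          # seuser:role:type[:level]
            if (ctx[1] == "system_u" && ctx[3] ~ /^unconfined_/)
                print $3, $2, ctx[3], $9
        }'
}

# domain_of: print the SELinux type of the process with the given PID, or
# nothing if that PID is not present in the input. Useful after loading a
# new tomcat module to confirm the daemon really transitioned to tomcat_t.
domain_of() {
    awk -v pid="$1" '$3 == pid { split($1, ctx, ":"); print ctx[3] }'
}

# On a live host:  ps -efZ | unconfined_services
# Demonstration on the constructed sample (prints the tomcat line only):
printf '%s\n' "$SAMPLE_PS" | unconfined_services
```

On a live Fedora host the same pipeline is `ps -efZ | unconfined_services`; an empty result after loading the module generated with `sepolgen` (plus the `java_domtrans(tomcat_t)` rule Miroslav mentions) and restarting the service, together with `ps -efZ | domain_of <tomcat pid>` printing `tomcat_t`, is the evidence that the daemon is now confined rather than merely relabelled.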