Tomcat selinux

Miroslav Grepl mgrepl at redhat.com
Thu Feb 9 11:46:01 UTC 2012 

On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
>
>
> On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl at redhat.com 
> <mailto:mgrepl at redhat.com>> wrote:
>
>     On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
>>     Hi
>>
>>     Is there a tomcat implementation of selinux where the process
>>     runs in its own domain rather than unconfined_java_t ?
>>
>>     Are there any known issues with implementing java servers in a
>>     confined domain ?
>>
>>     If not tomcat, can somebody point me to any other java server
>>     (jetty/websphere etc) with a selinux implementation ?
>>
>>     -- 
>>     Thanks and Regards,
>     What OS?
>
>     tomcat should be running as initrc_t on RHEL6. We probably need
>     this also in Fedora. Basically this new domain would end up as
>     unconfined domain, but you can start with writing policy using
>     sepolgen tools.
>
>
>
> I've been working on one that's similar to tomcat in some ways using 
> Eclipse slide. It's been going on well so far. I'm just concerned if 
> there's any possible issue that cannot be worked around for java based 
> servers, because something as basic to the Fedora distribution as 
> tomcat is still in unconfined domain.
>
>     $ sepolgen -t 0 /usr/bin/tomcat
>     $ sh tomcat.sh
>
>     You probably will need to add
>
>     java_domtrans(tomcat_t)
>
Taking back this.
>
>
>     to the tomcat.te policy file. Let me look at it also.
>

I was able to end up with

# ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ?        00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ?        00:00:23 java
system_u:system_r:tomcat_t:s0   24372 ?        00:00:01 java


>>
>>     Nabeel Moidu
>>     Hyderabad, India
>>
>>
>>
>>     --
>>     selinux mailing list
>>     selinux at lists.fedoraproject.org  <mailto:selinux at lists.fedoraproject.org>
>>     https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> -- 
> Thanks and Regards,
>
> Nabeel Moidu
> Hyderabad, India
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20120209/1233e81a/attachment.html>

More information about the selinux mailing list