Old 12-31-2007, 02:44 PM
Christoph Höger
 
Default Feature request: Tomcat5-Policy

Hi,

here is a sample policy for Tomcat5. Could we integrate this (or a
reviewed and much better version) into fedora?

regards

christoph

# File contexts (tomcat5.fc)
/usr/bin/tomcat5 -- gen_context(system_u:object_r:tomcat5_exec_t,s0)
/usr/bin/dtomcat5 -- gen_context(system_u:object_r:tomcat5_exec_t,s0)
/var/log/tomcat5 -d gen_context(system_u:object_r:tomcat5_log_t,s0)
/var/log/tomcat5/.* -- gen_context(system_u:object_r:tomcat5_log_t,s0)

# Type enforcement (tomcat5.te)
policy_module(tomcat5,0.3)

########################################
#
# Declarations
#

type tomcat5_t;
type tomcat5_exec_t;
type tomcat5_java_t;

domain_type(tomcat5_t)
domain_type(tomcat5_java_t)

domain_entry_file(tomcat5_t, tomcat5_exec_t)

gen_require(` type java_exec_t; ')

domain_entry_file(tomcat5_java_t, java_exec_t)

type tomcat5_log_t;
logging_log_file(tomcat5_log_t)

type tomcat5_tmp_t;
files_tmp_file(tomcat5_tmp_t)

role system_r types tomcat5_java_t;

########################################
#
# local policy
#

init_daemon_domain(tomcat5_t, tomcat5_exec_t)

allow tomcat5_t tomcat5_log_t:file ra_file_perms;
manage_files_pattern(tomcat5_t, tomcat5_log_t, tomcat5_log_t)

allow tomcat5_t tomcat5_tmp_t:file manage_file_perms;
files_tmp_filetrans(tomcat5_t,tomcat5_tmp_t,file)

# necessary for startup
files_search_etc(tomcat5_t)
files_search_usr(tomcat5_t)
libs_search_lib(tomcat5_t)
libs_use_shared_libs(tomcat5_t)
miscfiles_read_localization(tomcat5_t)
libs_use_ld_so(tomcat5_t)
kernel_read_system_state(tomcat5_t)
corecmd_search_bin(tomcat5_t)
corecmd_getattr_bin_files(tomcat5_t)
corecmd_exec_bin(tomcat5_t)
init_write_utmp(tomcat5_t)
files_read_usr_files(tomcat5_t)
corecmd_exec_shell(tomcat5_t)
rw_fifo_files_pattern(tomcat5_t, tomcat5_t, tomcat5_t)
files_read_etc_files(tomcat5_t)
logging_search_logs(tomcat5_t)

# run java as tomcat5_java_t
#java_spec_domtrans(tomcat5_t, tomcat5_java_t)
domain_auto_trans(tomcat5_t, java_exec_t, tomcat5_java_t)

# privileges for tomcat java applications
allow tomcat5_t tomcat5_java_t:process { rlimitinh siginh noatsecure };
allow tomcat5_java_t tomcat5_t:process { sigchld getsched sigkill execheap execmem execstack rlimitinh siginh noatsecure };
allow tomcat5_java_t tomcat5_java_t:process { signull sigchld getsched sigkill execheap execmem execstack rlimitinh siginh noatsecure };
manage_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
create_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
libs_search_lib(tomcat5_java_t)
libs_use_shared_libs(tomcat5_java_t)
libs_read_lib_files(tomcat5_java_t)
files_search_usr(tomcat5_java_t)
files_read_usr_files(tomcat5_java_t)
files_read_usr_symlinks(tomcat5_java_t)
files_search_etc(tomcat5_java_t)
files_manage_etc_files(tomcat5_java_t)
files_search_var_lib(tomcat5_java_t)
files_read_var_lib_files(tomcat5_java_t)
files_read_var_lib_symlinks(tomcat5_java_t)
files_manage_var_files(tomcat5_java_t)

logging_search_logs(tomcat5_java_t)
rw_fifo_files_pattern(tomcat5_java_t,tomcat5_t,tomcat5_t)
libs_use_ld_so(tomcat5_java_t)
write_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
unconfined_dontaudit_use_terminals(tomcat5_java_t)
corecmd_search_bin(tomcat5_java_t)
corecmd_getattr_bin_files(tomcat5_java_t)
corecmd_read_bin_files(tomcat5_java_t)
kernel_read_system_state(tomcat5_java_t)
dev_read_sysfs(tomcat5_java_t)
files_manage_generic_tmp_files(tomcat5_java_t)
files_manage_generic_tmp_dirs(tomcat5_java_t)
files_read_var_lib_files(tomcat5_java_t)
miscfiles_read_localization(tomcat5_java_t)
nscd_read_pid(tomcat5_java_t)
dev_read_urand(tomcat5_java_t)
dev_read_rand(tomcat5_java_t)
kernel_search_network_state(tomcat5_java_t)
kernel_read_network_state(tomcat5_java_t)

allow tomcat5_java_t java_exec_t:file execute_no_trans;
allow tomcat5_java_t tomcat5_java_t:process { signal getsched execstack execmem };
allow tomcat5_java_t tomcat5_java_t:tcp_socket { create ioctl bind setopt listen accept read write getattr setattr connect shutdown };
allow tomcat5_java_t tomcat5_java_t:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
corenet_tcp_bind_all_ports(tomcat5_java_t)
corenet_tcp_connect_all_ports(tomcat5_java_t)
corenet_tcp_sendrecv_all_ports(tomcat5_java_t)
corenet_tcp_bind_mapped_ipv4_node(tomcat5_java_t)
corenet_tcp_sendrecv_mapped_ipv4_node(tomcat5_java_t)
corenet_tcp_sendrecv_unspec_node(tomcat5_java_t)
corenet_tcp_bind_unspec_node(tomcat5_java_t)
sysnet_read_config(tomcat5_java_t)
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
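A reviewer of a module like the one above wants two quick checks before building it: that every `allow` rule parses and names declared types (the forum rendering mangled `tomcat5_java_t:process` into `tomcat5_java_trocess`, which checkmodule would reject), and which rules grant the memory-execution permissions (`execmem`, `execstack`, `execheap`) that the Java domain asks for. The following linter is an added example, not code from the post or from Fedora's policy tooling; the embedded policy is a constructed excerpt of the posted `tomcat5.te`, with one line kept in its mangled form and `tomcat5_tmp_t` deliberately left undeclared to exercise both checks.

```python
import re

# Constructed excerpt of the posted tomcat5.te. One line keeps the forum
# mangling (":p" swallowed) and tomcat5_tmp_t is intentionally not declared.
POLICY = """
type tomcat5_t;
type tomcat5_exec_t;
type tomcat5_java_t;
gen_require(` type java_exec_t; ')
type tomcat5_log_t;
allow tomcat5_t tomcat5_log_t:file ra_file_perms;
allow tomcat5_t tomcat5_tmp_t:file manage_file_perms;
allow tomcat5_t tomcat5_java_t:process { rlimitinh siginh noatsecure };
allow tomcat5_java_t tomcat5_t:process { sigchld getsched sigkill execheap execmem execstack };
allow tomcat5_java_t tomcat5_java_trocess { signal getsched };
allow tomcat5_java_t java_exec_t:file execute_no_trans;
allow tomcat5_java_t tomcat5_java_t:tcp_socket { create bind listen accept };
"""

RISKY = {"execmem", "execstack", "execheap"}
# allow <src> <tgt>:<class> { p1 p2 ... };   or   allow <src> <tgt>:<class> perm;
ALLOW = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")
# `type X;` declarations, inside gen_require(...) as well as at top level
TYPE_DECL = re.compile(r"\btype\s+(\w+)\s*;")

def parse_allow(line):
    """Return (src, tgt, class, {perms}) or None if the rule is malformed."""
    m = ALLOW.match(line.strip())
    if not m:
        return None
    src, tgt, cls, perm_set, single = m.groups()
    perms = set(perm_set.split()) if perm_set is not None else {single}
    return src, tgt, cls, perms

def lint(policy):
    """Collect (kind, detail) findings for malformed rules, undeclared types,
    and process rules that grant exec-memory permissions."""
    declared = set(TYPE_DECL.findall(policy))
    findings = []
    for line in policy.splitlines():
        if not line.strip().startswith("allow"):
            continue
        rule = parse_allow(line)
        if rule is None:
            findings.append(("malformed", line.strip()))
            continue
        src, tgt, cls, perms = rule
        findings += [("undeclared", t) for t in (src, tgt) if t not in declared]
        if cls == "process" and perms & RISKY:
            findings.append(("exec-memory", f"{src} -> {tgt}: {sorted(perms & RISKY)}"))
    return findings

if __name__ == "__main__":
    for kind, detail in lint(POLICY):
        print(f"{kind:12} {detail}")
```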
 
Old 01-16-2008, 06:53 PM
Christoph Höger
 
Default Feature request: Tomcat5-Policy

Has no one a comment?

I'd never have thought that Tomcat was _that_ secure.

On Monday, 31.12.2007, 16:44 +0100, Christoph Höger wrote:
> Hi,
>
> here is a sample policy for Tomcat5. Could we integrate this (or a
> reviewed and much better version) into fedora?
>
> regards
>
> christoph
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
