02-09-2012, 12:52 AM
Nabeel Moidu

Tomcat selinux

Hi
Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t?
Are there any known issues with implementing java servers in a confined domain?

If not tomcat, can somebody point me to any other java server (jetty/websphere etc.) with a selinux implementation?
--
Thanks and Regards,

Nabeel Moidu
Hyderabad, India


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-09-2012, 10:27 AM
Miroslav Grepl

Tomcat selinux

On 02/09/2012 02:52 AM, Nabeel Moidu wrote:
> Hi
> Is there a tomcat implementation of selinux where the process runs in its own domain rather than unconfined_java_t?
> Are there any known issues with implementing java servers in a confined domain?
> If not tomcat, can somebody point me to any other java server (jetty/websphere etc.) with a selinux implementation?

What OS?

tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as an unconfined domain, but you can start with writing policy using the sepolgen tools.

$ sepolgen -t 0 /usr/bin/tomcat
$ sh tomcat.sh

You probably will need to add

java_domtrans(tomcat_t)

to the tomcat.te policy file. Let me look at it also.
 
02-09-2012, 10:34 AM
Nabeel Moidu

Tomcat selinux

This is what I see in Fedora:

[root@nmoidu ~]# service tomcat status
Redirecting to /bin/systemctl  status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
	  Loaded: loaded (/lib/systemd/system/tomcat.service; disabled)
	  Active: inactive (dead)
	  CGroup: name=systemd:/system/tomcat.service
[root@nmoidu ~]# service tomcat start
Redirecting to /bin/systemctl  start tomcat.service
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# ps -efZ | grep tomcat
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 13 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21809 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
[root@nmoidu ~]# cat /etc/redhat-release
Fedora release 16 (Verne)
[root@nmoidu ~]# rpm -qa |grep tomcat
tomcat-7.0.25-2.fc16.noarch
tomcat6-servlet-2.5-api-6.0.32-19.fc16.noarch
tomcat-jsp-2.2-api-7.0.25-2.fc16.noarch
tomcat6-jsp-2.1-api-6.0.32-19.fc16.noarch
tomcat-servlet-3.0-api-7.0.25-2.fc16.noarch
tomcat-lib-7.0.25-2.fc16.noarch
tomcat5-jasper-eclipse-5.5.31-3.fc15.noarch
tomcat-el-2.2-api-7.0.25-2.fc16.noarch
[root@nmoidu ~]# semodule -l | grep -i tomcat
[root@nmoidu ~]#

On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@redhat.com> wrote:
> What OS?
>
> tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as unconfined domain, but you can start with writing policy using sepolgen tools.
>
> $ sepolgen -t 0 /usr/bin/tomcat
> $ sh tomcat.sh
>
> You probably will need to add
>
> java_domtrans(tomcat_t)
>
> to the tomcat.te policy file. Let me look at it also.

--
Thanks and Regards,
Nabeel Moidu
Hyderabad, India
 
02-09-2012, 10:39 AM
Nabeel Moidu

Tomcat selinux

On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@redhat.com> wrote:
> What OS?
>
> tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as unconfined domain, but you can start with writing policy using sepolgen tools.

I've been working on one that's similar to tomcat in some ways using Eclipse slide. It's been going on well so far. I'm just concerned if there's any possible issue that cannot be worked around for java based servers, because something as basic to the Fedora distribution as tomcat is still in unconfined domain.

> $ sepolgen -t 0 /usr/bin/tomcat
> $ sh tomcat.sh
>
> You probably will need to add
>
> java_domtrans(tomcat_t)
>
> to the tomcat.te policy file. Let me look at it also.

--
Thanks and Regards,
Nabeel Moidu
Hyderabad, India
 
02-09-2012, 10:46 AM
Miroslav Grepl

Tomcat selinux

On 02/09/2012 12:39 PM, Nabeel Moidu wrote:
> On Thu, Feb 9, 2012 at 4:57 PM, Miroslav Grepl <mgrepl@redhat.com> wrote:
>> What OS?
>>
>> tomcat should be running as initrc_t on RHEL6. We probably need this also in Fedora. Basically this new domain would end up as unconfined domain, but you can start with writing policy using sepolgen tools.
>
> I've been working on one that's similar to tomcat in some ways using Eclipse slide. It's been going on well so far. I'm just concerned if there's any possible issue that cannot be worked around for java based servers, because something as basic to the Fedora distribution as tomcat is still in unconfined domain.
>
>> $ sepolgen -t 0 /usr/bin/tomcat
>> $ sh tomcat.sh
>>
>> You probably will need to add
>>
>> java_domtrans(tomcat_t)

Taking back this.

>> to the tomcat.te policy file. Let me look at it also.

I was able to end up with

# ps -eZ |grep java
staff_u:staff_r:staff_java_t:s0 23169 ?        00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ?        00:00:23 java
system_u:system_r:tomcat_t:s0   24372 ?        00:00:01 java
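An added check, not code from the thread or from the Fedora policy: a Python script that parses ps -efZ and ps -eZ output like the listings posted above and flags Java processes sitting in a domain that gives no real confinement (unconfined_java_t in Nabeel's Fedora 16 output, as opposed to tomcat_t in Miroslav's). The sample lines are constructed from the thread's output with Tomcat's command line shortened, and the set of domains treated as unconfined is an assumption.

```python
# Assumption (not from the thread): domains that give a process no real
# confinement. unconfined_java_t and initrc_t are the ones the thread names.
UNCONFINED_DOMAINS = {"unconfined_t", "unconfined_java_t", "initrc_t",
                      "unconfined_service_t"}

# Constructed sample lines modelled on the outputs posted in the thread
# (Tomcat's command line shortened).
SAMPLE_PS_EFZ = """\
LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:unconfined_java_t:s0 tomcat 21783 1 18 17:00 ? 00:00:01 /usr/lib/jvm/jre/bin/java -Dcatalina.base=/usr/share/tomcat org.apache.catalina.startup.Bootstrap start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21806 21661 0 17:00 pts/0 00:00:00 grep --color=auto tomcat
"""
SAMPLE_PS_EZ = """\
LABEL PID TTY TIME CMD
staff_u:staff_r:staff_java_t:s0 23169 ? 00:00:00 eclipse
staff_u:staff_r:staff_java_t:s0 23184 ? 00:00:23 java
system_u:system_r:tomcat_t:s0 24372 ? 00:00:01 java
"""

def parse_ps_z(output):
    """Return [{'domain', 'pid', 'cmd'}, ...] for each process row of ps -eZ/-efZ output."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        # Skip blanks and the header row: a real label is user:role:type:level.
        if len(fields) < 5 or fields[0].count(":") < 3:
            continue
        # The MLS level can contain ':' itself (s0-s0:c0.c1023), so split at most 3 times.
        _user, _role, domain, _level = fields[0].split(":", 3)
        if fields[2].isdigit():   # ps -efZ: LABEL UID PID PPID C STIME TTY TIME CMD
            pid, cmd = int(fields[2]), " ".join(fields[8:])
        else:                     # ps -eZ:  LABEL PID TTY TIME CMD
            pid, cmd = int(fields[1]), " ".join(fields[4:])
        records.append({"domain": domain, "pid": pid, "cmd": cmd})
    return records

def is_java(cmd):
    """True when the executable is a JVM: bare 'java' or any .../bin/java path."""
    exe = cmd.split(" ", 1)[0]
    return exe == "java" or exe.endswith("/java")

def unconfined_java(records):
    """(pid, domain) of every Java process whose domain is in UNCONFINED_DOMAINS."""
    return [(r["pid"], r["domain"]) for r in records
            if is_java(r["cmd"]) and r["domain"] in UNCONFINED_DOMAINS]

if __name__ == "__main__":
    for name, sample in (("ps -efZ", SAMPLE_PS_EFZ), ("ps -eZ", SAMPLE_PS_EZ)):
        print(name, "->", unconfined_java(parse_ps_z(sample)) or "all Java confined")
```

Feed it real output with parse_ps_z(subprocess.check_output(["ps", "-efZ"], text=True)); the grep line from a piped listing is ignored because its executable is not a JVM.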
 
02-09-2012, 11:19 AM
Nabeel Moidu

Tomcat selinux

On Thu, Feb 9, 2012 at 5:16 PM, Miroslav Grepl <mgrepl@redhat.com> wrote:
>> java_domtrans(tomcat_t)
>
> Taking back this.
>
> I was able to end up with
>
> # ps -eZ |grep java
> staff_u:staff_r:staff_java_t:s0 23169 ?        00:00:00 eclipse
> staff_u:staff_r:staff_java_t:s0 23184 ?        00:00:23 java
> system_u:system_r:tomcat_t:s0   24372 ?        00:00:01 java

RHEL 6 or Fedora? Is the .te and .fc for this available anywhere?

--
Thanks and Regards,
Nabeel Moidu
Hyderabad, India
 
