From: Nick Gray <nick-lists@austin.rr.com>
To: SELinux ML <selinux@tycho.nsa.gov>
Subject: Tomcat policy
Date: Thu, 16 Dec 2004 13:08:47 -0600 [thread overview]
Message-ID: <1103224127.32688.49.camel@hawaii.grays-systems.com> (raw)
I have written a policy for Tomcat that works. And surprise it actually
works (on my development system) If anyone is interested, I can post it
up to the list after giving myself a chance to smooth it out a bit.
I have a few questions. regarding policies in general and how they
applied to my case in point.
#1
The installation of tree for tomcat looks something like
/usr/local/tomcat/5.0.28
/usr/local/tomcat/5.0.28/conf
/usr/local/tomcat/5.0.28/logs
/usr/local/tomcat/5.0.28/...
I also defined
daemon_domain(tomcat)
type tomcat_config_t, file_type, sysadmfile;
type tomcat_log_t, file_type, sysadmfile;
If I am correct in my assumption that the "daemon_domain(tomcat)"
defines the tomcat_t type, I thought I could do the following in
the tomcat.fc
/usr/local/tomcat/5.0.28/logs(/.*)? system_u:object_r:tomcat_log_t
/usr/local/tomcat/5.0.28/conf(/.*)? system_u:object_r:tomcat_config_t
# This does not work ??
#/usr/local/tomcat/5.0.28(/.*)? system_u:object_r:tomcat_t
The logs and conf work like I thought, but when the system trys to label
the others it gets permission denied. I don't believe it is a permision
problem since I accidentally tried this and it worked
/usr/local/tomcat/5.0.28(/.*)? system_u:object_r:tomcat_log_t
So why can't I use tomcat_t to label directories?
#2
I think I understand how to protect the daemon from the system, how do I
protect the system from the daemon.
The example I can come up with is a jsp page that opens
the /etc/passwd/file and prints it. I want to keep the tomcat process
encapsulated in it own space
It seems I would want a restricted user "tomcat"! Since daemon does a
check that it is being started by the unix user "tomcat", a natural
extension of this would be to ensure that the user process has no access
to the system other than what I have determined,
Thanks
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc
Office: 512-331-7998
Cell: 512-630-7009
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2004-12-16 19:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-16 19:08 Nick Gray [this message]
2004-12-16 20:46 ` Tomcat policy Stephen Smalley
2004-12-17 14:56 ` Nick Gray
2004-12-17 15:09 ` Stephen Smalley
2004-12-17 16:36 ` Nick Gray
2004-12-16 21:39 ` Colin Walters
2004-12-16 21:47 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1103224127.32688.49.camel@hawaii.grays-systems.com \
--to=nick-lists@austin.rr.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.