On Thu, 2004-12-16 at 13:08 -0600, Nick Gray wrote:
> #/usr/local/tomcat/5.0.28(/.*)? system_u:object_r:tomcat_t

You want tomcat_exec_t.

> I think I understand how to protect the daemon from the system, how do I
> protect the system from the daemon?
>
> The example I can come up with is a jsp page that opens
> the /etc/passwd file and prints it. I want to keep the tomcat process
> encapsulated in its own space

Simply don't allow tomcat_t access to passwd_t.