
List:       fedora-selinux-list
Subject:    need module advice
From:       Christoph Höger <choeger@cs.tu-berlin.de>
Date:       2007-12-27 18:57:33
Message-ID: 1198781853.4234.4.camel@choeger4

Hi,

I am writing a selinux module for tomcat5.

This is what I currently got:

type tomcat5_log_t;
logging_log_file(tomcat5_log_t)

type tomcat5_tmp_t;
files_tmp_file(tomcat5_tmp_t)

role system_r types tomcat5_java_t;
########################################
#
# local policy
#

init_daemon_domain(tomcat5_t, tomcat5_exec_t)

allow tomcat5_t tomcat5_log_t:file ra_file_perms;
manage_files_pattern(tomcat5_t, tomcat5_log_t, tomcat5_log_t)

allow tomcat5_t tomcat5_tmp_t:file manage_file_perms;
files_tmp_filetrans(tomcat5_t,tomcat5_tmp_t,file)

# necessary for startup
files_search_etc(tomcat5_t)
files_search_usr(tomcat5_t)
libs_search_lib(tomcat5_t)
libs_use_shared_libs(tomcat5_t)
miscfiles_read_localization(tomcat5_t)
libs_use_ld_so(tomcat5_t)
kernel_read_system_state(tomcat5_t)
corecmd_search_bin(tomcat5_t)
corecmd_getattr_bin_files(tomcat5_t)
corecmd_exec_bin(tomcat5_t)
init_write_utmp(tomcat5_t)
files_read_usr_files(tomcat5_t)
corecmd_exec_shell(tomcat5_t)
rw_fifo_files_pattern(tomcat5_t, tomcat5_t, tomcat5_t)
files_read_etc_files(tomcat5_t)
logging_search_logs(tomcat5_t)

# run java as tomcat5_java_t
#java_spec_domtrans(tomcat5_t, tomcat5_java_t)
domain_auto_trans(tomcat5_t, java_exec_t, tomcat5_java_t)

# privileges for tomcat java applications
allow tomcat5_t tomcat5_java_t:process { rlimitinh siginh noatsecure };
allow tomcat5_java_t tomcat5_t:process { sigchld getsched sigkill execheap execmem execstack };
libs_search_lib(tomcat5_java_t)
libs_use_shared_libs(tomcat5_java_t)
files_search_usr(tomcat5_java_t)
files_read_usr_files(tomcat5_java_t)
files_search_etc(tomcat5_java_t)
files_read_etc_files(tomcat5_java_t)
rw_fifo_files_pattern(tomcat5_java_t,tomcat5_t,tomcat5_t)
libs_use_ld_so(tomcat5_java_t)
write_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
unconfined_dontaudit_use_terminals(tomcat5_java_t)



The idea is to 'sandbox' all java applications run by tomcat5 to avoid
damage by exploits in webservices and stuff.
The problem is, when I try to start tomcat I get the error that
libjli.so is not found, which seems to occur because the environment
variable ORIGIN is not resolved (I find a lot of
open($ORIGIN/../libjli.so) in strace). I have no idea what causes this
behavior and I have no audits even with dontaudit disabled.

Has anyone any advice please? I'm really running out of ideas here!

regards

christoph

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
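The strace output quoted above shows a literal, unexpanded `$ORIGIN` in the open() call. `$ORIGIN` is a dynamic string token that glibc's dynamic loader expands from the executable's RPATH/RUNPATH, and the loader restricts that expansion when the process runs in secure-execution mode, i.e. when the kernel has set `AT_SECURE` in the auxiliary vector. The kernel sets `AT_SECURE` for set-uid/set-gid executables and also when an LSM asks for it; SELinux does so on a domain transition unless the source domain holds the `noatsecure` process permission on the target domain. The policy in the post grants `noatsecure` only on the `tomcat5_t` to `tomcat5_java_t` transition, while `tomcat5_t` itself is entered through `init_daemon_domain`. The following diagnostic, an added example that is not part of the original post or of any Fedora policy, reports whether the process it runs in is in secure-execution mode and whether that is explained by a uid/gid mismatch or must come from elsewhere (such as a domain transition). Running it in place of the failing java binary at each hop of the start-up chain shows where secure mode is introduced. The reason codes and function names are this example's own convention.

```c
#define _GNU_SOURCE          /* for getresuid()/getresgid() */
#include <stdio.h>
#include <unistd.h>
#include <sys/auxv.h>        /* getauxval(), AT_SECURE (glibc >= 2.16) */

/* Why the dynamic loader treats this process as "secure".
 * These codes are this example's convention, not a glibc or kernel API. */
enum secure_reason {
    SECURE_NO    = 0,   /* AT_SECURE == 0: ld.so expands $ORIGIN, honours LD_LIBRARY_PATH, ... */
    SECURE_SETID = 1,   /* AT_SECURE set and real/effective ids differ: set-uid/set-gid execution */
    SECURE_OTHER = 2    /* AT_SECURE set although ids match: requested by the kernel for another
                           reason, e.g. an SELinux domain transition without noatsecure */
};

/* Pure classification, so the logic can be checked without a real transition. */
enum secure_reason classify_secure_exec(unsigned long at_secure,
                                        uid_t ruid, uid_t euid,
                                        gid_t rgid, gid_t egid)
{
    if (at_secure == 0)
        return SECURE_NO;
    if (ruid != euid || rgid != egid)
        return SECURE_SETID;
    return SECURE_OTHER;
}

/* Read the live values for the calling process. */
enum secure_reason current_secure_exec(void)
{
    unsigned long at_secure = getauxval(AT_SECURE);
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* If the ids cannot be read, report the conservative (more restrictive) case. */
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return SECURE_OTHER;
    return classify_secure_exec(at_secure, ruid, euid, rgid, egid);
}

const char *secure_reason_str(enum secure_reason r)
{
    switch (r) {
    case SECURE_NO:    return "not in secure-execution mode; $ORIGIN will be expanded";
    case SECURE_SETID: return "secure-execution mode because of a uid/gid change";
    default:           return "secure-execution mode without uid/gid change "
                              "(check the domain transition for the noatsecure permission)";
    }
}

int main(void)
{
    printf("AT_SECURE=%lu: %s\n", getauxval(AT_SECURE),
           secure_reason_str(current_secure_exec()));
    return 0;
}
```

A report of `SECURE_OTHER` for the process that is supposed to load libjli.so points at the transition that created it rather than at the library path, which is where an `allow <source> <target>:process noatsecure;` rule (or the absence of one) would be looked for; `SECURE_NO` means the `$ORIGIN` failure has to be explained some other way.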