Bug 863393

Summary: Chapter 12. SELinux Policies
Product: [JBoss] JBoss Enterprise Web Server 2 Reporter: Jan Martiska <jmartisk>
Component: doc-Installation-GuideAssignee: Misha H. Ali <mhusnain>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.0.0   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-08 22:10:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Martiska 2012-10-05 10:52:43 UTC 
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Web_Server/2/html/HTTP_Connectors_Load_Balancing_Guide/selinux_introduction.html

First of all, I don't think SELinux should be listed under HTTP Connectors Load Balancing Guide at all, it should be moved to Installation Guide, most likely.

I went through the text and invented some improvements for it:

>>>>> I would add this to the end of the page:
This is just a small subset of the most important changes that JBoss Enterprise Web Server's RPM installation makes to SELinux configuration.

Warning: No SELinux configuration is provided (or supported) for installation from ZIP files. In this case, httpd and tomcat processes will usually run in httpd_t or unconfined_java_t domains, which do not confine the processes from a SELinux perspective, therefore the administrator is advised to take security precautions, like
- running httpd through apachectl script, this will ensure that the owner of the process will be apache, not root
- confining the tomcat/apache users' access to files and directories which are unnecessary for Enterprise Web Server's runtime
- not running tomcat as root (this is definitely wrong)
or use the RPM installation if possible.

>>>> and these are changes I suggest to make in the table in the page:
>>>>>>>>>>>>>>>>>>>>>> OLD
A mod_cluster policy is installed which allows httpd to write in /var/cache/mod_cluster. 

<<<<<<<<<<<<<<<<<<<<<< NEW
A post-install script sets the context mapping of /var/cache/mod_cluster so that httpd process can write into it.

>>>>>>>>>>>>>>>>>>>>>> OLD
A mod_snmp policy is installed which allows httpd to write in /var/cache/mod_snmp. 

<<<<<<<<<<<<<<<<<<<<<< NEW
A post-install script sets the context mapping of /var/cache/mod_snmp so that httpd process can write into it.

>>>>>>>>>>>>>>>>>>>>>> OLD
Two ports (6666/tcp and 23364/udp) are allowed for httpd.

<<<<<<<<<<<<<<<<<<<<<< NEW 
Two ports are added to http_port_t (TCP port 6666 and UDP port 23364) so that httpd process can use them. 

>>>>>>>>>>>>>>>>>>>>>> OLD
Four ports are added to http_port_t (ports 8080, 8005, 8009 and 8443). 

<<<<<<<<<<<<<<<<<<<<<< NEW
Four ports are added to http_port_t (TCP ports 8080, 8005, 8009 and 8443) so that httpd process can use them. 

>>>>>>>>>>>>>>>>>>>>>> OLD
The snmp port (161i/upd) is allowed for httpd. 

<<<<<<<<<<<<<<<<<<<<<< NEW
The installed mod_snmp policy allows httpd process to bind to snmp_port_t ports, that means 161 and 162 (both TCP and UDP).

>>>>>>>>>>>>>>>>>>>>>> OLD
The tomcat policy is installed, which allows tomcat to execute in /usr/sbin/tomcat and to write in dis /var/cache/tomcat{version}, /var/lib/tomcat{version}, /var/log/tomcat{version} and /var/run/tomcat{version}.pid.

<<<<<<<<<<<<<<<<<<<<<< NEW
The tomcat{version} policy is installed, which sets the appropriate SELinux domain for the process when tomcat is executed. It also sets appropriate contexts for /var/lib/tomcat{version}, /var/log/tomcat{version}, /var/cache/tomcat{version} and /var/run/tomcat{version}.pid so that running tomcat process can write to them.
Comment 1 Misha H. Ali 2012-10-07 23:40:13 UTC 
(In reply to comment #0)
> http://documentation-devel.engineering.redhat.com/docs/en-US/
> JBoss_Enterprise_Web_Server/2/html/HTTP_Connectors_Load_Balancing_Guide/
> selinux_introduction.html
> 
> First of all, I don't think SELinux should be listed under HTTP Connectors
> Load Balancing Guide at all, it should be moved to Installation Guide, most
> likely.

Moved. Changing component for this bug accordingly so we can keep track of where the changes are.

> 
> I went through the text and invented some improvements for it:
> 
> >>>>> I would add this to the end of the page:
> This is just a small subset of the most important changes that JBoss
> Enterprise Web Server's RPM installation makes to SELinux configuration.
> 
> Warning: No SELinux configuration is provided (or supported) for
> installation from ZIP files. In this case, httpd and tomcat processes will
> usually run in httpd_t or unconfined_java_t domains, which do not confine
> the processes from a SELinux perspective, therefore the administrator is
> advised to take security precautions, like
> - running httpd through apachectl script, this will ensure that the owner of
> the process will be apache, not root
> - confining the tomcat/apache users' access to files and directories which
> are unnecessary for Enterprise Web Server's runtime
> - not running tomcat as root (this is definitely wrong)
> or use the RPM installation if possible.
> 

Added as a new section. Link to follow.

> >>>> and these are changes I suggest to make in the table in the page:
> >>>>>>>>>>>>>>>>>>>>>> OLD
> A mod_cluster policy is installed which allows httpd to write in
> /var/cache/mod_cluster. 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> A post-install script sets the context mapping of /var/cache/mod_cluster so
> that httpd process can write into it.
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> A mod_snmp policy is installed which allows httpd to write in
> /var/cache/mod_snmp. 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> A post-install script sets the context mapping of /var/cache/mod_snmp so
> that httpd process can write into it.
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> Two ports (6666/tcp and 23364/udp) are allowed for httpd.
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW 
> Two ports are added to http_port_t (TCP port 6666 and UDP port 23364) so
> that httpd process can use them. 
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> Four ports are added to http_port_t (ports 8080, 8005, 8009 and 8443). 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> Four ports are added to http_port_t (TCP ports 8080, 8005, 8009 and 8443) so
> that httpd process can use them. 
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> The snmp port (161i/upd) is allowed for httpd. 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> The installed mod_snmp policy allows httpd process to bind to snmp_port_t
> ports, that means 161 and 162 (both TCP and UDP).
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> The tomcat policy is installed, which allows tomcat to execute in
> /usr/sbin/tomcat and to write in dis /var/cache/tomcat{version},
> /var/lib/tomcat{version}, /var/log/tomcat{version} and
> /var/run/tomcat{version}.pid.
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> The tomcat{version} policy is installed, which sets the appropriate SELinux
> domain for the process when tomcat is executed. It also sets appropriate
> contexts for /var/lib/tomcat{version}, /var/log/tomcat{version},
> /var/cache/tomcat{version} and /var/run/tomcat{version}.pid so that running
> tomcat process can write to them.

Done.

This bug will be set to ON_QA with a link once it appears on the stage.
Comment 3 Jan Martiska 2012-10-10 09:52:29 UTC 
Okay! Thanks.
Comment 4 Misha H. Ali 2012-11-08 22:10:49 UTC 
This bug is set to CLOSED CURRENT RELEASE to indicate that this fix is now released and available at access.redhat.com.