Bug 863393
Field | Value | Field | Value
---|---|---|---
Summary: | Chapter 12. SELinux Policies | |
Product: | [JBoss] JBoss Enterprise Web Server 2 | Reporter: | Jan Martiska <jmartisk>
Component: | doc-Installation-Guide | Assignee: | Misha H. Ali <mhusnain>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 2.0.0 | |
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-11-08 22:10:49 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Jan Martiska
2012-10-05 10:52:43 UTC
(In reply to comment #0)
> http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Web_Server/2/html/HTTP_Connectors_Load_Balancing_Guide/selinux_introduction.html
>
> First of all, I don't think SELinux should be listed under HTTP Connectors
> Load Balancing Guide at all, it should be moved to Installation Guide, most
> likely.

Moved. Changing component for this bug accordingly so we can keep track of where the changes are.

> I went through the text and invented some improvements for it:
>
> >>>>> I would add this to the end of the page:
> This is just a small subset of the most important changes that JBoss
> Enterprise Web Server's RPM installation makes to SELinux configuration.
>
> Warning: No SELinux configuration is provided (or supported) for
> installation from ZIP files. In this case, httpd and tomcat processes will
> usually run in httpd_t or unconfined_java_t domains, which do not confine
> the processes from a SELinux perspective, therefore the administrator is
> advised to take security precautions, like
> - running httpd through apachectl script, this will ensure that the owner of
>   the process will be apache, not root
> - confining the tomcat/apache users' access to files and directories which
>   are unnecessary for Enterprise Web Server's runtime
> - not running tomcat as root (this is definitely wrong)
> or use the RPM installation if possible.

Added as a new section. Link to follow.

> >>>> and these are changes I suggest to make in the table in the page:
>
> >>>>>>>>>>>>>>>>>>>>>> OLD
> A mod_cluster policy is installed which allows httpd to write in
> /var/cache/mod_cluster.
>
> <<<<<<<<<<<<<<<<<<<<<< NEW
> A post-install script sets the context mapping of /var/cache/mod_cluster so
> that httpd process can write into it.

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> A mod_snmp policy is installed which allows httpd to write in
> /var/cache/mod_snmp.
>
> <<<<<<<<<<<<<<<<<<<<<< NEW
> A post-install script sets the context mapping of /var/cache/mod_snmp so
> that httpd process can write into it.

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> Two ports (6666/tcp and 23364/udp) are allowed for httpd.
>
> <<<<<<<<<<<<<<<<<<<<<< NEW
> Two ports are added to http_port_t (TCP port 6666 and UDP port 23364) so
> that httpd process can use them.

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> Four ports are added to http_port_t (ports 8080, 8005, 8009 and 8443).
>
> <<<<<<<<<<<<<<<<<<<<<< NEW
> Four ports are added to http_port_t (TCP ports 8080, 8005, 8009 and 8443) so
> that httpd process can use them.

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> The snmp port (161i/upd) is allowed for httpd.
>
> <<<<<<<<<<<<<<<<<<<<<< NEW
> The installed mod_snmp policy allows httpd process to bind to snmp_port_t
> ports, that means 161 and 162 (both TCP and UDP).

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> The tomcat policy is installed, which allows tomcat to execute in
> /usr/sbin/tomcat and to write in dis /var/cache/tomcat{version},
> /var/lib/tomcat{version}, /var/log/tomcat{version} and
> /var/run/tomcat{version}.pid.
>
> <<<<<<<<<<<<<<<<<<<<<< NEW
> The tomcat{version} policy is installed, which sets the appropriate SELinux
> domain for the process when tomcat is executed. It also sets appropriate
> contexts for /var/lib/tomcat{version}, /var/log/tomcat{version},
> /var/cache/tomcat{version} and /var/run/tomcat{version}.pid so that running
> tomcat process can write to them.

Done. This bug will be set to ON_QA with a link once it appears on the stage.

Okay! Thanks.

This bug is set to CLOSED CURRENT RELEASE to indicate that this fix is now released and available at access.redhat.com.
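An added post-install check, not part of this bug report or of the Red Hat guide text: it parses `semanage port -l` output (assumed to be the usual three-column layout) and reports which of the http_port_t entries the thread says the RPM scripts add are absent, which is what you would run to confirm the RPM path was used rather than a ZIP install. The two sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added check, not from the bug report or the Red Hat guide: parse the output of
# `semanage port -l` and confirm the ports the documentation says the RPM
# post-install scripts add to http_port_t are present. On a real host run:
#   semanage port -l | check_http_port_t      (0 = all present, 1 = some missing)
check_http_port_t() {
  # Expected proto:port pairs, taken from the bug text.
  awk -v want="tcp:6666 udp:23364 tcp:8080 tcp:8005 tcp:8009 tcp:8443" '
    BEGIN { n = split(want, w, " ") }
    # semanage lines look like:  http_port_t   tcp   80, 81, 443, 8009, 8443
    $1 == "http_port_t" {
      for (i = 3; i <= NF; i++) {
        p = $i; gsub(",", "", p)
        # a field may be a range such as 32768-61000
        if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = p; hi = p }
        for (k = 1; k <= n; k++) {
          split(w[k], e, ":")
          if (e[1] == $2 && e[2] + 0 >= lo + 0 && e[2] + 0 <= hi + 0) seen[w[k]] = 1
        }
      }
    }
    END {
      bad = 0
      for (k = 1; k <= n; k++)
        if (!(w[k] in seen)) { print "missing from http_port_t: " w[k]; bad = 1 }
      exit bad
    }'
}
# Constructed sample (default RHEL 6 style policy, nothing added by an RPM),
# i.e. what a ZIP installation would leave you with.
sample_zip_host() {
  cat <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ephemeral_port_t               tcp      32768-61000
snmp_port_t                    udp      161, 162
EOF
}
# Constructed sample after the RPM post-install scripts have added the ports.
sample_rpm_host() {
  cat <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      6666, 8005, 8080, 80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      23364
snmp_port_t                    udp      161, 162
EOF
}
```

Against the ZIP sample the check prints four missing entries (tcp:6666, udp:23364, tcp:8080, tcp:8005) and exits 1; against the RPM sample it exits 0.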