Bug 863393 - Chapter 12. SELinux Policies
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: doc-Installation-Guide
Version: 2.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Misha H. Ali
Reported: 2012-10-05 06:52 EDT by Jan Martiska
Modified: 2012-11-08 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2012-11-08 17:10:49 EST
Type: Bug
Description Jan Martiska 2012-10-05 06:52:43 EDT
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Web_Server/2/html/HTTP_Connectors_Load_Balancing_Guide/selinux_introduction.html

First of all, I don't think SELinux should be listed under the HTTP Connectors Load Balancing Guide at all; it should be moved to the Installation Guide, most likely.

I went through the text and invented some improvements for it:

>>>>> I would add this to the end of the page:
This is just a small subset of the most important changes that JBoss Enterprise Web Server's RPM installation makes to SELinux configuration.

Warning: No SELinux configuration is provided (or supported) for installation from ZIP files. In this case, the httpd and tomcat processes will usually run in the httpd_t or unconfined_java_t domains, which do not confine the processes from an SELinux perspective; therefore the administrator is advised to take security precautions, like
- running httpd through the apachectl script; this will ensure that the owner of the process will be apache, not root
- confining the tomcat/apache users' access to files and directories which are unnecessary for Enterprise Web Server's runtime
- not running tomcat as root (this is definitely wrong)
or to use the RPM installation if possible.

>>>> and these are changes I suggest to make in the table in the page:
>>>>>>>>>>>>>>>>>>>>>> OLD
A mod_cluster policy is installed which allows httpd to write in /var/cache/mod_cluster. 

<<<<<<<<<<<<<<<<<<<<<< NEW
A post-install script sets the context mapping of /var/cache/mod_cluster so that httpd process can write into it.

>>>>>>>>>>>>>>>>>>>>>> OLD
A mod_snmp policy is installed which allows httpd to write in /var/cache/mod_snmp. 

<<<<<<<<<<<<<<<<<<<<<< NEW
A post-install script sets the context mapping of /var/cache/mod_snmp so that httpd process can write into it.

>>>>>>>>>>>>>>>>>>>>>> OLD
Two ports (6666/tcp and 23364/udp) are allowed for httpd.

<<<<<<<<<<<<<<<<<<<<<< NEW
Two ports are added to http_port_t (TCP port 6666 and UDP port 23364) so that httpd process can use them. 

>>>>>>>>>>>>>>>>>>>>>> OLD
Four ports are added to http_port_t (ports 8080, 8005, 8009 and 8443). 

<<<<<<<<<<<<<<<<<<<<<< NEW
Four ports are added to http_port_t (TCP ports 8080, 8005, 8009 and 8443) so that httpd process can use them. 

>>>>>>>>>>>>>>>>>>>>>> OLD
The snmp port (161i/upd) is allowed for httpd. 

<<<<<<<<<<<<<<<<<<<<<< NEW
The installed mod_snmp policy allows httpd process to bind to snmp_port_t ports, that means 161 and 162 (both TCP and UDP).

>>>>>>>>>>>>>>>>>>>>>> OLD
The tomcat policy is installed, which allows tomcat to execute in /usr/sbin/tomcat and to write in dis /var/cache/tomcat{version}, /var/lib/tomcat{version}, /var/log/tomcat{version} and /var/run/tomcat{version}.pid.

<<<<<<<<<<<<<<<<<<<<<< NEW
The tomcat{version} policy is installed, which sets the appropriate SELinux domain for the process when tomcat is executed. It also sets appropriate contexts for /var/lib/tomcat{version}, /var/log/tomcat{version}, /var/cache/tomcat{version} and /var/run/tomcat{version}.pid so that running tomcat process can write to them.
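The port labels the corrected table lists (http_port_t and snmp_port_t) can be verified on a host by comparing `semanage port -l` output against the expected set. The script below is an added example, not part of the bug report or of the EWS RPM post-install scripts; it runs over a constructed sample listing and assumes the standard `semanage port -l` column layout of type, protocol and a comma-separated port list.

```shell
#!/bin/sh
# Added check (not from the bug report or the EWS RPM scripts): compare the
# port labels an EWS 2 RPM install is expected to create with `semanage port -l`.

# Constructed sample standing in for `semanage port -l` output on a test host;
# it deliberately lacks 6666, 8080 and 8005 under http_port_t/tcp.
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8009, 8443, 9000
http_port_t                    udp      23364
snmp_port_t                    tcp      161, 162
snmp_port_t                    udp      161, 162'

# port_labeled TYPE PROTO PORT LISTING: succeed if PORT is under TYPE/PROTO,
# either listed directly or covered by a low-high range.
port_labeled() {
  printf '%s\n' "$4" | awk -v t="$1" -v p="$2" -v n="$3" '
    $1 == t && $2 == p {
      for (i = 3; i <= NF; i++) {
        v = $i; sub(/,$/, "", v)
        if (v == n) found = 1
        if (v ~ /^[0-9]+-[0-9]+$/) {
          split(v, r, "-")
          if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
        }
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# check_ews_ports LISTING: print one "missing" line per expected label that is
# absent, with the semanage command that would add it (use -m instead of -a if
# the port is already labeled with another type); exit 1 if any is missing.
check_ews_ports() {
  rc=0
  for spec in http_port_t:tcp:6666 http_port_t:udp:23364 \
              http_port_t:tcp:8080 http_port_t:tcp:8005 \
              http_port_t:tcp:8009 http_port_t:tcp:8443 \
              snmp_port_t:tcp:161  snmp_port_t:tcp:162 \
              snmp_port_t:udp:161  snmp_port_t:udp:162; do
    t=${spec%%:*}; rest=${spec#*:}; p=${rest%%:*}; n=${rest#*:}
    if ! port_labeled "$t" "$p" "$n" "$1"; then
      echo "missing: $n/$p not in $t  (fix: semanage port -a -t $t -p $p $n)"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run over the sample; on a real host pass "$(semanage port -l)".
if check_ews_ports "$SAMPLE_PORTS"; then echo "all expected EWS port labels present"; fi
```

File contexts from the same table (for example /var/cache/mod_cluster) are checked separately with `ls -Z` or `matchpathcon`, which this script does not cover.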
Comment 1 Misha H. Ali 2012-10-07 19:40:13 EDT
(In reply to comment #0)
> http://documentation-devel.engineering.redhat.com/docs/en-US/
> JBoss_Enterprise_Web_Server/2/html/HTTP_Connectors_Load_Balancing_Guide/
> selinux_introduction.html
> 
> First of all, I don't think SELinux should be listed under HTTP Connectors
> Load Balancing Guide at all, it should be moved to Installation Guide, most
> likely.

Moved. Changing component for this bug accordingly so we can keep track of where the changes are.

> 
> I went through the text and invented some improvements for it:
> 
> >>>>> I would add this to the end of the page:
> This is just a small subset of the most important changes that JBoss
> Enterprise Web Server's RPM installation makes to SELinux configuration.
> 
> Warning: No SELinux configuration is provided (or supported) for
> installation from ZIP files. In this case, httpd and tomcat processes will
> usually run in httpd_t or unconfined_java_t domains, which do not confine
> the processes from a SELinux perspective, therefore the administrator is
> advised to take security precautions, like
> - running httpd through apachectl script, this will ensure that the owner of
> the process will be apache, not root
> - confining the tomcat/apache users' access to files and directories which
> are unnecessary for Enterprise Web Server's runtime
> - not running tomcat as root (this is definitely wrong)
> or use the RPM installation if possible.
> 

Added as a new section. Link to follow.

> >>>> and these are changes I suggest to make in the table in the page:
> >>>>>>>>>>>>>>>>>>>>>> OLD
> A mod_cluster policy is installed which allows httpd to write in
> /var/cache/mod_cluster. 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> A post-install script sets the context mapping of /var/cache/mod_cluster so
> that httpd process can write into it.
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> A mod_snmp policy is installed which allows httpd to write in
> /var/cache/mod_snmp. 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> A post-install script sets the context mapping of /var/cache/mod_snmp so
> that httpd process can write into it.
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> Two ports (6666/tcp and 23364/udp) are allowed for httpd.
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW 
> Two ports are added to http_port_t (TCP port 6666 and UDP port 23364) so
> that httpd process can use them. 
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> Four ports are added to http_port_t (ports 8080, 8005, 8009 and 8443). 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> Four ports are added to http_port_t (TCP ports 8080, 8005, 8009 and 8443) so
> that httpd process can use them. 
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> The snmp port (161i/upd) is allowed for httpd. 
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> The installed mod_snmp policy allows httpd process to bind to snmp_port_t
> ports, that means 161 and 162 (both TCP and UDP).
> 

Done.

> >>>>>>>>>>>>>>>>>>>>>> OLD
> The tomcat policy is installed, which allows tomcat to execute in
> /usr/sbin/tomcat and to write in dis /var/cache/tomcat{version},
> /var/lib/tomcat{version}, /var/log/tomcat{version} and
> /var/run/tomcat{version}.pid.
> 
> <<<<<<<<<<<<<<<<<<<<<< NEW
> The tomcat{version} policy is installed, which sets the appropriate SELinux
> domain for the process when tomcat is executed. It also sets appropriate
> contexts for /var/lib/tomcat{version}, /var/log/tomcat{version},
> /var/cache/tomcat{version} and /var/run/tomcat{version}.pid so that running
> tomcat process can write to them.

Done.

This bug will be set to ON_QA with a link once it appears on the stage.
Comment 3 Jan Martiska 2012-10-10 05:52:29 EDT
Okay! Thanks.
Comment 4 Misha H. Ali 2012-11-08 17:10:49 EST
This bug is set to CLOSED CURRENT RELEASE to indicate that this fix is now released and available at access.redhat.com.