Centos – How to construct SELinux rules for a Glassfish server

Tags: centos, centos6, glassfish, security, selinux

I'm running Glassfish 3.1 on a CentOS 6 solution and by default SELinux is enabled. I have installed Sun's JDK version 1.6.0_29 on the server and extracted the Glassfish 3.1.1 to /opt/glassfish-3.1.1 with a link /opt/glassfish pointing to the latest Glassfish version. I've also created a system user named glassfish with a home directory /home/glassfish.

When running with SELinux enabled I get all sorts of errors. For instance I'm not able to create the domain. I kind of like the concept of SELinux, and would like to be able to have SELinux enabled. I have the following requirements for the Glassfish server:

  • Listening on ports 8080 and 8081
  • Other ports: 7676: JMS, 8686: JMX monitoring, 4848: Admin console
  • Forwarding from apache to Glassfish through mod_jk and port 8009
  • Starting OpenMQ as a separate process which listens on 7676 and its JMX monitoring port 7776
  • Able to read and write files at a specified area (different from home directory)
  • Able to use /tmp/ for temporary files

I am aware of the audit2allow tool when running in permissive mode, but I struggle with understanding the rules that are generated by this tool, and thought that setting up these rules manually the first time would help me understand the SELinux rules better than the simplistic examples that I've seen so far.

Can someone with SELinux experience help me form these SELinux rules with comments describing each part of the rules?

Best Answer

As Mlfe said, java is user-installed and runs unconfined, since the policies don't know about it.

The rule-building is quite a process, I suggest you read the RHEL guide at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html for general information.

There is the "selinux-polgengui" command (Fedora/RHEL/CentOS, in the policycoreutils-gui package) that can create additional policies for your application. It works step by step, which can cover your requirements, but I guess it won't be easy for java and glassfish because of all the files involved.

Another line of defense for your application could be a java policy, which is managed by the security manager of the Java VM. See http://blogs.oracle.com/monzillo/entry/policy_files_the_securitymanager_and as a starting point.
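A commented starting point for the rule set the question asks for, added here as an example (it is not part of the answer above, and not Glassfish's or the SELinux project's own policy). The script generates a refpolicy-style module (`glassfish.te` and `glassfish.fc`) plus the `semanage port` commands for the ports listed in the question, and prints the build and install steps. Every type name (`glassfish_t`, `glassfish_exec_t`, `glassfish_data_t`, `glassfish_tmp_t`, `glassfish_port_t`), the module name and the data directory `/srv/glassfish-data` are assumptions; `/opt/glassfish-3.1.1` and the port numbers come from the question. The rules reflect the listed requirements only; real runs will surface further denials that have to be added after reviewing the audit log.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: generates a starter
# SELinux policy module for the Glassfish domain described in the question.
# Every type name (glassfish_t, glassfish_exec_t, glassfish_port_t, ...), the
# module name and DATA_DIR are assumptions; the paths come from the question.
set -eu

DATA_DIR="${DATA_DIR:-/srv/glassfish-data}"      # assumed read/write area (no regex metachars)
ASADMIN='/opt/glassfish-3\.1\.1/bin/asadmin'      # launcher, regex-escaped for the .fc file
GLASSFISH_TCP_PORTS="8080 8081 4848 8009 8686 7676 7776"  # listed in the question

# Type-enforcement rules. Lines starting with ## explain the rule below them.
write_te() {
cat <<'EOF'
policy_module(glassfish, 1.0)

## The process domain and the file type of the launcher. init_daemon_domain()
## makes init scripts transition into glassfish_t when they exec that file.
type glassfish_t;
type glassfish_exec_t;
init_daemon_domain(glassfish_t, glassfish_exec_t)

## asadmin is a shell script that execs the JDK under /usr, so the domain must
## be allowed to run the shell and ordinary binaries under /usr.
corecmd_exec_shell(glassfish_t)
corecmd_exec_bin(glassfish_t)
files_exec_usr_files(glassfish_t)

## Application data lives in its own type, outside the home directory.
type glassfish_data_t;
files_type(glassfish_data_t)
manage_dirs_pattern(glassfish_t, glassfish_data_t, glassfish_data_t)
manage_files_pattern(glassfish_t, glassfish_data_t, glassfish_data_t)

## Temporary files get a private type: anything glassfish_t creates in /tmp is
## labelled glassfish_tmp_t on creation, so other confined domains cannot read it.
type glassfish_tmp_t;
files_tmp_file(glassfish_tmp_t)
manage_dirs_pattern(glassfish_t, glassfish_tmp_t, glassfish_tmp_t)
manage_files_pattern(glassfish_t, glassfish_tmp_t, glassfish_tmp_t)
files_tmp_filetrans(glassfish_t, glassfish_tmp_t, { dir file })

## Network: the domain may bind only to ports labelled glassfish_port_t
## (assigned with semanage port, see below) and connect to its own JMS/JMX ports.
type glassfish_port_t;
corenet_port(glassfish_port_t)
corenet_tcp_bind_generic_node(glassfish_t)
allow glassfish_t self:tcp_socket create_stream_socket_perms;
allow glassfish_t glassfish_port_t:tcp_socket { name_bind name_connect };

## mod_jk in httpd_t must reach the AJP listener; granting only this port type
## is narrower than switching on the httpd_can_network_connect boolean.
gen_require(`
    type httpd_t;
')
allow httpd_t glassfish_port_t:tcp_socket name_connect;

## HotSpot's JIT needs memory that is both writable and executable. This is the
## rule that weakens W^X for the JVM, so keep it explicit and reviewable.
allow glassfish_t self:process execmem;
EOF
}

# File contexts: which files on disk receive the types declared above.
write_fc() {
    printf '%s -- gen_context(system_u:object_r:glassfish_exec_t,s0)\n' "$ASADMIN"
    printf '%s(/.*)? gen_context(system_u:object_r:glassfish_data_t,s0)\n' "$DATA_DIR"
}

# semanage commands that label the listening ports. Check 'semanage port -l'
# first: a port already owned by another type (8080 usually is) needs
# 'semanage port -m' instead of '-a'.
port_commands() {
    for p in $GLASSFISH_TCP_PORTS; do
        printf 'semanage port -a -t glassfish_port_t -p tcp %s\n' "$p"
    done
}

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
write_te > "$OUT_DIR/glassfish.te"
write_fc > "$OUT_DIR/glassfish.fc"
port_commands > "$OUT_DIR/label-ports.sh"

cat <<EOF
Policy sources written to $OUT_DIR. Build and install as root (needs the
refpolicy development Makefile from the selinux-policy-devel package):
  cd $OUT_DIR && make -f /usr/share/selinux/devel/Makefile glassfish.pp
  semodule -i $OUT_DIR/glassfish.pp
  sh $OUT_DIR/label-ports.sh
  restorecon -Rv /opt/glassfish-3.1.1/bin $DATA_DIR
  semanage permissive -a glassfish_t   # only this domain permissive while tuning
Then start the domain, review 'ausearch -m avc -c java', extend the .te with
what is genuinely needed, and finish with 'semanage permissive -d glassfish_t'.
EOF
```

Making only `glassfish_t` permissive (rather than the whole system) keeps every other domain enforcing while the missing rules are collected, and the denials in the audit log map one-to-one onto the commented blocks above, which is the understanding the question is after before reaching for audit2allow.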