SELinux Mailing List: by thread
From: Justin R. Smith <jsmith_at_mcs.drexel.edu>
subject: Additions to file_contexts
Date: 08 Oct 2001 16:02:13 -0400


I run Java servlets (using the Jakarta Tomcat engine) from my web site, so I added the following lines to the setfiles/file_context file, since servlets are LIKE scripts (sort of):

/var/www/tomcat(|/.*) system_u:object_r:httpd_user_script_rw_t
/var/www/classes(|/.*) system_u:object_r:httpd_user_script_rw_t

Note: /var/www/classes is a directory containing classes used by all servlets and is in the Java CLASSPATH. /var/www/tomcat contains tomcat and all deployed web applications.

I also had to make my html content writable because my cgi scripts and servlets frequently write to it.

In addition, Tomcat likes to compile jsp into servlets and, therefore, must be able to write to its work directory.

-- 
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Additions to file_contexts
Date: Tue, 9 Oct 2001 11:34:37 -0400 (EDT)

On 8 Oct 2001, Justin R. Smith wrote:

> I run Java servlets (using the Jakarta Tomcat engine) from my web site,
> so I added the following lines to the setfiles/file_context file, since
> servlets are LIKE scripts (sort of):
>
> /var/www/tomcat(|/.*) system_u:object_r:httpd_user_script_rw_t
> /var/www/classes(|/.*) system_u:object_r:httpd_user_script_rw_t
>
> Note: /var/www/classes is a directory containing classes used by all
> servlets and is in the Java CLASSPATH. /var/www/tomcat contains tomcat
> and all deployed web applications.

Shouldn't you be using the httpd_user_script_t type (or the httpd_sys_script_t type)? The httpd_user_script_rw_t type is a type for files that are readable and writeable by user CGI scripts. Is that what you want?

> I also had to make my html content writable because my cgi scripts and
> servlets frequently write to it.
>
> In addition, Tomcat likes to compile jsp into servlets and, therefore,
> must be able to write to its work directory.

Hopefully you can separate the content that should be writeable from the content that is static, and use different types in order to still protect some of your content against corruption.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
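The two messages above turn on how file_contexts entries label paths and on Stephen Smalley's point that writable and static content should carry different types. The following is an added example, not code from either poster or from the SELinux project: a small Python model of file_contexts matching that labels a constructed set of paths first with Justin's original two entries and then with a split layout that reserves httpd_user_script_rw_t for the directories that genuinely need writes. It assumes the setfiles rule that, when several entries match, the last matching entry wins; the regex column is treated as anchored to the whole pathname, the optional file-type field (-d and friends) is accepted but ignored, and STATIC_CONTENT_TYPE is a placeholder for whatever read-only content type the local policy provides, since the thread names none.

```python
import re
from typing import NamedTuple, Optional


class Spec(NamedTuple):
    """One file_contexts entry: an anchored path regex and the context it assigns."""
    regex: "re.Pattern[str]"
    context: str


def parse_file_contexts(text: str) -> list:
    """Parse lines of the form: <path regex> [<file type>] <security context>.

    The optional middle field (-d, -l, -- ...) restricts an entry to one inode
    type in real setfiles; this model labels paths only, so it is ignored.
    """
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            path_re, context = fields
        elif len(fields) == 3:
            path_re, _file_type, context = fields
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # setfiles matches the regex against the whole pathname.
        specs.append(Spec(re.compile("^" + path_re + "$"), context))
    return specs


def lookup(specs, path: str) -> Optional[str]:
    """Return the context a path would receive. Assumption: last match wins."""
    chosen = None
    for spec in specs:
        if spec.regex.match(path):
            chosen = spec.context
    return chosen


RW_TYPE = "system_u:object_r:httpd_user_script_rw_t"


def writable_by_scripts(specs, paths) -> list:
    """Paths that end up labelled with the read/write script type."""
    return sorted(p for p in paths if lookup(specs, p) == RW_TYPE)


# Justin's original entries: everything under both trees is script-writable.
BROAD = """
/var/www/tomcat(|/.*)   system_u:object_r:httpd_user_script_rw_t
/var/www/classes(|/.*)  system_u:object_r:httpd_user_script_rw_t
"""

# Split layout following the reply: code gets the script type, only the
# Tomcat work directory and one data directory get the rw type. The entries
# for the writable subtrees come last so that they override the broader ones.
# STATIC_CONTENT_TYPE is a placeholder, not a type named in the thread.
SEPARATED = """
/var/www/tomcat(|/.*)       system_u:object_r:httpd_user_script_t
/var/www/classes(|/.*)      system_u:object_r:httpd_user_script_t
/var/www/html(|/.*)         system_u:object_r:STATIC_CONTENT_TYPE
/var/www/tomcat/work(|/.*)  system_u:object_r:httpd_user_script_rw_t
/var/www/html/data(|/.*)    system_u:object_r:httpd_user_script_rw_t
"""

BROAD_SPECS = parse_file_contexts(BROAD)
SEPARATED_SPECS = parse_file_contexts(SEPARATED)

# Constructed sample paths; not taken from any real system.
SAMPLE_PATHS = [
    "/var/www/tomcat",
    "/var/www/tomcat/lib/servlet.jar",
    "/var/www/tomcat/work/localhost/index_jsp.java",
    "/var/www/classes/util/Db.class",
    "/var/www/html/index.html",
    "/var/www/html/data/counter.txt",
    "/etc/passwd",
]

if __name__ == "__main__":
    for name, specs in (("broad", BROAD_SPECS), ("separated", SEPARATED_SPECS)):
        print(f"[{name}] script-writable paths:")
        for p in writable_by_scripts(specs, SAMPLE_PATHS):
            print("   ", p)
```

Run it and compare the two lists: with the broad entries the servlet code, the class directory and the Tomcat tree root are all writable by user scripts, so a compromised CGI or servlet could replace code that the server will later execute; with the split entries only the JSP work directory and the designated data directory remain writable, which is the separation the reply asks for.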
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT