-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 11/06/2013 11:55 AM, Les Mikesell wrote:
On Wed, Nov 6, 2013 at 9:23 AM, Daniel J Walsh dwalsh@redhat.com wrote:
SELinux blocks "confined" processes, but usually does not block the administrator who is running as unconfined_t, and is allowed to do everything he could do if SELinux was disabled.
Confined processes are targeted to system services. Stuff that is started at boot versus processes started by a logged in user.
Is there a way to configure things so tomcat or other java web containers can unpack the war files used for code deployment and compile/cache jsp code on the fly but not be able to write anything else (like from the several instances of struts vulnerabilities)?
We can control the directory that an application can write to and directories that they can execute. We can do this at the process level.
Not sure if we can do what you describe.