On Wed, Nov 6, 2013 at 9:23 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> SELinux blocks "confined" processes, but usually does not block the
> administrator who is running as unconfined_t, and is allowed to do everything
> he could do if SELinux was disabled.
>
> Confined processes are targeted to system services. Stuff that is started at
> boot versus processes started by a logged in user.

Is there a way to configure things so tomcat or other java web containers can
unpack the war files used for code deployment and compile/cache jsp code on
the fly but not be able to write anything else (like from the several
instances of struts vulnerabilities)?

-- 
Les Mikesell
lesmikesell at gmail.com
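The confinement asked about above is what a small reference-policy module for the container gives you: the JVM gets its own domain, the exploded-WAR tree and the JSP work directory get their own writable types, and every other write is denied by default because nothing grants it. The module below is an added illustration written for this thread, not code from the list, from Mr. Walsh, or from the distribution's selinux-policy package (newer selinux-policy releases ship their own tomcat module; check with `semanage fcontext -l | grep tomcat` before writing a custom one). The module name `mywebapp`, the type names, and the `/usr/share/tomcat`, `/var/lib/tomcat`, `/var/cache/tomcat` and `/var/log/tomcat` paths are assumptions; adjust them to the layout of the container you actually run.

```selinux
## mywebapp.te -- hypothetical module confining a java web container.
## Only the types declared here are writable from mywebapp_t; anything
## not granted below (/etc, home dirs, cron spools, other services'
## data) is denied and logged as an AVC.
policy_module(mywebapp, 1.0.0)

########################################
# Declarations

type mywebapp_t;
type mywebapp_exec_t;
init_daemon_domain(mywebapp_t, mywebapp_exec_t)

# Deployed code: dropped WAR files and the tree they are unpacked into.
type mywebapp_var_lib_t;
files_type(mywebapp_var_lib_t)

# Scratch space for translated/compiled JSPs ($CATALINA_BASE/work).
type mywebapp_cache_t;
files_type(mywebapp_cache_t)

type mywebapp_log_t;
logging_log_file(mywebapp_log_t)

type mywebapp_var_run_t;
files_pid_file(mywebapp_var_run_t)

type mywebapp_tmp_t;
files_tmp_file(mywebapp_tmp_t)

########################################
# Local policy

# The JVM's JIT needs anonymous executable memory (execmem); this is the
# one permission here that is weaker than a typical C daemon gets.
allow mywebapp_t self:process { execmem signal signull getsched setsched };
allow mywebapp_t self:fifo_file rw_fifo_file_perms;
allow mywebapp_t self:tcp_socket create_stream_socket_perms;

# Writable: the deployment tree (unpacking WARs) and the JSP work dir.
manage_dirs_pattern(mywebapp_t, mywebapp_var_lib_t, mywebapp_var_lib_t)
manage_files_pattern(mywebapp_t, mywebapp_var_lib_t, mywebapp_var_lib_t)
files_var_lib_filetrans(mywebapp_t, mywebapp_var_lib_t, { dir file })

manage_dirs_pattern(mywebapp_t, mywebapp_cache_t, mywebapp_cache_t)
manage_files_pattern(mywebapp_t, mywebapp_cache_t, mywebapp_cache_t)

# Logs: create and append only; the container cannot truncate or
# rewrite its own history.
manage_dirs_pattern(mywebapp_t, mywebapp_log_t, mywebapp_log_t)
create_files_pattern(mywebapp_t, mywebapp_log_t, mywebapp_log_t)
append_files_pattern(mywebapp_t, mywebapp_log_t, mywebapp_log_t)
setattr_files_pattern(mywebapp_t, mywebapp_log_t, mywebapp_log_t)
logging_log_filetrans(mywebapp_t, mywebapp_log_t, { dir file })

manage_files_pattern(mywebapp_t, mywebapp_var_run_t, mywebapp_var_run_t)
files_pid_filetrans(mywebapp_t, mywebapp_var_run_t, file)

manage_dirs_pattern(mywebapp_t, mywebapp_tmp_t, mywebapp_tmp_t)
manage_files_pattern(mywebapp_t, mywebapp_tmp_t, mywebapp_tmp_t)
files_tmp_filetrans(mywebapp_t, mywebapp_tmp_t, { dir file })

# Read-only access the JVM needs to start and to serve requests.
kernel_read_system_state(mywebapp_t)
kernel_read_network_state(mywebapp_t)
corecmd_exec_bin(mywebapp_t)          # catalina.sh execs /usr/bin/java
corenet_tcp_bind_generic_node(mywebapp_t)
corenet_tcp_bind_http_cache_port(mywebapp_t)   # 8080/tcp
dev_read_rand(mywebapp_t)
dev_read_urand(mywebapp_t)
dev_read_sysfs(mywebapp_t)
files_read_etc_files(mywebapp_t)      # /etc/tomcat/server.xml etc.
files_read_usr_files(mywebapp_t)      # the JDK and the container jars
auth_use_nsswitch(mywebapp_t)
logging_send_syslog_msg(mywebapp_t)
miscfiles_read_localization(mywebapp_t)

## mywebapp.fc -- file contexts (paths are assumptions)
## /usr/share/tomcat/bin/catalina\.sh  --  gen_context(system_u:object_r:mywebapp_exec_t,s0)
## /var/lib/tomcat/webapps(/.*)?           gen_context(system_u:object_r:mywebapp_var_lib_t,s0)
## /var/cache/tomcat/work(/.*)?            gen_context(system_u:object_r:mywebapp_cache_t,s0)
## /var/log/tomcat(/.*)?                   gen_context(system_u:object_r:mywebapp_log_t,s0)
```

Build and load it with the selinux-policy-devel tooling (`make -f /usr/share/selinux/devel/Makefile mywebapp.pp`, then `semodule -i mywebapp.pp` and `restorecon -Rv` over the labelled directories), and start the container through the labelled `catalina.sh` so init transitions it into `mywebapp_t`; `ps -eZ | grep java` confirms the domain. Two caveats a practitioner will want. First, expect some AVC denials on the first start (`ausearch -m avc -ts recent`) for whatever your particular JDK or webapps touch; add only the specific interfaces they need rather than reaching for a permissive domain. Second, this answers the question as posed but does not remove the risk it is motivated by: because the domain must write into the deployment tree to unpack WARs, a Struts-style remote code execution running as `mywebapp_t` can still drop a JSP or WAR there and have the container execute it. What the policy buys you is that the same exploit cannot write to `/etc`, user home directories, cron, or other services' data, and cannot read files outside the granted types. If hot deployment is not needed, the stricter variant is to leave `mywebapp_var_lib_t` read-only (`read_files_pattern`/`list_dirs_pattern` instead of the `manage_*` lines), deploy exploded WARs as the administrator, and keep only `mywebapp_cache_t` writable for JSP compilation.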