[CentOS] echo 0> /selinux/enforce

Wed Nov 6 17:55:52 UTC 2013
Les Mikesell <lesmikesell at gmail.com>

On Wed, Nov 6, 2013 at 11:01 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>>> SELinux blocks "confined" processes, but usually does not block the
>>> administrator who is running as unconfined_t, and is allowed to do
>>> everything he could do if SELinux was disabled.
>>>
>>> Confined processes are targeted to system services. Stuff that is started
>>> at boot versus processes started by a logged in user.
>>
>> Is there a way to configure things so tomcat or other java web containers
>> can unpack the war files used for code deployment and compile/cache jsp
>> code on the fly but not be able to write anything else (like from the
>> several instances of struts vulnerabilities)?
>>
> We can control the directory that an application can write to and directories
> that they can execute.  We can do this at the process level.
>
> Not sure if we can do what you describe.

The problem is that web developers normally package sites as war files
to deploy/update (basically a zip of the configs/jars/jsps, etc.) and
the servers unpack them directly into the working locations, then
execute them.  Also, as jsp pages are hit the first time, they are
compiled into java byte code and cached for repeated executions.  So
unless you do some extra work like pre-building things on a host that
isn't online and rsyncing the results over to the live servers, the
running process needs to be able to write in the same location where
it will execute code.  So, things like the vulnerabilities in the
struts framework that let you execute more or less arbitrary code
would let you add new sites or pages to a server that remain even
after a restart.

-- 
   Les Mikesell
     lesmikesell at gmail.com
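One defensive check for the situation described above (the container has to write in the same tree it executes from, so a write restriction alone cannot stop a dropped page): baseline the unpacked webapps tree right after a deployment and report anything that later appears or changes outside the directories Tomcat legitimately writes at runtime. This is an added example, not code from the thread; the CATALINA_BASE layout (webapps/, work/, temp/) and the sample files are assumed and constructed.

```python
import hashlib
import os
import tempfile

# Directories the container writes during normal operation (compiled JSP cache,
# temp files). Assumed layout for this example; adjust to the real CATALINA_BASE.
RUNTIME_DIRS = {"work", "temp"}

def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256, skipping RUNTIME_DIRS."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune runtime dirs in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames if d not in RUNTIME_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest

def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed CATALINA_BASE: one deployed app, then changes made after the baseline."""
    base = tempfile.mkdtemp()
    app = os.path.join(base, "webapps", "shop")
    os.makedirs(os.path.join(app, "WEB-INF"))
    os.makedirs(os.path.join(base, "work", "Catalina"))
    with open(os.path.join(app, "index.jsp"), "w") as fh:
        fh.write("<%= 1 + 1 %>\n")
    with open(os.path.join(app, "WEB-INF", "web.xml"), "w") as fh:
        fh.write("<web-app/>\n")
    baseline = build_manifest(base)  # taken right after the war was unpacked
    # Later: a compiled JSP lands in work/ (expected, ignored), a page appears in
    # webapps/ that was never in the war (reported), and a config file is altered.
    with open(os.path.join(base, "work", "Catalina", "index_jsp.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")
    with open(os.path.join(app, "extra.jsp"), "w") as fh:
        fh.write("<%-- not part of the deployed war --%>\n")
    with open(os.path.join(app, "WEB-INF", "web.xml"), "a") as fh:
        fh.write("<!-- edited after deployment -->\n")
    return diff_manifest(baseline, build_manifest(base))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

In practice the baseline is stored off-host and regenerated only when a new war is deployed, so a report after a restart lists exactly the files that did not come from the deployment.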