On 11/06/2013 12:55 PM, Les Mikesell wrote:
> On Wed, Nov 6, 2013 at 11:01 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>>>> SELinux blocks "confined" processes, but usually does not block the
>>>> administrator who is running as unconfined_t, and is allowed to do
>>>> everything he could do if SELinux was disabled.
>>>>
>>>> Confined processes are targeted to system services. Stuff that is
>>>> started at boot versus processes started by a logged-in user.
>>>
>>> Is there a way to configure things so tomcat or other java web
>>> containers can unpack the war files used for code deployment and
>>> compile/cache jsp code on the fly but not be able to write anything
>>> else (like from the several instances of struts vulnerabilities)?
>>>
>> We can control the directory that an application can write to and
>> directories that they can execute. We can do this at the process level.
>>
>> Not sure if we can do what you describe.
>
> The problem is that web developers normally package sites as war files to
> deploy/update (basically a zip of the configs/jars/jsps, etc.) and the
> servers unpack them directly into the working locations, then execute them.
> Also as jsp pages are hit the first time, they are compiled into java byte
> code and cached for repeated executions. So unless you do some extra work
> like pre-building things on a host that isn't on line and rsyncing the
> results over to the live servers, the running process needs to be able to
> write in the same location where it will execute code. So, things like
> the vulnerabilities in the struts framework that let you execute more or
> less arbitrary code would let you add new sites or pages to a server that
> remain even after a restart.
>

Yes, that would be a problem. We have similar problems with python, but ship the compiled python inside the rpms.
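The practical check behind this exchange is to enumerate the "write and execute from the same place" set on a running Tomcat: every directory the service identity can write to that also holds code Tomcat will load or compile (WARs, JARs, classes, JSPs). The script below is an added example, not code from the thread, from Red Hat or from the SELinux project; it approximates the question with DAC mode bits (owner/group/other write) rather than SELinux labels, and the directory layout and modes it builds are constructed to mirror a default CATALINA_BASE, not a real installation. An SELinux version would compare the writable types in the tomcat domain's policy against the labels on these directories instead of mode bits.

```python
"""Audit a Tomcat-style tree for the write+execute overlap: directories the
service identity can write to that also contain code it will run.

Added example, not from the mailing-list thread.  The demo tree (build_demo_tree)
is constructed here as an assumption about a default layout; the audit itself
works on any directory root.
"""
import os
import shutil
import stat
import tempfile

# File types Tomcat deploys, loads or compiles (assumption: the usual set).
CODE_SUFFIXES = (".war", ".jar", ".class", ".jsp", ".jspx")


def writable_by(st, uid, gid):
    """DAC write check from mode bits for an arbitrary identity.

    os.access() only answers for the caller, so derive the answer from
    st_mode the way the kernel would: owner bit if uid owns it, else the
    group bit if gid matches, else the 'other' bit.
    """
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(root, uid, gid):
    """Return (writable_with_code, writable_no_code), relative paths, sorted.

    The first list is the W+X set a code-execution bug in the webapp can
    persist into across restarts; the second is write access that currently
    holds no code but is still a place an attacker could drop some.
    """
    with_code, no_code = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not writable_by(os.lstat(dirpath), uid, gid):
            continue
        rel = os.path.relpath(dirpath, root)
        has_code = any(name.endswith(CODE_SUFFIXES) for name in filenames)
        (with_code if has_code else no_code).append(rel)
    return sorted(with_code), sorted(no_code)


# Constructed sample layout: (relative dir, mode, files it contains).
DEMO_LAYOUT = [
    ("conf", 0o555, ["server.xml"]),          # read-only config
    ("lib", 0o555, ["catalina.jar"]),         # read-only server jars
    ("webapps", 0o755, ["ROOT.war"]),         # WARs are unpacked here
    ("webapps/ROOT", 0o755, ["index.jsp"]),   # unpacked app, writable
    ("work", 0o755, ["index_jsp.class"]),     # compiled JSP cache
    ("temp", 0o755, []),                      # writable, no code yet
    ("logs", 0o755, ["catalina.out"]),        # writable, no code
]


def build_demo_tree():
    """Create the constructed layout under a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="catalina_base_")
    for rel, _mode, files in DEMO_LAYOUT:
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("placeholder\n")
    # Apply modes after everything exists, deepest paths first.
    for rel, mode, _files in sorted(DEMO_LAYOUT, key=lambda e: -len(e[0])):
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o555)  # the base itself is not writable
    return root


def remove_demo_tree(root):
    """Restore write bits so rmtree can delete read-only directories."""
    for dirpath, dirnames, _ in os.walk(root):
        os.chmod(dirpath, 0o755)
    shutil.rmtree(root)


def demo(uid=None, gid=None):
    """Build the sample tree, audit it as the given identity, clean up."""
    uid = os.geteuid() if uid is None else uid
    gid = os.getegid() if gid is None else gid
    root = build_demo_tree()
    try:
        return audit(root, uid, gid)
    finally:
        remove_demo_tree(root)


if __name__ == "__main__":
    with_code, no_code = demo()
    print("writable AND holding code (W+X):", with_code)
    print("writable, no code present     :", no_code)
```

Run against a real CATALINA_BASE with the tomcat user's uid/gid (`audit("/var/lib/tomcat", uid, gid)`), the first list is exactly the set the thread is worried about: webapps and work must stay in it for WAR unpacking and on-the-fly JSP compilation to keep working, and anything else that appears there is write access worth removing. Pre-building on an offline host and syncing the results, as suggested above, is what lets those two directories leave the list too.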