[CentOS] echo 0> /selinux/enforce

Daniel J Walsh dwalsh at redhat.com
Wed Nov 6 17:01:53 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/06/2013 11:55 AM, Les Mikesell wrote:
> On Wed, Nov 6, 2013 at 9:23 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> 
>> SELinux blocks "confined" processes, but usually does not block the 
>> administrator who is running as unconfined_t, and is allowed to do
>> everything he could do if SELinux was disabled.
>> 
>> Confined processes are targeted to system services. Stuff that is started
>> at boot versus processes started by a logged in user.
> 
> Is there a way to configure things so tomcat or other java web containers
> can unpack the war files used for code deployment and compile/cache jsp
> code on the fly but not be able to write anything else (like from the
> several instances of struts vulnerabilities)?
> 
We can control the directory that an application can write to and directories
that they can execute.  We can do this at the process level.

Not sure if we can do what you describe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ6dgEACgkQrlYvE4MpobO/PgCfTiqY3nZQRMDJu5EFBV+R/hIm
SREAoID7lpD1bx5zcoe7IMMnJ1nNeLMU
=1Pck
-----END PGP SIGNATURE-----



More information about the CentOS mailing list