[CentOS] echo 0> /selinux/enforce
Daniel J Walsh
dwalsh at redhat.com
Thu Nov 7 13:34:36 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/06/2013 12:55 PM, Les Mikesell wrote:
> On Wed, Nov 6, 2013 at 11:01 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>>>> SELinux blocks "confined" processes, but usually does not block the
>>>> administrator who is running as unconfined_t, and is allowed to do
>>>> everything he could do if SELinux was disabled.
>>>>
>>>> Confined processes are targeted to system services. Stuff that is
>>>> started at boot versus processes started by a logged in user.
>>>
>>> Is there a way to configure things so tomcat or other java web
>>> containers can unpack the war files used for code deployment and
>>> compile/cache jsp code on the fly but not be able to write anything
>>> else (like from the several instances of struts vulnerabilities)?
>>>
>> We can control the directory that an application can write to and
>> directories that they can execute. We can do this at the process level.
>>
>> Not sure if we can do what you describe.
>
> The problem is that web developers normally package sites as war files to
> deploy/update (basically a zip of the configs/jars/jsps, etc.) and the
> servers unpack them directly into the working locations, then execute them.
> Also as jsp pages are hit the first time, they are compiled into java byte
> code and cached for repeated executions. So unless you do some extra work
> like pre-building things on a host that isn't on line and rsyncing the
> results over to the live servers, the running process needs to be able to
> write in the same location where it will execute code. So, things like
> the vulnerabilities in the struts framework that let you execute more or
> less arbitrary code would let you add new sites or pages to a server that
> remain even after a restart.
>
Yes, that would be a problem. We have similar problems with Python, but ship
the compiled Python inside the rpms.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlJ7luwACgkQrlYvE4MpobOIQwCgh24U3TaDG6i+cGGHap9pwUvy
NlsAniDIcyAUmdGZu3F4U6Raduk83J8b
=UCsW
-----END PGP SIGNATURE-----
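The thread's concern is that the servlet container must write into the same tree it later executes code from (unpacked WARs, compiled JSPs), so a defender's first step is to know exactly which directories the service account can write to and which of those hold code. The script below is an added example, not from this thread or from the SELinux project: it audits a deployment root with plain POSIX tools and lists directories writable by a given user, and separately the writable directories that directly contain .jsp, .class or .jar files. The directory layout it builds is constructed sample data; the function names and the service-user argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit which directories under a
# deployment root a service account can write to, and which of those hold code,
# so the writable set can be narrowed to what the container actually needs.
# Assumes POSIX sh plus find/sed/sort with -maxdepth support (GNU or BSD find).

# writable_dirs ROOT USER
# Print directories under ROOT (excluding ROOT itself) that USER can write to:
# owned by USER with owner-write, or group/other writable. Sorted relative paths.
writable_dirs() {
    root=$1
    svc=$2
    find "$root" -type d ! -path "$root" \
        \( \( -user "$svc" -perm -u+w \) -o -perm -g+w -o -perm -o+w \) \
        | sed "s|^$root/||" | sort
}

# writable_code_dirs ROOT USER
# Subset of writable_dirs whose directory directly contains executable web content
# (.jsp, .class, .jar): the write-and-execute overlap the thread describes.
writable_code_dirs() {
    root=$1
    svc=$2
    writable_dirs "$root" "$svc" | while IFS= read -r d; do
        if find "$root/$d" -maxdepth 1 -type f \
            \( -name '*.jsp' -o -name '*.class' -o -name '*.jar' \) | grep -q .; then
            echo "$d"
        fi
    done
}

# make_sample
# Build a constructed layout in a temp dir and print its path:
#   lib/ and conf/ read-only (contain a jar / config the service should not alter),
#   webapps/ROOT/ writable and holding a JSP (unpacked WAR),
#   work/ writable but empty (where compiled JSP classes would be cached).
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/conf" "$tmp/webapps/ROOT" "$tmp/work"
    : > "$tmp/lib/app.jar"
    : > "$tmp/conf/server.xml"
    : > "$tmp/webapps/ROOT/index.jsp"
    chmod 755 "$tmp" "$tmp/webapps" "$tmp/webapps/ROOT" "$tmp/work"
    chmod 555 "$tmp/lib" "$tmp/conf"
    echo "$tmp"
}

# Stand-alone run: audit the constructed sample as the current user, then clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample)
    echo "writable by $(id -un):"
    writable_dirs "$root" "$(id -un)"
    echo "writable and containing code:"
    writable_code_dirs "$root" "$(id -un)"
    chmod -R u+w "$root" && rm -rf "$root"
fi
```

On a real host you would run `writable_dirs /opt/tomcat tomcat` (paths and user are assumptions) and compare the output with the short list the container genuinely needs (the unpack and work directories); anything else writable is a candidate for tightening with ordinary ownership and mode changes, or with a per-process SELinux label as Dan describes, so that a framework bug cannot leave new pages behind outside the expected locations.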