[CentOS] echo 0> /selinux/enforce

Wed Nov 6 17:55:52 UTC 2013
Les Mikesell <lesmikesell at gmail.com>

On Wed, Nov 6, 2013 at 11:01 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>>> SELinux blocks "confined" processes, but usually does not block the
>>> administrator who is running as unconfined_t, and is allowed to do
>>> everything he could do if SELinux was disabled.
>>> Confined processes are targeted to system services. Stuff that is started
>>> at boot versus processes started by a logged in user.
>> Is there a way to configure things so tomcat or other java web containers
>> can unpack the war files used for code deployment and compile/cache jsp
>> code on the fly but not be able to write anything else (like from the
>> several instances of struts vulnerabilities)?
> We can control the directory that an application can write to and directories
> that they can execute.  We can do this at the process level.
> Not sure if we can do what you describe.

The problem is that web developers normally package sites as war files
to deploy/update (basically a zip of the configs/jars/jsps, etc.) and
the servers unpack them directly into the working locations, then
execute them.  Also as jsp pages are hit the first time, they are
compiled into java byte code and cached for repeated executions.  So
unless you do some extra work like  pre-building things on a host that
isn't on line and rsyncing the results over to the live servers, the
running process needs to be able to write in the same location where
it will execute code.   So, things like the vulnerabilities in the
struts framework that let you execute more or less arbitrary code
would let you add new sites or pages to a server that remain even
after a restart.

   Les Mikesell
     lesmikesell at gmail.com