[CentOS] echo 0> /selinux/enforce

Thu Nov 7 13:34:36 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/06/2013 12:55 PM, Les Mikesell wrote:
> On Wed, Nov 6, 2013 at 11:01 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>>>> SELinux blocks "confined" processes, but usually does not block the 
>>>> administrator who is running as unconfined_t, and is allowed to do 
>>>> everything he could do if SELinux was disabled.
>>>> 
>>>> Confined processes are targeted to system services. Stuff that is
>>>> started at boot versus processes started by a logged in user.
>>> 
>>> Is there a way to configure things so tomcat or other java web
>>> containers can unpack the war files used for code deployment and
>>> compile/cache jsp code on the fly but not be able to write anything
>>> else (like from the several instances of struts vulnerabilities)?
>>> 
>> We can control the directory that an application can write to and
>> directories that they can execute.  We can do this at the process level.
>> 
>> Not sure if we can do what you describe.
> 
> The problem is that web developers normally package sites as war files to
> deploy/update (basically a zip of the configs/jars/jsps, etc.) and the
> servers unpack them directly into the working locations, then execute them.
> Also as jsp pages are hit the first time, they are compiled into java byte
> code and cached for repeated executions.  So unless you do some extra work
> like  pre-building things on a host that isn't on line and rsyncing the
> results over to the live servers, the running process needs to be able to
> write in the same location where it will execute code.   So, things like
> the vulnerabilities in the struts framework that let you execute more or
> less arbitrary code would let you add new sites or pages to a server that
> remain even after a restart.
> 
yes that would be a problem.  We have similar problems with python, but ship
the compiled python inside the rpms.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ7luwACgkQrlYvE4MpobOIQwCgh24U3TaDG6i+cGGHap9pwUvy
NlsAniDIcyAUmdGZu3F4U6Raduk83J8b
=UCsW
-----END PGP SIGNATURE-----