* Additions to file_contexts
From: Justin R. Smith @ 2001-10-08 20:02 UTC
  To: selinux

I run Java servlets (using the Jakarta Tomcat engine) from my web site,
so I added the following lines to the setfiles/file_context file, since
servlets are LIKE scripts (sort of):

/var/www/tomcat(|/.*)           system_u:object_r:httpd_user_script_rw_t
/var/www/classes(|/.*)          system_u:object_r:httpd_user_script_rw_t

Note: /var/www/classes is a directory containing classes used by all
servlets and is in the Java CLASSPATH. /var/www/tomcat contains tomcat
and all deployed web applications.

I also had to make my html content writable because my cgi scripts and
servlets frequently write to it. 

In addition, Tomcat likes to compile jsp into servlets and, therefore,
must be able to write to its work directory.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Additions to file_contexts
From: Stephen Smalley @ 2001-10-09 15:34 UTC
  To: Justin R. Smith; +Cc: selinux


On 8 Oct 2001, Justin R. Smith wrote:

> I run Java servlets (using the Jakarta Tomcat engine) from my web site,
> so I added the following lines to the setfiles/file_context file, since
> servlets are LIKE scripts (sort of):
>
> /var/www/tomcat(|/.*)           system_u:object_r:httpd_user_script_rw_t
> /var/www/classes(|/.*)          system_u:object_r:httpd_user_script_rw_t
>
> Note: /var/www/classes is a directory containing classes used by all
> servlets and is in the Java CLASSPATH. /var/www/tomcat contains tomcat
> and all deployed web applications.

Shouldn't you be using the httpd_user_script_t type (or the
httpd_sys_script_t type)?  The httpd_user_script_rw_t type is a type for
files that are readable and writeable by user CGI scripts.  Is that what
you want?

> I also had to make my html content writable because my cgi scripts and
> servlets frequently write to it.
>
> In addition, Tomcat likes to compile jsp into servlets and, therefore,
> must be able to write to its work directory.

Hopefully you can separate the content that should be writeable from the
content that is static, and use different types in order to still protect
some of your content against corruption.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
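
The split suggested in the reply, as an added example that is not part of either message: this Python resolves which type each path receives under the original two entries and under a constructed alternative, then lists the paths that scripts could overwrite. It assumes whole-path regex matching with the last matching entry winning, that a `_rw_t` suffix marks a script-writable type, and that Tomcat's work directory is `/var/www/tomcat/work`; the sample paths are constructed.

```python
import re

# Justin's two entries, verbatim from the thread.
BEFORE = """
/var/www/tomcat(|/.*)           system_u:object_r:httpd_user_script_rw_t
/var/www/classes(|/.*)          system_u:object_r:httpd_user_script_rw_t
"""

# Constructed split: code gets the script type, only the assumed JSP work
# directory (/var/www/tomcat/work) keeps the script-writable type.
AFTER = """
/var/www/tomcat(|/.*)           system_u:object_r:httpd_user_script_t
/var/www/tomcat/work(|/.*)      system_u:object_r:httpd_user_script_rw_t
/var/www/classes(|/.*)          system_u:object_r:httpd_user_script_t
"""

def parse(text):
    """Return [(compiled_regex, type)] for each 'regex ... user:role:type' line."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        specs.append((re.compile(fields[0]), fields[-1].split(":")[2]))
    return specs

def label_of(specs, path):
    """Type for path; assumes whole-path match and that the last match wins."""
    hits = [t for rx, t in specs if rx.fullmatch(path)]
    return hits[-1] if hits else None

def script_writable(specs, paths):
    """Paths whose resolved type ends in _rw_t (assumed naming convention)."""
    return [p for p in paths if (label_of(specs, p) or "").endswith("_rw_t")]

# Constructed sample paths: executed code plus one generated file.
PATHS = [
    "/var/www/tomcat/bin/startup.sh",
    "/var/www/tomcat/webapps/app/WEB-INF/classes/Login.class",
    "/var/www/classes/util/Db.class",
    "/var/www/tomcat/work/app/index_jsp.class",
]

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, script_writable(parse(text), PATHS))
```

With the original entries every sample path, including the shared classes and the Tomcat binaries, resolves to the script-writable type; with the split only the generated file under the work directory does.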



