SELinux 和 Java

Question

Are there any best practices to handle Java applications with SELinux? Is it able to configure SELinux for each Java App or can only the VM be handled because it makes the finale system calls?

Answer 1

If you are asking will Java and SELinux work it depends on how the policy is defined. You will be mostly concerned with what domain the java process is running in, how it got to that domain and what that domain is allowed to do.

A domain is just an SELinux context to see what context/domain a process is running as try the -Z option for ps (ie ps -Z). Likewise for seeing the context of files try the -Z option for ls (ie ls -Z)

You would be interested in looking at the SELinux policy source or using an analysis tool like sesearch or apol (from setools) to see what policy allows and how java got into a particular domain.

From there you would care about fixing/writing the policy which can be an involved process but tools have been written such as SLIDE (eclipse plugin), seedit (though I have no experience with this one) for example.

Answer 2

You can have any number of JVM and any number of versions of JVM as well. You can configure them all independently if you wish.

I would suggest keeping the number of JVMs to around the number of cores you have or less. If you start having hundreds of JVMs it can be difficult to manage and configure.

Answer 3

It's not just the executables you have to worry about, its all the files it touches. This is the REAL power behind SElinux. I oppose turning off this valuable tool. What I have discerned from Redhat's Dan Walsh is that the unconfined_u is going to disappear. Well, that means you have to realign the data files including those in.eclipse in your home directory. I have reduced my main login to staff_u, where I have sudo access but have changed the fcontext to /HOME_DIR/.eclipse(/.*)+ to staff_java_t