tomcat_selinux(8)            SELinux Policy tomcat           tomcat_selinux(8)

NAME

       tomcat_selinux - Security Enhanced Linux Policy for the tomcat processes

DESCRIPTION

       Security-Enhanced Linux secures the tomcat processes via flexible
       mandatory access control.

       The tomcat processes execute with the tomcat_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep tomcat_t

ENTRYPOINTS

       The tomcat_t SELinux type can be entered via the tomcat_exec_t file
       type.

       The default entrypoint paths for the tomcat_t domain are the following:

       /usr/sbin/tomcat(6)?, /usr/libexec/tomcat/server

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       tomcat policy is very flexible allowing users to set up their tomcat
       processes in as secure a method as possible.

       The following process types are defined for tomcat:

       tomcat_t

       Note: semanage permissive -a tomcat_t can be used to make the process
       type tomcat_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. tomcat
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run tomcat with the tightest access possible.

       If you want to allow tomcat to use executable memory and executable
       stack, you must turn on the tomcat_use_execmem boolean. Disabled by
       default.

       setsebool -P tomcat_use_execmem 1

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Disabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea: it probably indicates a badly coded
       executable, but could indicate an attack. Such an executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack. Such an executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1
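       As an added example that is not part of this generated man page, the
       following POSIX sh script compares getsebool -a style output against
       the defaults stated above and marks the booleans that relax memory
       protections when turned on; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the generated man page. Reads `getsebool -a`
# style lines ("name --> on|off") and reports booleans from this page whose
# state differs from the page-stated default, marking the ones that widen
# tomcat's access (executable memory, low mmap) when turned on.

# Defaults exactly as this man page states them (name:default).
TOMCAT_BOOL_DEFAULTS="tomcat_use_execmem:off
daemons_dontaudit_scheduling:on
mmap_low_allowed:off
nis_enabled:off
secure_mode_insmod:off
selinuxuser_execheap:off
selinuxuser_execstack:on"

# Booleans that relax memory protections when on.
RISKY_WHEN_ON="tomcat_use_execmem mmap_low_allowed selinuxuser_execheap selinuxuser_execstack"

# audit_booleans: stdin = getsebool output; stdout = "name current default[ RISK]"
# for every boolean on this page that deviates from its documented default.
audit_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        default=$(printf '%s\n' "$TOMCAT_BOOL_DEFAULTS" |
            awk -F: -v n="$name" '$1 == n { print $2 }')
        [ -n "$default" ] || continue        # boolean not covered by this page
        [ "$state" != "$default" ] || continue
        risk=""
        case " $RISKY_WHEN_ON " in
            *" $name "*) if [ "$state" = "on" ]; then risk=" RISK"; fi ;;
        esac
        printf '%s %s %s%s\n' "$name" "$state" "$default" "$risk"
    done
}

# Constructed sample of getsebool -a output (not from a real host). On a live
# system run: getsebool -a | audit_booleans
SAMPLE='tomcat_use_execmem --> on
daemons_dontaudit_scheduling --> on
mmap_low_allowed --> off
nis_enabled --> on
selinuxuser_execstack --> off
unrelated_boolean --> on'

printf '%s\n' "$SAMPLE" | audit_booleans
```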

MANAGED FILES

       The SELinux process type tomcat_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       file_type

            all files on the system

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux tomcat policy is very flexible allowing users to set up their
       tomcat processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for tomcat. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t tomcat_exec_t '/srv/tomcat/content(/.*)?'
       restorecon -R -v /srv/tomcat/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for tomcat:

       tomcat_cache_t

       - Set files with the tomcat_cache_t type, if you want to store the
       files under the /var/cache directory.

       tomcat_exec_t

       - Set files with the tomcat_exec_t type, if you want to transition an
       executable to the tomcat_t domain.

       Paths:
            /usr/sbin/tomcat(6)?, /usr/libexec/tomcat/server

       tomcat_log_t

       - Set files with the tomcat_log_t type, if you want to treat the data
       as tomcat log data, usually stored under the /var/log directory.

       tomcat_tmp_t

       - Set files with the tomcat_tmp_t type, if you want to store tomcat
       temporary files in the /tmp directories.

       tomcat_unit_file_t

       - Set files with the tomcat_unit_file_t type, if you want to treat the
       files as tomcat unit content.

       tomcat_var_lib_t

       - Set files with the tomcat_var_lib_t type, if you want to store the
       tomcat files under the /var/lib directory.

       Paths:
            /var/lib/tomcat6?(/.*)?, /var/lib/tomcats?(/.*)?

       tomcat_var_run_t

       - Set files with the tomcat_var_run_t type, if you want to store the
       tomcat files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
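       As an added example that is not part of this generated man page, the
       following POSIX sh script reads ls -Z output and reports files whose
       type differs from the default path mappings listed above for
       tomcat_exec_t and tomcat_var_lib_t, i.e. the files restorecon would
       relabel; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the generated man page. Reads `ls -Z` output
# (context followed by name) and reports files whose type differs from the
# default path mappings this page lists for tomcat_exec_t and
# tomcat_var_lib_t, i.e. what restorecon would relabel them to.

# expected_type PATH: print the tomcat type this page maps PATH to, if any.
# The case patterns mirror the page's regexes /usr/sbin/tomcat(6)?,
# /usr/libexec/tomcat/server, /var/lib/tomcat6?(/.*)? and /var/lib/tomcats?(/.*)?.
expected_type() {
    case "$1" in
        /usr/sbin/tomcat|/usr/sbin/tomcat6|/usr/libexec/tomcat/server)
            echo tomcat_exec_t ;;
        /var/lib/tomcat|/var/lib/tomcat6|/var/lib/tomcats)
            echo tomcat_var_lib_t ;;
        /var/lib/tomcat/*|/var/lib/tomcat6/*|/var/lib/tomcats/*)
            echo tomcat_var_lib_t ;;
    esac
}

# check_labels: stdin = lines "user:role:type:level path"; stdout = one line
# "path actual_type expected_type" per mismatch. Paths must be absolute, so
# feed it e.g.: ls -Zd /var/lib/tomcat /var/lib/tomcat/* | check_labels
check_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s' "$ctx" | cut -d: -f3)
        expected=$(expected_type "$path")
        [ -n "$expected" ] || continue       # no tomcat default for this path
        [ "$actual" != "$expected" ] || continue
        printf '%s %s %s\n' "$path" "$actual" "$expected"
    done
}

# Constructed sample of ls -Z output; not from a real host.
SAMPLE='system_u:object_r:tomcat_exec_t:s0 /usr/sbin/tomcat
system_u:object_r:bin_t:s0 /usr/libexec/tomcat/server
system_u:object_r:tomcat_var_lib_t:s0 /var/lib/tomcat/webapps
unconfined_u:object_r:user_home_t:s0 /var/lib/tomcat/webapps/ROOT/index.html
system_u:object_r:var_t:s0 /var/lib/other'

printf '%s\n' "$SAMPLE" | check_labels
```

       A mismatch only shows what the policy would assign; the process also
       still needs DAC permission on the file, as the MANAGED FILES section
       notes.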

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), tomcat(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



tomcat                             23-10-20                  tomcat_selinux(8)