
2.4. SELinux Policies


2.4.1. Default SELinux Policies for an RPM Installation

For each of the RPMs listed in the table below, specific SELinux policies are available. See Section 2.4.1.1, “Compile SELinux Policies” for an example of compiling and installing the Tomcat policy module.
Table 2.1. RPMs and Default SELinux Policies

mod_cluster
  Port information: Two ports, TCP 6666 and UDP 23364, are added to http_port_t so that the httpd process is allowed to use them.
  Policy information: A post-installation script configures the file context mapping for /var/cache/mod_cluster so that the httpd process can write to that location.

tomcat
  Port information: Four TCP ports (8080, 8005, 8009 and 8443) are added to http_port_t so that the httpd process is allowed to use them.
  Policy information: The tomcat<VERSION> policy module is installed. It sets the SELinux domain that the Tomcat process transitions into when it is executed, and it sets the file contexts that allow Tomcat to write to /var/lib/tomcat<VERSION>, /var/log/tomcat<VERSION>, /var/cache/tomcat<VERSION> and /var/run/tomcat<VERSION>.pid.
For more information about using SELinux and other Red Hat Enterprise Linux security information, see the Red Hat Enterprise Linux Security Guide.

2.4.1.1. Compile SELinux Policies

As the root user, you can compile the Tomcat 7 or Tomcat 8 SELinux policy from the sources that the RPM installs.
Prerequisites

Before compiling the SELinux policy, ensure that:

  • The selinux-policy-devel package is installed.
  • Tomcat 7 or Tomcat 8 is installed using the RPM installation method.
Below is an example of compiling and loading the SELinux policy module from the RPM-distributed sources.
Tomcat 7:

# cd /etc/tomcat7/selinux/packages/tomcat7
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted tomcat7 module
/usr/bin/checkmodule:  loading policy configuration from tmp/tomcat7.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/tomcat7.mod
Creating targeted tomcat7.pp policy package
rm tmp/tomcat7.mod tmp/tomcat7.mod.fc

# semodule -i tomcat7.pp

Tomcat 8:

# cd /etc/tomcat8/selinux/packages/tomcat8
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted tomcat8 module
/usr/bin/checkmodule:  loading policy configuration from tmp/tomcat8.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/tomcat8.mod
Creating targeted tomcat8.pp policy package
rm tmp/tomcat8.mod.fc tmp/tomcat8.mod

# semodule -i tomcat8.pp

2.4.2. SELinux Policies for a ZIP Installation

No SELinux configuration is provided or supported as a default for a Red Hat JBoss Web Server ZIP installation. In a ZIP installation, the httpd and Tomcat processes run in the httpd_t or unconfined_java_t domain. Because no policy is shipped for the ZIP layout, these domains do not give the processes the confinement that the RPM policy module provides, so take the following precautions:
  • Always start httpd using the apachectl script, so that the httpd worker processes run as the apache user rather than as root.
  • Restrict file access for the tomcat and apache users to only the files and directories that the JBoss Web Server runtime needs.
  • Do not run Tomcat as the root user.
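The following script is added here as an example and is not part of the Red Hat documentation. It checks a host against Sections 2.4.1 and 2.4.2: that the tomcat<VERSION> module is loaded, that the ports from Table 2.1 are labelled http_port_t, what label the directories from the table currently carry and whether restorecon would change it, and that no httpd or Tomcat process runs as root or in an unconfined domain (the ZIP-install precautions). The parsing helpers take captured command output as a string and are exercised against constructed samples, so they run offline; the run_checks function feeds them live semodule, semanage and ps output. Assumed, and not taken from the page: the TOMCAT_VERSION variable, the helper and sample names, the tomcat_t label used in the constructed ps sample, and that semanage (policycoreutils-python) is installed and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: verify the SELinux state that
# Sections 2.4.1 and 2.4.2 describe. Helpers parse captured command output so they can
# be run offline; run_checks() applies them to the live system.
# Assumptions: semanage/semodule installed (policycoreutils-python), run as root.

TOMCAT_VERSION="${TOMCAT_VERSION:-7}"   # 7 or 8, matching the installed RPM (assumed variable)
MODULE="tomcat${TOMCAT_VERSION}"

# Port labels that Table 2.1 says the RPMs add to http_port_t.
TOMCAT_TCP_PORTS="8080 8005 8009 8443"
MODCLUSTER_TCP_PORTS="6666"
MODCLUSTER_UDP_PORTS="23364"

# module_loaded LISTING NAME: succeed if NAME is the first column of a `semodule -l` line.
module_loaded() {
  printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# ports_missing LISTING PROTO "P1 P2 ...": print the requested ports that the `semanage port -l`
# output LISTING does not map to http_port_t for PROTO. Ranges such as 10001-10010 are honoured.
ports_missing() {
  listing="$1"; proto="$2"; wanted="$3"; missing=""
  # Comma-separated port field of the http_port_t/PROTO line, with spaces stripped.
  field=$(printf '%s\n' "$listing" | awk -v proto="$proto" \
    '$1 == "http_port_t" && $2 == proto { $1 = ""; $2 = ""; print }' | tr -d ' ')
  for p in $wanted; do
    found=0
    for entry in $(printf '%s' "$field" | tr ',' ' '); do
      case "$entry" in
        *-*) lo=${entry%-*}; hi=${entry#*-} ;;
        *)   lo=$entry;      hi=$entry ;;
      esac
      if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || missing="$missing $p"
  done
  printf '%s' "${missing# }"
}

# process_findings PS_OUTPUT: for `ps -eo label,user,args` output, print one line per httpd or
# Tomcat process that breaks a Section 2.4.2 precaution: it runs as root, or it has no confining
# domain (an unconfined_* type, or "-" when SELinux is disabled).
process_findings() {
  printf '%s\n' "$1" | awk '
    NR > 1 && ($3 ~ /httpd$/ || $0 ~ /org\.apache\.catalina/) {
      if ($2 == "root")                        print "root-owned: " $0
      else if ($1 ~ /unconfined/ || $1 == "-") print "unconfined: " $0
    }'
}

# Constructed sample output for the offline checks (not captured from a real host; the
# tomcat_t label on the last ps line is an assumed name, not taken from the page).
SAMPLE_MODULES='abrt 1.2.0
apache 2.4.0
tomcat7 1.0.0'
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      23364'
SAMPLE_PS='LABEL                                  USER   COMMAND
system_u:system_r:httpd_t:s0           apache /usr/sbin/httpd -DFOREGROUND
system_u:system_r:unconfined_java_t:s0 root   /usr/bin/java -classpath /opt/jws/tomcat8/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
system_u:system_r:tomcat_t:s0          tomcat /usr/bin/java -classpath /usr/share/tomcat7/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start'

# run_checks: apply the helpers to the live system; return 1 if anything is off.
run_checks() {
  rc=0
  if module_loaded "$(semodule -l)" "$MODULE"; then
    echo "ok: SELinux module $MODULE is loaded"
  else
    echo "MISSING: module $MODULE not loaded (RPM install: semodule -i ${MODULE}.pp; ZIP install: none is provided)"
    rc=1
  fi
  ports=$(semanage port -l)
  m=$(ports_missing "$ports" tcp "$TOMCAT_TCP_PORTS $MODCLUSTER_TCP_PORTS")
  [ -z "$m" ] && echo "ok: tcp ports labelled http_port_t" || { echo "MISSING tcp http_port_t: $m"; rc=1; }
  m=$(ports_missing "$ports" udp "$MODCLUSTER_UDP_PORTS")
  [ -z "$m" ] && echo "ok: udp ports labelled http_port_t" || { echo "MISSING udp http_port_t: $m"; rc=1; }
  # Paths from Table 2.1: show the current label and whether restorecon would relabel (-n: dry run).
  for d in /var/lib/$MODULE /var/log/$MODULE /var/cache/$MODULE /var/cache/mod_cluster; do
    [ -e "$d" ] && { ls -dZ "$d"; restorecon -nv "$d"; }
  done
  # Section 2.4.2 precautions: no root-owned and no unconfined httpd/Tomcat processes.
  f=$(process_findings "$(ps -eo label,user,args)")
  if [ -n "$f" ]; then printf 'PRECAUTION VIOLATED:\n%s\n' "$f"; rc=1
  else echo "ok: httpd/Tomcat processes are confined and not running as root"; fi
  return $rc
}

# Run the live checks only where the SELinux tools exist; the helpers work anywhere.
if command -v semodule >/dev/null 2>&1 && command -v semanage >/dev/null 2>&1; then
  run_checks
else
  echo "semodule/semanage not found; live checks skipped" >&2
fi
```

On a default RHEL host, 8080 is mapped to http_cache_port_t rather than http_port_t, which is why the constructed sample reports it as missing: the check deliberately counts only http_port_t, the type the page says the RPMs use, and a port mapped to another type still fails. On a ZIP installation the module and port checks are expected to report missing entries; the process_findings output is the part that matters there.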