How to construct SELinux rules for a Glassfish server

Posted by tronda on Server Fault See other posts from Server Fault or by tronda
Published on 2011-11-17T08:38:16Z Indexed on 2011/11/17 9:56 UTC
Read the original article Hit count: 702

Filed under:
|
|
|
|

I'm running Glassfish 3.1 on a CentOS 6 solution and by default SELinux is enabled. I have installed Sun's JDK version 1.6.0_29 on the server and extracted the Glassfish 3.1.1 to /opt/glassfish-3.1.1 with a link /opt/glassfish pointing to the latest Glassfish version. I've also created a system user named glassfish with a home directory /home/glassfish.

When running with SELinux enabled I get all sorts of errors. For instance I'm not able to create the domain. I kind of like the concept of SELinux, and would like to be able to have SELinux enabled. I have the following requirements for the Glassfish server:

  • Listening to port 8080 and 8081
  • Other ports 7676: JMS 8686: JMX monitoring, 4848: Admin console
  • Forwarding from apache to Glassfish through mod_jk and port 8009
  • Starting OpenMQ as an separate process which listens to 7676 and it's JMX monitoring port 7776
  • Able to read and write files at a specified area (different from home directory)
  • Able to use /tmp/ for temporary files

I am aware of the audit2allow tool when running in permissive mode, but I struggle with understanding the rules that is generated from this tool, and thought that setting up these rule manually the first time would help me understand the SELinux rules better than the simplistic examples that I've seen so far.

Can someone with SELinux experience help me form these SELinux rules with comments describing each part of the rules?

© Server Fault or respective owner

Related posts about security

Related posts about centos