How to construct SELinux rules for a Glassfish server
- by tronda
I'm running Glassfish 3.1 on a CentOS 6 solution and by default SELinux is enabled. I have installed Sun's JDK version 1.6.0_29 on the server and extracted the Glassfish 3.1.1 to /opt/glassfish-3.1.1 with a link /opt/glassfish pointing to the latest Glassfish version. I've also created a system user named glassfish with a home directory /home/glassfish.
When running with SELinux enabled I get all sorts of errors. For instance I'm not able to create the domain. I kind of like the concept of SELinux, and would like to be able to have SELinux enabled. I have the following requirements for the Glassfish server:
Listening on ports 8080 and 8081
Other ports: 7676 (JMS), 8686 (JMX monitoring), 4848 (admin console)
Forwarding from Apache to Glassfish through mod_jk and port 8009
Starting OpenMQ as a separate process which listens on 7676 and its JMX monitoring port 7776
Able to read and write files at a specified area (different from home directory)
Able to use /tmp/ for temporary files
I am aware of the audit2allow tool when running in permissive mode, but I struggle with understanding the rules that are generated by this tool, and thought that setting up these rules manually the first time would help me understand the SELinux rules better than the simplistic examples that I've seen so far.
Can someone with SELinux experience help me form these SELinux rules with comments describing each part of the rules?
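The following is an added example of a small SELinux type-enforcement module, written here to illustrate the parts of a rule set for the requirements listed above; it is not code from the original post or from the Glassfish project. It assumes the reference-policy macros shipped with CentOS 6 (policy_module, corenet_port, files_type), a data area at /srv/glassfish (a placeholder path), and that the Java process runs in an unconfined domain (unconfined_t from a login shell, or initrc_t from an init script under the targeted policy), so the only process-level rule it needs is the one letting Apache's mod_jk reach the AJP port. The type names glassfish_port_t and glassfish_data_t are chosen for the example.

```selinux
# glassfish.te  -  minimal loadable module (added example; names are assumptions)
policy_module(glassfish, 1.0.0)

########################################
#
# Declarations
#
# Types from the base policy that this module refers to but does not own.
# If the base policy lacks any of them, loading the module fails instead
# of silently granting nothing.
require {
	type httpd_t;
}

# A dedicated port type for the Glassfish listeners (8080, 8081, 4848,
# 8686, 8009, and OpenMQ's 7676/7776).  The port numbers are bound to
# this type with semanage at install time (see the end of this file),
# because a loadable module cannot carry portcon statements.  One named
# type lets every rule say "Glassfish ports" instead of "any port".
type glassfish_port_t;
corenet_port(glassfish_port_t)

# A dedicated file type for the read/write data area outside the home
# directory.  files_type() registers it as an ordinary file label so
# unconfined domains and the labelling tools treat it normally.
type glassfish_data_t;
files_type(glassfish_data_t)

########################################
#
# Rules
#
# mod_jk inside Apache (domain httpd_t) opens outbound TCP connections
# to the AJP listener on 8009.  The permission SELinux checks for an
# outbound connect to a labelled port is name_connect on class
# tcp_socket; granting it only for glassfish_port_t is narrower than
# enabling the httpd_can_network_connect boolean for every port.
allow httpd_t glassfish_port_t:tcp_socket name_connect;

# No rules are needed here for the Java process itself while it runs in
# an unconfined domain; confirm which domain that is with
# "ps -eZ | grep java".  If it is later confined, the same pattern
# applies: name_bind on glassfish_port_t for the listeners, manage
# permissions on glassfish_data_t for the data area, and the
# files_manage_generic_tmp_files()/files_manage_generic_tmp_dirs()
# interfaces for /tmp.

########################################
#
# Build, install, and verify (run as root; paths are assumptions)
#
#   make -f /usr/share/selinux/devel/Makefile glassfish.pp
#   semodule -i glassfish.pp
#
#   # Bind the listener ports to the new type.  "semanage port -a"
#   # fails with "already defined" for ports the base policy labels
#   # (8080 and 8009 usually are); check "semanage port -l | grep 80"
#   # first and use -m for those.
#   for p in 8081 4848 8686 7676 7776; do
#       semanage port -a -t glassfish_port_t -p tcp $p
#   done
#   semanage port -m -t glassfish_port_t -p tcp 8080
#   semanage port -m -t glassfish_port_t -p tcp 8009
#
#   # Register and apply the label for the data area.
#   semanage fcontext -a -t glassfish_data_t "/srv/glassfish(/.*)?"
#   restorecon -Rv /srv/glassfish
#
#   # Confirm the allow rule is loaded, then watch for remaining denials.
#   sesearch -A -s httpd_t -t glassfish_port_t -c tcp_socket
#   ausearch -m avc -ts recent
```

The module deliberately keeps ports and files as named types rather than reusing http_port_t or a generic file label: a later audit2allow run then produces rules in terms of glassfish_port_t and glassfish_data_t, which are far easier to read than rules against broad built-in types, and each remaining denial in ausearch maps to exactly one missing allow line.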