SELinux and Java
Are there any best practices for handling Java applications with SELinux?
Is it possible to configure SELinux for each Java app, or can only the VM be handled, because it is the one that makes the final system calls?
If you are asking whether Java and SELinux will work, it depends on how the policy is defined. You will be mostly concerned with what domain the java process is running in, how it got to that domain and what that domain is allowed to do.
A domain is just an SELinux context. To see what context/domain a process is running as, try the -Z option for ps (i.e. ps -Z). Likewise, to see the context of files, try the -Z option for ls (i.e. ls -Z).
You would be interested in looking at the SELinux policy source or using an analysis tool like sesearch or apol (from setools) to see what the policy allows and how java got into a particular domain.
From there you would care about fixing/writing the policy, which can be an involved process, but tools have been written for this, such as SLIDE (an Eclipse plugin) and seedit (though I have no experience with this one).
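The workflow in this answer, as an added example that is not part of the original answer: a POSIX shell script that pulls the domain of every running java process out of ps -eZ output and then asks the policy, through setools' sesearch, how that domain is entered and what it may do. The ps output embedded in it is a constructed sample (the PIDs and the domains staff_java_t and tomcat_t are illustrative assumptions), so the parsing part runs anywhere; the sesearch queries execute only where setools is installed and use the setools 4 flag spelling.

```shell
#!/bin/sh
# Added example, not from the original answer: find which SELinux domain each
# running java process is in, then query the loaded policy about that domain.
# The ps -eZ output below is a CONSTRUCTED sample (columns assumed to be
# LABEL PID TTY TIME CMD, as ps -eZ prints on Fedora/RHEL), so the parsing
# runs anywhere; the sesearch calls only run where setools is installed.

SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
staff_u:staff_r:staff_t:s0         2140 pts/0    00:00:00 bash
staff_u:staff_r:staff_java_t:s0    2311 pts/0    00:01:12 java
system_u:system_r:tomcat_t:s0      2420 ?        00:03:41 java
unconfined_u:unconfined_r:unconfined_t:s0 2501 pts/1 00:00:00 vim'

# Type (third field of user:role:type:level) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ps -eZ output on stdin; print "PID TYPE" for each process whose command
# name is exactly "java".  Two JVMs may legitimately sit in two different
# domains, as in the sample, and each one has to be examined separately.
java_domains() {
    awk 'NR > 1 && $NF == "java" { split($1, c, ":"); print $2, c[3] }'
}

# Ask the policy (setools 4 sesearch flags: -A allow rules, -T type
# transitions, -D default type of the transition, -s source, -t target,
# -c class, -p permission) how a domain is entered and what it may do.
# Without sesearch the queries are only shown, so the script stays usable offline.
policy_queries_for() {
    domain="$1"
    if command -v sesearch >/dev/null 2>&1; then
        # Which executable types are entrypoints into this domain ...
        sesearch -A -s "$domain" -c file -p entrypoint
        # ... and which source domains transition into it through them.
        sesearch -T -D "$domain" -c process
        # A first look at reach: file writes and outbound TCP connects.
        sesearch -A -s "$domain" -c file -p write
        sesearch -A -s "$domain" -c tcp_socket -p name_connect
    else
        echo "sesearch not installed; on the target host run:"
        echo "  sesearch -A -s $domain -c file -p entrypoint"
        echo "  sesearch -T -D $domain -c process"
        echo "  sesearch -A -s $domain -c file -p write"
        echo "  sesearch -A -s $domain -c tcp_socket -p name_connect"
    fi
}

# Real usage: replace the constructed sample with `ps -eZ | java_domains`.
printf '%s\n' "$SAMPLE_PS" | java_domains | while read -r pid dom; do
    echo "== java pid $pid runs in domain $dom"
    policy_queries_for "$dom"
done
```

The entrypoint query answers the "how did it get there" half of the question: the executable types it lists are the only files that can carry a transition into that domain, and the type_transition rules with that domain as the default type show which source domains make the jump. Narrow the -c/-p filters from there to map out what the domain can actually reach.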
You can have any number of JVMs and any number of JVM versions as well. You can configure them all independently if you wish.
I would suggest keeping the number of JVMs to around the number of cores you have, or less. If you start having hundreds of JVMs it can be difficult to manage and configure them.
It's not just the executables you have to worry about, it's all the files they touch. This is the REAL power behind SELinux. I oppose turning off this valuable tool. What I have discerned from Red Hat's Dan Walsh is that unconfined_u is going to disappear. Well, that means you have to realign the data files, including those in .eclipse in your home directory. I have reduced my main login to staff_u, where I have sudo access, but have changed the fcontext of /HOME_DIR/.eclipse(/.*)+ to staff_java_t.
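The relabeling step this comment describes, as an added example that is not part of the original comment: the semanage fcontext and restorecon calls that persist and apply a staff_java_t label to a user's .eclipse tree, plus a check of what a candidate file-context regex matches before it is committed. The home directory /home/alice and the presence of staff_java_t in the loaded policy are assumptions. The two regex spellings exercised at the end differ in one way worth knowing: with (/.*)? the pattern also matches the .eclipse directory entry itself, with (/.*)+ only the entries beneath it.

```shell
#!/bin/sh
# Added example, not from the original comment: label a user's .eclipse tree
# as staff_java_t and check what a file-context regex really covers before
# committing it.  Assumptions: user "alice", staff_java_t present in the
# loaded policy, and root for semanage/restorecon on a real system.

# Full-string match, as the SELinux file-context matcher treats patterns
# (anchored at both ends).  Exit 0 on match, 1 otherwise.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^${1}\$"
}

# Persist the rule (so a future full relabel keeps it) and apply it to disk.
# Guarded so the script is harmless where semanage is absent.
relabel_eclipse() {
    home="$1"
    type_="$2"
    rule="$home/\\.eclipse(/.*)?"
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t "$type_" "$rule"
        restorecon -Rv "$home/.eclipse"
        ls -Zd "$home/.eclipse"            # expect ...:staff_java_t:s0
    else
        echo "would run: semanage fcontext -a -t $type_ '$rule'"
        echo "would run: restorecon -Rv $home/.eclipse"
    fi
}

# Compare the two candidate spellings on the directory entry itself.
optional='/home/alice/\.eclipse(/.*)?'
required='/home/alice/\.eclipse(/.*)+'
for p in "$optional" "$required"; do
    if fcontext_matches "$p" /home/alice/.eclipse; then
        echo "$p matches /home/alice/.eclipse itself"
    else
        echo "$p matches only entries beneath /home/alice/.eclipse"
    fi
done

relabel_eclipse /home/alice staff_java_t
```

After restorecon, confirm with ls -Zd on the directory and ls -Z on a file inside it; if the JVM still gets denied, the audit log will name the remaining path that the pattern did not cover.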