Are there any best practices for handling Java applications with SELinux? Is it possible to configure SELinux for each Java app, or can only the VM be handled because it makes the final system calls?

thanks

+1  A: 

You can have any number of JVMs and any number of versions of the JVM as well. You can configure them all independently if you wish.

I would suggest keeping the number of JVMs to around the number of cores you have or less. If you start having hundreds of JVMs it can be difficult to manage and configure.

Peter Lawrey
+1  A: 

If you are asking whether Java and SELinux will work, it depends on how the policy is defined. You will be mostly concerned with what domain the java process is running in, how it got to that domain and what that domain is allowed to do.

A domain is just an SELinux context. To see what context/domain a process is running as, try the -Z option for ps (i.e. ps -Z). Likewise, for seeing the context of files, try the -Z option for ls (i.e. ls -Z).

You would be interested in looking at the SELinux policy source or using an analysis tool like sesearch or apol (from setools) to see what the policy allows and how java got into a particular domain.

From there you would care about fixing/writing the policy, which can be an involved process, but tools have been written for it, for example SLIDE (an Eclipse plugin) and seedit (though I have no experience with this one).

rev
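
As an added example (not part of either answer), the domain check described in the second answer can be scripted: the functions below read `ps -eZ` output and report which domain each JVM runs in, listing those that have no dedicated domain. The sample output is constructed, `myapp_t` is a hypothetical custom domain, and the two unconfined type names assume the Fedora/RHEL targeted policy.

```shell
#!/bin/sh
# Constructed `ps -eZ` output so the example runs offline.
# myapp_t is a hypothetical domain written for one Java application.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2211 pts/0 00:00:00 bash
system_u:system_r:myapp_t:s0       1432 ?        00:01:10 java
system_u:system_r:unconfined_service_t:s0 1890 ? 00:00:40 java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2305 pts/0 00:00:05 java'

# Print "PID TYPE" for every process whose command name is java.
# A context is user:role:type:level, and the level may itself contain
# colons (s0-s0:c0.c1023), so take the third field, never the last one.
java_domains() {
    awk 'NR > 1 && $NF == "java" { split($1, ctx, ":"); print $2, ctx[3] }'
}

# Print the PIDs of JVMs running without a dedicated domain
# (type names assumed from the Fedora/RHEL targeted policy).
unconfined_java() {
    java_domains |
        awk '$2 == "unconfined_t" || $2 == "unconfined_service_t" { print $1 }'
}

# On a live system, replace the printf with: ps -eZ
echo "PID and domain of each JVM:"
printf '%s\n' "$SAMPLE_PS" | java_domains
echo "JVMs in an unconfined domain:"
printf '%s\n' "$SAMPLE_PS" | unconfined_java
```

Each JVM process carries its own context, so two Java applications started through different domain transitions show up here with different types even though both run the same `java` binary.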