Introduction
SELinux is an extension to the Linux kernel that provides elaborated access control and support for security policies.
- For compliance with SELinux users should consider use of specific directories for operation of Controller, Agent and JOC Cockpit.
- SELinux suggests the following locations for storing PID files and log files:
  - Log files: /var/log
  - PID files: /var/run
- There is no need to use specific SELinux security policies, as the JS7 components can be operated in compliance with the standard SELinux security policies.
Controller
The location of directories used for the Controller is specified with the Controller Start Script controller_instance.sh.
- For details about the Controller Start Script see JS7 - Controller - Command Line Operation
- For general installation instructions see JS7 - Controller - Headless Installation on Linux and Windows
For SELinux compliance the following settings in the controller_instance.sh script have to be adjusted, see chapter Controller Environment Variables:

| | Environment Variable | Default Value | SELinux compliant Value | Notes |
|---|---|---|---|---|
| Log Files | JS7_CONTROLLER_LOGS | $JS7_CONTROLLER_DATA/logs | /var/log/controller | The sub-directory controller has to be created and assigned permissions for write access by the Controller's run-time account. |
| PID File | | $JS7_CONTROLLER_LOGS | /var/run/controller | The sub-directory controller has to be created and assigned permissions for write access by the Controller's run-time account. |
Agent
The location of directories used for the Agent is specified with the Agent Start Script agent_<port>.sh, with <port> being the HTTP port that the Agent is operated for.
- For details about the Agent Start Script see JS7 - Agent Command Line Operation
- For general installation instructions see JS7 - Agent - Headless Installation on Unix and Windows
For SELinux compliance the following settings in the agent_<port>.sh script have to be adjusted, see chapter Agent Environment Variables:

| | Environment Variable | Default Value | SELinux compliant Value | Notes |
|---|---|---|---|---|
| Log Files | JS7_AGENT_LOGS | $JS7_AGENT_DATA/logs | /var/log/agent | The sub-directory agent has to be created and assigned permissions for write access by the Agent's run-time account. |
| PID File | | $JS7_AGENT_LOGS | /var/run/agent | The sub-directory agent has to be created and assigned permissions for write access by the Agent's run-time account. |
JOC Cockpit
The location of SELinux related directories is determined by the JOC Cockpit installer.
FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.0
- For details about the Agent Start Script see JS7 - JOC Cockpit - Command Line Operation
- For general installation instructions see
Users have to perform installation of JOC Cockpit on Unix systems from a user account that can acquire root permissions:

# login as the user account (not as root)
./setup.sh joc_install.xml
Explanation:
- The installer will use sudo to acquire root permissions. Execution of the above command by the root account is denied.
- Files in the installation directory will be owned by the root account, files in the data directory will be owned by the JOC Cockpit run-time account.
- Location of log files
  - The installer will try to look up the /var/log directory:
    - If the directory is available then
      - the /var/log/sos-berlin.com/js7/joc directory will be created and will be assigned read/write permissions for the JOC Cockpit run-time account.
      - the $JETTY_BASE/logs symlink will be created that points to the /var/log/sos-berlin.com/js7/joc directory.
    - If the directory is not available then log files will be written to the $JETTY_BASE/logs directory.
  - Alternative configuration
    - Users can manually create the $JETTY_BASE/logs symlink that points to the directory where log files should be stored. The directory should offer read/write permissions to the JOC Cockpit run-time account.
- Location of the PID file
  - The installer will try to look up the /var/run directory. If this is not available then it will look up the /usr/var/run directory.
    - If the directory is available then the /var/run/joc directory or the /usr/var/run/joc directory will be created and will be assigned read/write permissions for the JOC Cockpit run-time account.
    - If the directory is not available then the PID file will be written to the $JETTY_BASE/joc.pid file.
  - Alternative configuration
    - The installer will create the ~/.jocrc file in the home directory of the JOC Cockpit run-time account.
    - The JETTY_RUN environment variable can be added to this file; it is assigned the directory to which the PID file will be written. The directory should offer read/write permissions to the JOC Cockpit run-time account.
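The directory preparation required by the Controller and Agent tables and the PID directory lookup described for the JOC Cockpit installer, as an added shell example that is not part of the JS7 scripts or installer. The optional prefix argument, the run-time account name js7ctrl and the scratch tree used for testing are assumptions; on a real host the prefix is left empty and the commands run with root permissions.

```shell
#!/bin/sh
# Added example, not JS7 project code. Prepares the SELinux-compliant
# log/PID sub-directories from the tables above and resolves the PID
# directory the way the JOC Cockpit installer is described to do.
# Assumption: the optional <prefix> argument roots all paths in a scratch
# tree for testing; on a real system it is omitted (empty).

# js7_prepare_dir <base> <component> <owner> [prefix]
# Creates <base>/<component> (e.g. /var/log/controller), hands it to the
# component's run-time account and restricts it to mode 0750 (owner has
# read/write, group read-only, no world access). Fails if the standard
# base directory is missing on this host instead of silently creating it.
js7_prepare_dir() {
  base="$1"; comp="$2"; owner="$3"; prefix="${4:-}"
  dir="${prefix}${base}/${comp}"
  [ -d "${prefix}${base}" ] || { echo "js7_prepare_dir: ${base} not found" >&2; return 1; }
  mkdir -p "$dir" || return 1
  chown "$owner" "$dir" || return 1
  chmod 0750 "$dir"
}

# js7_joc_pid_location <jetty_base> [prefix]
# Prints where the JOC Cockpit PID file goes: /var/run/joc if /var/run
# exists, otherwise /usr/var/run/joc, otherwise the $JETTY_BASE/joc.pid file.
js7_joc_pid_location() {
  jetty_base="$1"; prefix="${2:-}"
  if [ -d "${prefix}/var/run" ]; then
    echo "${prefix}/var/run/joc"
  elif [ -d "${prefix}/usr/var/run" ]; then
    echo "${prefix}/usr/var/run/joc"
  else
    echo "${jetty_base}/joc.pid"
  fi
}

# Usage on a real host, e.g. for a Controller running under the assumed
# account js7ctrl (afterwards set JS7_CONTROLLER_LOGS=/var/log/controller
# in controller_instance.sh as listed in the Controller table):
#   js7_prepare_dir /var/log controller js7ctrl
#   js7_prepare_dir /var/run controller js7ctrl
```

Because the parent directory check fails rather than creating /var/log or /var/run, a host that lacks the standard location falls back to the component's data directory defaults instead of ending up with an unlabelled directory tree.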