Skip to end of metadata
Go to start of metadata

Introduction

SELinux is an extension to the Linux kernel that provides elaborated access control and support for security policies.

  • For compliance with SELinux users should consider use of specific directories for operation of Controller, Agent and JOC Cockpit.
  • SELinux suggests the following locations for storing PID files and log files:
    • Log files: /var/log
    • PID files: /var/run
  • There is no need using specific SELinux security policies as the JS7 components can be operated in compliance with standard SELinux security policies.

Controller

The location of directories used for the Controller is specified with the Controller Start Script controller_instance.sh.

For SELinux compliance the following settings in the controller_instance.sh script have to be adjusted, see chapter Controller Environment Variables::


Environment Variable Default ValueSELinux compliant ValueNotes
Log FilesJS7_CONTROLLER_LOGS$JS7_CONTROLLER_DATA/logs/var/log/controllerThe sub-directory controller has to be created and assigned permissions for write access by the Controller's run-time account.
PID File

JS7_CONTROLLER_PID_FILE_DIR

$JS7_CONTROLLER_LOGS/var/run

JS7_CONTROLLER_PID_FILE_NAMEcontroller.pid
If a common directory such as /var/run is used then users might choose a more speaking name for the Controller's PID file.

Agent

The location of directories used for the Agent is specified with the Agent Start Script agent_<port>.sh with <port> being the HTTP port that the Agent is operated for.

For SELinux compliance the following settings in the agent_<port>.sh script have to be adjusted, see chapter Agent Environment Variables:


Environment Variable Default ValueSELinux compliant ValueNotes
Log FilesJS7_AGENT_LOGS$JS7_AGENT_DATA/logs/var/log/agentThe sub-directory agent has to be created and assigned permissions for write access by the Agent's run-time account.
PID File

JS7_AGENT_PID_FILE_DIR

$JS7_AGENT_LOGS/var/run

JS7_AGENT_PID_FILE_NAMEagent.pid
If a common directory such as /var/run is used then users might choose a more speaking name for the Agent's PID file.

JOC Cockpit

The location of SELinux related directories is determined by the JOC Cockpit installer.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.0

Users have to perform installation of JOC Cockpit on Unix systems from a user account that can acquire root permissions:

Starting headless installation of the JOC Cockpit on Unix systems with root permissions
# login as the user account (not as root)
./setup.sh joc_install.xml


Explanation:

  • The installer will use sudo to acquire root permissions. Execution of the above command by the root account is denied.
  • Files in the installation directory will be owned by the root account, Files in the data directory will be owned by the JOC Cockpit run-time account.
  • Location of log files
    • The installer will try to look up the /var/log directory:
      • If the directory is available then
        • the/var/log/sos-berlin.com/js7/joc directory will be created and will be assigned read/write permissions for the JOC Cockpit run-time account.
        • the $JETTY_BASE/logs symlink will be created that points to the /var/log/sos-berlin.com/js7/joc directory.
      • If the directory is not available then log files will be written to the $JETTY_BASE/logs directory.
    • Alternative configuration
      • Users can manually create the $JETTY_BASE/logs symlink that points to the directory where log files should be stored. The directory should offer read/write permissions to the JOC Cockpit run-time account.
  • Location of the PID file
    • The installer will check the JOC Cockpit's run-time account using the following precedence:
      • The run-time account can be specified with the <entry key="runningUser" value=""/> setting in the joc_install.xml response file during installation.
      • The run-time account is identified from the account running the installer.
    • If JOC Cockpit's run-time account is identified to be
      • the root account then the installer will check if the /var/run directory is writeable to the JOC Cockpit's run-time account and otherwise it will look up the /usr/var/run directory and finally the JETTY_BASE directory.
      • a non-root account then the PID file will be written to the JETTY_BASE directory.
      • JOC Cockpit will write the joc.pid file to the respective directory.
    • Alternative configuration
      • The installer will create the ~/.jocrc file in the home directory of JOC Cockpit's run-time account.
      • This file can be added
        • the JETTY_RUN environment variable that is assigned the directory to which the joc.pid PID file will be written. The directory should offer read/write permissions to the JOC Cockpit's run-time account.
        • the JETTY_PID environment variable that holds an individual path to the PID file, for example /var/run/js7_joc.pid.
      • Consider that use of sub-directories to /var/run is discouraged as this is an ephemeral directory that is reverted on server start-up.
      • Consider to check the JETTY_HOME/jetty/bin/joc.service systemd Service File template that is created by the installer and that has to reflect modifications of the PID file location applied after installation. For details see JS7 - systemd Service Files for automated Startup and Shutdown with Unix Systems.



  • No labels