Introduction

SELinux is an extension to the Linux kernel that provides elaborated access control and support for security policies.

For compliance with SELinux users should consider use of specific directories for operation of Controller, Agent and JOC Cockpit.
SELinux suggests the following locations for storing PID files and log files:
- Log files: /var/log
- PID files: /var/run
There is no need using specific SELinux security policies as the JS7 components can be operated in compliance with standard SELinux security policies.

Controller

The location of directories used for the Controller is specified with the Controller Start Script controller_instance.sh.

For details about the Controller Start Script see JS7 - Controller - Command Line Operation
For general installation instructions see JS7 - Controller - Headless Installation on Linux and Windows

For SELinux compliance the following settings in the controller_instance.sh script have to be adjusted, see chapter Controller Environment Variables::

	Environment Variable	Default Value	SELinux compliant Value	Notes
Log Files	`JS7_CONTROLLER_LOGS`	`$JS7_CONTROLLER_DATA/logs`	`/var/log/controller`	The sub-directory `controller` has to be created and assigned permissions for write access by the Controller's run-time account.
PID File	`JS7_CONTROLLER_PID_FILE_DIR`	`$JS7_CONTROLLER_LOGS`	`/var/run`

Agent

The location of directories used for the Agent is specified with the Agent Start Script agent_<port>.sh with <port> being the HTTP port that the Agent is operated for.

For details about the Agent Start Script see JS7 - Agent Command Line Operation
For general installation instructions see JS7 - Agent - Headless Installation on Unix and Windows

For SELinux compliance the following settings in the agent_<port>.sh script have to be adjusted, see chapter Agent Environment Variables:

	Environment Variable	Default Value	SELinux compliant Value	Notes
Log Files	`JS7_AGENT_LOGS`	`$JS7_AGENT_DATA/logs`	`/var/log/agent`	The sub-directory `agent` has to be created and assigned permissions for write access by the Agent's run-time account.
PID File	`JS7_AGENT_PID_FILE_DIR`	`$JS7_AGENT_LOGS`	`/var/run`

JOC Cockpit

The location of SELinux related directories is determined by the JOC Cockpit installer.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.0

For details about the Agent Start Script see JS7 - JOC Cockpit - Command Line Operation
For general installation instructions see
- JS7 - JOC Cockpit - Headless Installation on Linux and Windows
- JS7 - JOC Cockpit - Installation Using the Graphical Installer for Linux and Windows

Users have to perform installation of JOC Cockpit on Unix systems from a user account that can acquire root permissions:

Starting headless installation of the JOC Cockpit on Unix systems with root permissions

# login as the user account (not as root)
./setup.sh joc_install.xml

Explanation:

The installer will use sudo to acquire root permissions. Execution of the above command by the root account is denied.
Files in the installation directory will be owned by the root account, Files in the data directory will be owned by the JOC Cockpit run-time account.
Location of log files
- The installer will try to look up the /var/log directory:
  - If the directory is available then
    - the/var/log/sos-berlin.com/js7/joc directory will be created and will be assigned read/write permissions for the JOC Cockpit run-time account.
    - the $JETTY_BASE/logs symlink will be created that points to the /var/log/sos-berlin.com/js7/joc directory.
  - If the directory is not available then log files will be written to the $JETTY_BASE/logs directory.
- Alternative configuration
  - Users can manually create the $JETTY_BASE/logs symlink that points to the directory where log files should be stored. The directory should offer read/write permissions to the JOC Cockpit run-time account.
Location of the PID file
- The installer will check the JOC Cockpit's run-time account using the following precedence:
  - The run-time account can be specified with the <entry key="runningUser" value=""/> setting in the joc_install.xml response file during installation.
  - The run-time account is identified from the account running the installer.
- If JOC Cockpit's run-time account is identified
  - to be the root account then the installer will check if the /var/run directory is writeable to the JOC Cockpit's run-time account and otherwise it will look up the /usr/var/run directory and finally the JETTY_BASE directory.
  - to be a non-root account then the PID file will be written to the JETTY_BASE directory.
- Alternative configuration
  - The installer will create the ~/.jocrc file in the home directory of JOC Cockpit's run-time account.
  - This file can be added the JETTY_RUN environment variable that is assigned the directory to which the PID file will be written. The directory should offer read/write permissions to the JOC Cockpit's run-time account.
  - Consider that use of sub-directories to /var/run is discouraged as this is an ephemeral directory that is reverted on server start-up.
  - Consider to check the JETTY_HOME/jetty/bin/joc.service systemd Service File template that is created by the installer and that has to reflect modifications of the PID file location applied after installation.

Space shortcuts

Page tree

Introduction

Controller

Agent

JOC Cockpit

Space shortcuts

Page tree

JS7 - How to install for SELinux

Introduction

Controller

Agent

JOC Cockpit