How do I configure SELinux unconfined state to confined for processes? [closed]

asked 2014-08-13 08:11:03 -0500

this post is marked as community wiki

Hi,

I am a beginner in SELinux. Please don't mind if you find this question silly, but I am stuck in SELinux. Here is my query:

How do I configure SELinux unconfined state to confined for processes?

Please suggest.

Closed for the following reason: question is off-topic or not relevant, by randomuser
close date 2014-08-14 11:30:00.020843

Comments

What exactly do you want to achieve? You can set the desired SELinux label for the process binary file using chcon; e.g.: chcon <SELINUX_CONTEXT> /path/to/binary/file, where <SELINUX_CONTEXT> is the desired SELinux context.

However, it works if there is already a suitable context for the binary, in which case the binary should already have that label. If you want to create a new context for your custom application, you should learn how to write SELinux policies so that you can define a policy for the new context.

hedayat ( 2014-08-13 12:00:51 -0500 )

Many applications have a predefined policy set that you only need to turn on, or apply a context to the files they use. Tell us specifically what processes you are having trouble with.

randomuser ( 2014-08-13 17:39:03 -0500 )

We are running RHEL 6.5. We need to configure some applications to a confined state in SELinux. Presently java and jboss are in an unconfined state in SELinux; we want to put them in a confined state. Kindly suggest how to do it.

rums_tm ( 2014-08-14 01:19:01 -0500 )

@hedayat - Perfect! (Everyone really appreciates your answers, so please convert to answer.) @rums_tm, do you mean applications or processes? BTW, RHEL != Fedora :P

abadrinath ( 2014-08-14 02:57:29 -0500 )

@hello Thanks, that's kind of you. I'm still unsure what @rums_tm wants.

@rums_tm What is their current SELinux label now (ls -Z output for them)? And what exactly do you want to achieve? Are you sure that they are 'unconfined' right now? Notice that SELinux is an "everything is denied by default unless permitted" system.

hedayat ( 2014-08-14 06:43:24 -0500 )
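
The check asked for in the last comment (are the processes really unconfined right now?), as an added example that is not part of the original thread: it reads text in ps -eZ format and reports processes whose domain type is in a list of unconfined types. The list (unconfined_t, initrc_t, unconfined_service_t), the function names and the sample rows are assumptions made for this example; adjust the list to the loaded policy.

```shell
#!/bin/sh
# Added example: report processes that run in an unconfined SELinux domain.
# Input: text in `ps -eZ` format on stdin (LABEL PID TTY TIME CMD).

# Domain types treated as unconfined (assumption; adjust to your policy).
UNCONFINED_TYPES="unconfined_t initrc_t unconfined_service_t"

# Prints "PID TYPE CMD" for every process whose type is in the list above.
find_unconfined() {
    awk -v types="$UNCONFINED_TYPES" '
        BEGIN {
            n = split(types, t, " ")
            for (i = 1; i <= n; i++) want[t[i]] = 1
        }
        NR == 1 && $1 == "LABEL" { next }   # skip the header row
        {
            # A context is user:role:type[:level]; the type is field 3.
            # With SELinux disabled the label is "-" and nothing matches.
            split($1, ctx, ":")
            if (ctx[3] in want) print $2, ctx[3], $5
        }'
}

# Constructed sample resembling `ps -eZ` output (not from a real host).
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0     1890 ?        00:00:02 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2412 pts/0 00:00:00 bash
system_u:system_r:initrc_t:s0    3021 ?        00:01:10 java
EOF
}

# On a live system: ps -eZ | find_unconfined
# Offline demonstration on the constructed sample:
sample_ps | find_unconfined
```

A process listed here has no dedicated domain of its own; ls -Z on its binary shows the file label that a policy would have to match before the process could transition into a confined domain.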