Does anyone have a (partial?) policy for Tomcat on SELinux “strict”? It’s definitely something I’d like to confine; however, Java needs tons of permissions. Multiple ports, execmem, log files, FIFOs, on-demand extracted webapps and so on. :-(

Has anyone started on writing a policy for this beast? If there is actually any way to confine it, that is, given that it’s pretty much a system on its own.

[Update: I’d like to point out that running Tomcat on a SELinux ‘targeted’ system works fine by running Tomcat in an ‘unconfined’ domain. Since Tomcat usually isn’t run with root privileges anyway, it’s not that risky.]