Unconfined services with Elasticsearch

redplastic · January 5, 2021, 2:49am

I'm attempting to use Elasticsearch on Centos but have some concerns over the unconfined java and controller services that Elasticsearch uses. With the system's initial blocking of unconfined services due to security concerns, Elasticsearch will not be able to work as java and controller will not be able to start up.

Does Elasticsearch requires that the java and controller be run on unconfined services or are there ways to run the services in a confined type and still allowing Elasticsearch to work?
Thanks

warkolm · January 5, 2021, 2:50am

Welcome to our community!

Can you clarify what you mean by "unconfined services"?

redplastic · January 5, 2021, 3:08am

I meant that they run as unconfined processes. For example when running ps -eZ | grep unconfined_service_t it will flag out the 2 processes, java and controller that is used by elasticsearch.

warkolm · January 5, 2021, 3:09am

Are you referring to something in SELinux here? That's the only reference I can see to what you are asking, which is why I was looking for clarification

redplastic · January 5, 2021, 3:11am

Yes, sorry. I forgot to mention that. I'm running Centos with SELinux enabled.

redplastic · January 14, 2021, 4:01pm

Since unconfined services in SELinux is supposed to be able to do nearly anything, is there a security concern regarding having elasticsearch run java and controller as unconfined services?