Fix unconfined_r use of unconfined_java_t.
The unconfined role runs java in the unconfined_java_t domain. The current policy only has a domtrans interface, so the unconfined_java_t domain is not added to unconfined_r. Add a run interface and change the unconfined module to use this new interface.
parent
0bf2bc9156
commit
b2648249d9
@ -1,3 +1,4 @@
|
||||
- Fix unconfined_r use of unconfined_java_t.
|
||||
- Add missing x_device rules for XI2 functions, from Eamon Walsh.
|
||||
- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
|
||||
- Add btrfs and ext4 to labeling targets.
|
||||
|
@ -68,3 +68,27 @@ interface(`java_domtrans_unconfined',`
|
||||
domtrans_pattern($1, java_exec_t, unconfined_java_t)
|
||||
corecmd_search_bin($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the java program in the unconfined java domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`java_run_unconfined',`
|
||||
gen_require(`
|
||||
type unconfined_java_t;
|
||||
')
|
||||
|
||||
java_domtrans_unconfined($1)
|
||||
role $2 types unconfined_java_t;
|
||||
')
|
||||
|
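Review bot: The documentation block above `java_run_unconfined` describes only the domain transition and never says that the interface also authorizes the role in `$2` for `unconfined_java_t`, which is the security-relevant part of the new code. I would word the summary as `## Execute the java program in the unconfined java domain, and allow the specified role the unconfined java domain.` and add `## <rolecap/>` after the last `</param>`, as refpolicy run interfaces conventionally do. Because `role $2 types unconfined_java_t;` makes an unconfined domain valid for whatever role is passed, the comment should also state that callers are expected to be roles that are already unconfined. The only caller visible in this commit passes `unconfined_r`, so this is a documentation point rather than a defect in the change itself.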
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(java, 2.1.0)
|
||||
policy_module(java, 2.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined, 3.0.0)
|
||||
policy_module(unconfined, 3.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -123,7 +123,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_domtrans_unconfined(unconfined_t)
|
||||
java_run_unconfined(unconfined_t, unconfined_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|