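## <summary>Java virtual machine</summary>

########################################
## <summary>
##	Role access for java
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`java_role',`
	gen_require(`
		type java_t, java_exec_t;
	')

	# Authorize the role (first argument) for the java_t type.
	role $1 types java_t;

	# The user role is authorized for this domain.
	# The user domain (second argument) enters java_t by executing
	# a file labeled java_exec_t.
	domtrans_pattern($2, java_exec_t, java_t)

	# java_t may send only the null signal (an existence check) back
	# to the user domain.
	allow java_t $2:process signull;

	# Unrestricted inheritance from the caller.
	# NOTE(review): noatsecure turns off AT_SECURE on this transition,
	# so the dynamic loader does not scrub the environment
	# (LD_PRELOAD, LD_LIBRARY_PATH and similar) inherited from the
	# user domain. siginh and rlimitinh likewise keep the signal state
	# and resource limits of the caller. java_t is therefore only as
	# trustworthy as the environment of the calling user domain.
	# Confirm this is intended before granting java_role to a
	# restricted user.
	allow $2 java_t:process { noatsecure siginh rlimitinh };

	# java_t may connect to stream sockets of the user domain and
	# read or write them.
	allow java_t $2:unix_stream_socket connectto;
	allow java_t $2:unix_stream_socket { read write };
')

########################################
## <summary>
##	Execute the java program in the java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# Declared with interface() rather than template(): nothing here
# declares a prefixed type, and the rule goes to the fixed java_t
# domain. The macro name and its single argument are unchanged.
interface(`java_domtrans',`
	gen_require(`
		type java_t, java_exec_t;
	')

	# NOTE(review): unlike java_domtrans_unconfined this does not call
	# corecmd_search_bin, so the caller is presumably expected to have
	# search access to the directory holding the java executable
	# already. Verify against callers.
	domtrans_pattern($1, java_exec_t, java_t)
')

########################################
## <summary>
##	Execute the java program in the unconfined java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`java_domtrans_unconfined',`
	gen_require(`
		type unconfined_java_t, java_exec_t;
	')

	# NOTE(review): unconfined_java_t is declared outside this file.
	# Going by its name it is an unconfined domain, so every caller of
	# this interface gains a path out of its own confinement through
	# any file labeled java_exec_t. Grant it only to domains that are
	# already trusted to that level.
	domtrans_pattern($1, java_exec_t, unconfined_java_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Execute the java program in the unconfined java domain, and
##	allow the specified role the unconfined java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`java_run_unconfined',`
	gen_require(`
		type unconfined_java_t;
	')

	# Domain transition for the first argument, then role
	# authorization for the second. Both are needed for a user in
	# that role to actually run in unconfined_java_t.
	java_domtrans_unconfined($1)
	role $2 types unconfined_java_t;
')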