84940a0995
Additional java context unconfined_Java apps needs to execmod any file since we do not know where the jave content will be labeled We want unconfined java apps to transition to rpm when they execute rpm_exec_t. To maintain proper labeling.
161 lines
4.4 KiB
Plaintext
161 lines
4.4 KiB
Plaintext
|
|
policy_module(java, 2.2.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow java executable stack
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_java_execstack, false)
|
|
|
|
type java_t;
|
|
type java_exec_t;
|
|
application_domain(java_t, java_exec_t)
|
|
ubac_constrained(java_t)
|
|
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
|
|
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
|
|
role system_r types java_t;
|
|
|
|
type java_tmp_t;
|
|
files_tmp_file(java_tmp_t)
|
|
ubac_constrained(java_tmp_t)
|
|
typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
|
|
typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
|
|
|
|
type java_tmpfs_t;
|
|
ubac_constrained(java_tmpfs_t)
|
|
files_tmpfs_file(java_tmpfs_t)
|
|
typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
|
|
typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
|
|
|
|
type unconfined_java_t;
|
|
init_system_domain(unconfined_java_t, java_exec_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow java_t self:process { signal_perms getsched setsched execmem };
|
|
allow java_t self:fifo_file rw_fifo_file_perms;
|
|
allow java_t self:tcp_socket create_socket_perms;
|
|
allow java_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
|
|
manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
|
|
files_tmp_filetrans(java_t, java_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
|
|
manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
|
|
manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
|
|
manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
|
|
fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
|
|
|
|
can_exec(java_t, java_exec_t)
|
|
|
|
kernel_read_all_sysctls(java_t)
|
|
kernel_search_vm_sysctl(java_t)
|
|
kernel_read_network_state(java_t)
|
|
kernel_read_system_state(java_t)
|
|
|
|
# Search bin directory under java for java executable
|
|
corecmd_search_bin(java_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(java_t)
|
|
corenet_all_recvfrom_netlabel(java_t)
|
|
corenet_tcp_sendrecv_generic_if(java_t)
|
|
corenet_udp_sendrecv_generic_if(java_t)
|
|
corenet_tcp_sendrecv_generic_node(java_t)
|
|
corenet_udp_sendrecv_generic_node(java_t)
|
|
corenet_tcp_sendrecv_all_ports(java_t)
|
|
corenet_udp_sendrecv_all_ports(java_t)
|
|
corenet_tcp_connect_all_ports(java_t)
|
|
corenet_sendrecv_all_client_packets(java_t)
|
|
|
|
dev_read_sound(java_t)
|
|
dev_write_sound(java_t)
|
|
dev_read_urand(java_t)
|
|
dev_read_rand(java_t)
|
|
dev_dontaudit_append_rand(java_t)
|
|
|
|
files_read_etc_files(java_t)
|
|
files_read_usr_files(java_t)
|
|
files_search_home(java_t)
|
|
files_search_var_lib(java_t)
|
|
files_read_etc_runtime_files(java_t)
|
|
# Read global fonts and font config
|
|
files_read_etc_files(java_t)
|
|
|
|
fs_getattr_xattr_fs(java_t)
|
|
fs_dontaudit_rw_tmpfs_files(java_t)
|
|
|
|
logging_send_syslog_msg(java_t)
|
|
|
|
miscfiles_read_localization(java_t)
|
|
# Read global fonts and font config
|
|
miscfiles_read_fonts(java_t)
|
|
|
|
sysnet_read_config(java_t)
|
|
|
|
userdom_dontaudit_use_user_terminals(java_t)
|
|
userdom_dontaudit_setattr_user_home_content_files(java_t)
|
|
userdom_dontaudit_exec_user_home_content_files(java_t)
|
|
userdom_manage_user_home_content_dirs(java_t)
|
|
userdom_manage_user_home_content_files(java_t)
|
|
userdom_manage_user_home_content_symlinks(java_t)
|
|
userdom_manage_user_home_content_pipes(java_t)
|
|
userdom_manage_user_home_content_sockets(java_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
|
|
userdom_write_user_tmp_sockets(java_t)
|
|
|
|
tunable_policy(`allow_java_execstack',`
|
|
allow java_t self:process execstack;
|
|
|
|
allow java_t java_tmp_t:file execute;
|
|
|
|
libs_legacy_use_shared_libs(java_t)
|
|
libs_legacy_use_ld_so(java_t)
|
|
|
|
miscfiles_legacy_read_localization(java_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(java_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(java_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Unconfined java local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
# execheap is needed for itanium/BEA jrocket
|
|
allow unconfined_java_t self:process { execstack execmem execheap };
|
|
|
|
init_dbus_chat_script(unconfined_java_t)
|
|
|
|
files_execmod_all_files(unconfined_java_t)
|
|
|
|
init_dbus_chat_script(unconfined_java_t)
|
|
|
|
unconfined_domain_noaudit(unconfined_java_t)
|
|
unconfined_dbus_chat(unconfined_java_t)
|
|
|
|
optional_policy(`
|
|
rpm_domtrans(unconfined_java_t)
|
|
')
|
|
')
|