selinux-policy/policy/modules/apps/java.te
Chris PeBenito 84940a0995 Java patch from Dan Walsh.
Additional java context

unconfined_Java apps needs to execmod any file since we do not know where the jave content will be labeled

We want unconfined java apps to transition to rpm when they execute rpm_exec_t.  To maintain proper labeling.
2010-05-14 10:40:59 -04:00

161 lines
4.4 KiB
Plaintext

policy_module(java, 2.2.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow java executable stack
## </p>
## </desc>
gen_tunable(allow_java_execstack, false)
type java_t;
type java_exec_t;
application_domain(java_t, java_exec_t)
ubac_constrained(java_t)
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role system_r types java_t;
type java_tmp_t;
files_tmp_file(java_tmp_t)
ubac_constrained(java_tmp_t)
typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
type java_tmpfs_t;
ubac_constrained(java_tmpfs_t)
files_tmpfs_file(java_tmpfs_t)
typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
type unconfined_java_t;
init_system_domain(unconfined_java_t, java_exec_t)
########################################
#
# Local policy
#
allow java_t self:process { signal_perms getsched setsched execmem };
allow java_t self:fifo_file rw_fifo_file_perms;
allow java_t self:tcp_socket create_socket_perms;
allow java_t self:udp_socket create_socket_perms;
manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
files_tmp_filetrans(java_t, java_tmp_t, { file dir })
manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
can_exec(java_t, java_exec_t)
kernel_read_all_sysctls(java_t)
kernel_search_vm_sysctl(java_t)
kernel_read_network_state(java_t)
kernel_read_system_state(java_t)
# Search bin directory under java for java executable
corecmd_search_bin(java_t)
corenet_all_recvfrom_unlabeled(java_t)
corenet_all_recvfrom_netlabel(java_t)
corenet_tcp_sendrecv_generic_if(java_t)
corenet_udp_sendrecv_generic_if(java_t)
corenet_tcp_sendrecv_generic_node(java_t)
corenet_udp_sendrecv_generic_node(java_t)
corenet_tcp_sendrecv_all_ports(java_t)
corenet_udp_sendrecv_all_ports(java_t)
corenet_tcp_connect_all_ports(java_t)
corenet_sendrecv_all_client_packets(java_t)
dev_read_sound(java_t)
dev_write_sound(java_t)
dev_read_urand(java_t)
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
files_read_etc_files(java_t)
files_read_usr_files(java_t)
files_search_home(java_t)
files_search_var_lib(java_t)
files_read_etc_runtime_files(java_t)
# Read global fonts and font config
files_read_etc_files(java_t)
fs_getattr_xattr_fs(java_t)
fs_dontaudit_rw_tmpfs_files(java_t)
logging_send_syslog_msg(java_t)
miscfiles_read_localization(java_t)
# Read global fonts and font config
miscfiles_read_fonts(java_t)
sysnet_read_config(java_t)
userdom_dontaudit_use_user_terminals(java_t)
userdom_dontaudit_setattr_user_home_content_files(java_t)
userdom_dontaudit_exec_user_home_content_files(java_t)
userdom_manage_user_home_content_dirs(java_t)
userdom_manage_user_home_content_files(java_t)
userdom_manage_user_home_content_symlinks(java_t)
userdom_manage_user_home_content_pipes(java_t)
userdom_manage_user_home_content_sockets(java_t)
userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
userdom_write_user_tmp_sockets(java_t)
tunable_policy(`allow_java_execstack',`
allow java_t self:process execstack;
allow java_t java_tmp_t:file execute;
libs_legacy_use_shared_libs(java_t)
libs_legacy_use_ld_so(java_t)
miscfiles_legacy_read_localization(java_t)
')
optional_policy(`
nis_use_ypbind(java_t)
')
optional_policy(`
nscd_socket_use(java_t)
')
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
########################################
#
# Unconfined java local policy
#
optional_policy(`
# execheap is needed for itanium/BEA jrocket
allow unconfined_java_t self:process { execstack execmem execheap };
init_dbus_chat_script(unconfined_java_t)
files_execmod_all_files(unconfined_java_t)
init_dbus_chat_script(unconfined_java_t)
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
optional_policy(`
rpm_domtrans(unconfined_java_t)
')
')