[people/stevee/selinux-policy.git] / policy / modules / apps / java.te


policy_module(java, 2.3.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow java executable stack
## </p>
## </desc>
gen_tunable(allow_java_execstack, false)

type java_t;
type java_exec_t;
application_domain(java_t, java_exec_t)
ubac_constrained(java_t)
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role system_r types java_t;

type java_tmp_t;
files_tmp_file(java_tmp_t)
ubac_constrained(java_tmp_t)
typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };

type java_tmpfs_t;
ubac_constrained(java_tmpfs_t)
files_tmpfs_file(java_tmpfs_t)
typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };

type unconfined_java_t;
init_system_domain(unconfined_java_t, java_exec_t)

########################################
#
# Local policy
#

allow java_t self:process { signal_perms getsched setsched execmem };
allow java_t self:fifo_file rw_fifo_file_perms;
allow java_t self:tcp_socket create_socket_perms;
allow java_t self:udp_socket create_socket_perms;

manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
files_tmp_filetrans(java_t, java_tmp_t, { file dir })

manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })

can_exec(java_t, java_exec_t)

kernel_read_all_sysctls(java_t)
kernel_search_vm_sysctl(java_t)
kernel_read_network_state(java_t)
kernel_read_system_state(java_t)

# Search bin directory under java for java executable
corecmd_search_bin(java_t)

corenet_all_recvfrom_unlabeled(java_t)
corenet_all_recvfrom_netlabel(java_t)
corenet_tcp_sendrecv_generic_if(java_t)
corenet_udp_sendrecv_generic_if(java_t)
corenet_tcp_sendrecv_generic_node(java_t)
corenet_udp_sendrecv_generic_node(java_t)
corenet_tcp_sendrecv_all_ports(java_t)
corenet_udp_sendrecv_all_ports(java_t)
corenet_tcp_connect_all_ports(java_t)
corenet_sendrecv_all_client_packets(java_t)

dev_read_sound(java_t)
dev_write_sound(java_t)
dev_read_urand(java_t)
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)

files_read_etc_files(java_t)
files_read_usr_files(java_t)
files_search_home(java_t)
files_search_var_lib(java_t)
files_read_etc_runtime_files(java_t)
# Read global fonts and font config
files_read_etc_files(java_t)

fs_getattr_xattr_fs(java_t)
fs_dontaudit_rw_tmpfs_files(java_t)

logging_send_syslog_msg(java_t)

miscfiles_read_localization(java_t)
# Read global fonts and font config
miscfiles_read_fonts(java_t)

sysnet_read_config(java_t)

userdom_dontaudit_use_user_terminals(java_t)
userdom_dontaudit_setattr_user_home_content_files(java_t)
userdom_dontaudit_exec_user_home_content_files(java_t)
userdom_manage_user_home_content_dirs(java_t)
userdom_manage_user_home_content_files(java_t)
userdom_manage_user_home_content_symlinks(java_t)
userdom_manage_user_home_content_pipes(java_t)
userdom_manage_user_home_content_sockets(java_t)
userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
userdom_write_user_tmp_sockets(java_t)

tunable_policy(`allow_java_execstack',`
	allow java_t self:process execstack;

	allow java_t java_tmp_t:file execute;

	libs_legacy_use_shared_libs(java_t)
	libs_legacy_use_ld_so(java_t)

	miscfiles_legacy_read_localization(java_t)
')

optional_policy(`
	nis_use_ypbind(java_t)
')

optional_policy(`
	nscd_socket_use(java_t)
')

optional_policy(`
	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')

########################################
#
# Unconfined java local policy
#

optional_policy(`
	# execheap is needed for itanium/BEA jrocket
	allow unconfined_java_t self:process { execstack execmem execheap };

	init_dbus_chat_script(unconfined_java_t)

	files_execmod_all_files(unconfined_java_t)

	init_dbus_chat_script(unconfined_java_t)

	unconfined_domain_noaudit(unconfined_java_t)
	unconfined_dbus_chat(unconfined_java_t)

	optional_policy(`
		rpm_domtrans(unconfined_java_t)
	')
')
Commit	Line	Data
3ffe2988	1
29af4c13	2	policy_module(java, 2.3.0)
3ffe2988 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Allow java executable stack
	12	## </p>
	13	## </desc>
0bfccda4	14	gen_tunable(allow_java_execstack, false)
56e1b3d2	15
46c69cb2	16	type java_t;
3ffe2988	17	type java_exec_t;
296273a7 CP	18	application_domain(java_t, java_exec_t)
	19	ubac_constrained(java_t)
	20	typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
	21	typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
4fd08891	22	role system_r types java_t;
296273a7 CP	23
	24	type java_tmp_t;
	25	files_tmp_file(java_tmp_t)
	26	ubac_constrained(java_tmp_t)
	27	typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
	28	typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
	29
	30	type java_tmpfs_t;
	31	ubac_constrained(java_tmpfs_t)
	32	files_tmpfs_file(java_tmpfs_t)
	33	typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
	34	typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
	35
	36	type unconfined_java_t;
	37	init_system_domain(unconfined_java_t, java_exec_t)
46c69cb2 CP	38
	39	########################################
	40	#
	41	# Local policy
	42	#
	43
296273a7 CP	44	allow java_t self:process { signal_perms getsched setsched execmem };
	45	allow java_t self:fifo_file rw_fifo_file_perms;
	46	allow java_t self:tcp_socket create_socket_perms;
	47	allow java_t self:udp_socket create_socket_perms;
	48
	49	manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
	50	manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
4fd08891	51	files_tmp_filetrans(java_t, java_tmp_t, { file dir })
296273a7 CP	52
	53	manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
	54	manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
	55	manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
	56	manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
	57	fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
	58
	59	can_exec(java_t, java_exec_t)
	60
	61	kernel_read_all_sysctls(java_t)
	62	kernel_search_vm_sysctl(java_t)
	63	kernel_read_network_state(java_t)
	64	kernel_read_system_state(java_t)
	65
	66	# Search bin directory under java for java executable
	67	corecmd_search_bin(java_t)
	68
	69	corenet_all_recvfrom_unlabeled(java_t)
	70	corenet_all_recvfrom_netlabel(java_t)
	71	corenet_tcp_sendrecv_generic_if(java_t)
	72	corenet_udp_sendrecv_generic_if(java_t)
c1262146 CP	73	corenet_tcp_sendrecv_generic_node(java_t)
c1262146 CP	74	corenet_udp_sendrecv_generic_node(java_t)
296273a7 CP	75	corenet_tcp_sendrecv_all_ports(java_t)
	76	corenet_udp_sendrecv_all_ports(java_t)
	77	corenet_tcp_connect_all_ports(java_t)
	78	corenet_sendrecv_all_client_packets(java_t)
	79
	80	dev_read_sound(java_t)
	81	dev_write_sound(java_t)
	82	dev_read_urand(java_t)
	83	dev_read_rand(java_t)
4fd08891	84	dev_dontaudit_append_rand(java_t)
296273a7 CP	85
	86	files_read_etc_files(java_t)
	87	files_read_usr_files(java_t)
	88	files_search_home(java_t)
	89	files_search_var_lib(java_t)
	90	files_read_etc_runtime_files(java_t)
	91	# Read global fonts and font config
	92	files_read_etc_files(java_t)
	93
	94	fs_getattr_xattr_fs(java_t)
	95	fs_dontaudit_rw_tmpfs_files(java_t)
	96
	97	logging_send_syslog_msg(java_t)
	98
	99	miscfiles_read_localization(java_t)
	100	# Read global fonts and font config
	101	miscfiles_read_fonts(java_t)
	102
	103	sysnet_read_config(java_t)
	104
	105	userdom_dontaudit_use_user_terminals(java_t)
	106	userdom_dontaudit_setattr_user_home_content_files(java_t)
	107	userdom_dontaudit_exec_user_home_content_files(java_t)
	108	userdom_manage_user_home_content_dirs(java_t)
	109	userdom_manage_user_home_content_files(java_t)
	110	userdom_manage_user_home_content_symlinks(java_t)
	111	userdom_manage_user_home_content_pipes(java_t)
	112	userdom_manage_user_home_content_sockets(java_t)
	113	userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
	114	userdom_write_user_tmp_sockets(java_t)
	115
	116	tunable_policy(`allow_java_execstack',`
	117	allow java_t self:process execstack;
	118
	119	allow java_t java_tmp_t:file execute;
6b19be33	120
296273a7 CP	121	libs_legacy_use_shared_libs(java_t)
	122	libs_legacy_use_ld_so(java_t)
	123
	124	miscfiles_legacy_read_localization(java_t)
	125	')
	126
	127	optional_policy(`
	128	nis_use_ypbind(java_t)
	129	')
6b19be33	130
350b6ab7	131	optional_policy(`
296273a7 CP	132	nscd_socket_use(java_t)
	133	')
	134
	135	optional_policy(`
	136	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
	137	')
	138
	139	########################################
	140	#
	141	# Unconfined java local policy
	142	#
	143
	144	optional_policy(`
	145	# execheap is needed for itanium/BEA jrocket
	146	allow unconfined_java_t self:process { execstack execmem execheap };
	147
	148	init_dbus_chat_script(unconfined_java_t)
	149
84940a09 CP	150	files_execmod_all_files(unconfined_java_t)
	151
	152	init_dbus_chat_script(unconfined_java_t)
	153
296273a7 CP	154	unconfined_domain_noaudit(unconfined_java_t)
296273a7 CP	155	unconfined_dbus_chat(unconfined_java_t)
84940a09 CP	156
	157	optional_policy(`
	158	rpm_domtrans(unconfined_java_t)
	159	')
46c69cb2	160	')