policy/modules/apps/java.te

   1 policy_module(java, 2.3.1)
   2
   3 ########################################
   4 #
   5 # Declarations
   6 #
   7
   8 ## <desc>
   9 ## <p>
  10 ## Allow java executable stack
  11 ## </p>
  12 ## </desc>
  13 gen_tunable(allow_java_execstack, false)
  14
  15 type java_t;
  16 type java_exec_t;
  17 application_domain(java_t, java_exec_t)
  18 ubac_constrained(java_t)
  19 typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
  20 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
  21 role system_r types java_t;
  22
  23 type java_tmp_t;
  24 files_tmp_file(java_tmp_t)
  25 ubac_constrained(java_tmp_t)
  26 typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
  27 typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
  28
  29 type java_tmpfs_t;
  30 ubac_constrained(java_tmpfs_t)
  31 files_tmpfs_file(java_tmpfs_t)
  32 typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
  33 typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
  34
  35 type unconfined_java_t;
  36 init_system_domain(unconfined_java_t, java_exec_t)
  37
  38 ########################################
  39 #
  40 # Local policy
  41 #
  42
  43 allow java_t self:process { signal_perms getsched setsched execmem };
  44 allow java_t self:fifo_file rw_fifo_file_perms;
  45 allow java_t self:tcp_socket create_socket_perms;
  46 allow java_t self:udp_socket create_socket_perms;
  47
  48 manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
  49 manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
  50 files_tmp_filetrans(java_t, java_tmp_t, { file dir })
  51
  52 manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
  53 manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
  54 manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
  55 manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
  56 fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
  57
  58 can_exec(java_t, java_exec_t)
  59
  60 kernel_read_all_sysctls(java_t)
  61 kernel_search_vm_sysctl(java_t)
  62 kernel_read_network_state(java_t)
  63 kernel_read_system_state(java_t)
  64
  65 # Search bin directory under java for java executable
  66 corecmd_search_bin(java_t)
  67
  68 corenet_all_recvfrom_unlabeled(java_t)
  69 corenet_all_recvfrom_netlabel(java_t)
  70 corenet_tcp_sendrecv_generic_if(java_t)
  71 corenet_udp_sendrecv_generic_if(java_t)
  72 corenet_tcp_sendrecv_generic_node(java_t)
  73 corenet_udp_sendrecv_generic_node(java_t)
  74 corenet_tcp_sendrecv_all_ports(java_t)
  75 corenet_udp_sendrecv_all_ports(java_t)
  76 corenet_tcp_connect_all_ports(java_t)
  77 corenet_sendrecv_all_client_packets(java_t)
  78
  79 dev_read_sound(java_t)
  80 dev_write_sound(java_t)
  81 dev_read_urand(java_t)
  82 dev_read_rand(java_t)
  83 dev_dontaudit_append_rand(java_t)
  84
  85 files_read_etc_files(java_t)
  86 files_read_usr_files(java_t)
  87 files_search_home(java_t)
  88 files_search_var_lib(java_t)
  89 files_read_etc_runtime_files(java_t)
  90 # Read global fonts and font config
  91
  92 fs_getattr_xattr_fs(java_t)
  93 fs_dontaudit_rw_tmpfs_files(java_t)
  94
  95 logging_send_syslog_msg(java_t)
  96
  97 miscfiles_read_localization(java_t)
  98 # Read global fonts and font config
  99 miscfiles_read_fonts(java_t)
 100
 101 sysnet_read_config(java_t)
 102
 103 userdom_dontaudit_use_user_terminals(java_t)
 104 userdom_dontaudit_setattr_user_home_content_files(java_t)
 105 userdom_dontaudit_exec_user_home_content_files(java_t)
 106 userdom_manage_user_home_content_dirs(java_t)
 107 userdom_manage_user_home_content_files(java_t)
 108 userdom_manage_user_home_content_symlinks(java_t)
 109 userdom_manage_user_home_content_pipes(java_t)
 110 userdom_manage_user_home_content_sockets(java_t)
 111 userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
 112 userdom_write_user_tmp_sockets(java_t)
 113
 114 tunable_policy(`allow_java_execstack',`
 115         allow java_t self:process execstack;
 116
 117         allow java_t java_tmp_t:file execute;
 118
 119         libs_legacy_use_shared_libs(java_t)
 120         libs_legacy_use_ld_so(java_t)
 121
 122         miscfiles_legacy_read_localization(java_t)
 123 ')
 124
 125 optional_policy(`
 126         nis_use_ypbind(java_t)
 127 ')
 128
 129 optional_policy(`
 130         nscd_socket_use(java_t)
 131 ')
 132
 133 optional_policy(`
 134         xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
 135 ')
 136
 137 ########################################
 138 #
 139 # Unconfined java local policy
 140 #
 141
 142 optional_policy(`
 143         # execheap is needed for itanium/BEA jrocket
 144         allow unconfined_java_t self:process { execstack execmem execheap };
 145
 146         init_dbus_chat_script(unconfined_java_t)
 147
 148         files_execmod_all_files(unconfined_java_t)
 149
 150         init_dbus_chat_script(unconfined_java_t)
 151
 152         unconfined_domain_noaudit(unconfined_java_t)
 153         unconfined_dbus_chat(unconfined_java_t)
 154         userdom_unpriv_usertype(unconfined, unconfined_java_t)
 155
 156         optional_policy(`
 157                 rpm_domtrans(unconfined_java_t)
 158         ')
 159 ')