# Type enforcement module for the Java runtime: declares the tunable, the
# confined java_t domain with its tmp and tmpfs types, and unconfined_java_t.
# The leading integers are gutter line numbers from the page this listing was
# taken from. Gaps in that numbering mean some lines of the file are not shown
# here (the type declarations for java_t, java_exec_t, java_tmp_t and
# java_tmpfs_t are among the lines not visible).
1 policy_module(java, 2.3.1)
3 ########################################
# Boolean, default false. Later in this module it gates execstack for java_t
# and execute permission on java_tmp_t files, so both stay denied unless an
# administrator turns it on.
10 ## Allow java executable stack
13 gen_tunable(allow_java_execstack, false)
# java_t is the confined domain and java_exec_t its entry point type.
# ubac_constrained presumably places the type under user-based access
# control - confirm against the ubac interface.
17 application_domain(java_t, java_exec_t)
18 ubac_constrained(java_t)
# Older per-role javaplugin type names are kept as aliases of java_t.
19 typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
20 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
# Authorises java_t for the system_r role as well.
21 role system_r types java_t;
# Private type for temporary files created by java_t.
24 files_tmp_file(java_tmp_t)
25 ubac_constrained(java_tmp_t)
26 typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
# NOTE(review): auditadm_tmp_javaplugin_t puts tmp before javaplugin, unlike
# the other four tmp aliases. An alias only helps if it matches the legacy
# name exactly, so check which spelling the older policy used before changing it.
27 typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
# Private type for tmpfs (shared memory) objects created by java_t.
30 ubac_constrained(java_tmpfs_t)
31 files_tmpfs_file(java_tmpfs_t)
32 typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
# NOTE(review): same word-order difference as the tmp aliases above, here for
# both the auditadm and secadm names - verify against the legacy names.
33 typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
# Second domain that uses the same java_exec_t entry point. Which of java_t or
# unconfined_java_t a process ends up in depends on transition rules that are
# not part of this listing.
35 type unconfined_java_t;
36 init_system_domain(unconfined_java_t, java_exec_t)
38 ########################################
# Local policy for the confined java_t domain: process and socket permissions
# on itself, management of its private tmp and tmpfs types, and re-execution
# of the java binary.
#
# execmem is granted unconditionally here, outside the allow_java_execstack
# boolean. java_t may therefore hold memory that is writable and executable
# at the same time. A JIT compiler needs this, but it also means SELinux will
# not stop injected code from running inside this domain.
43 allow java_t self:process { signal_perms getsched setsched execmem };
44 allow java_t self:fifo_file rw_fifo_file_perms;
# java_t may create and use its own TCP and UDP sockets.
45 allow java_t self:tcp_socket create_socket_perms;
46 allow java_t self:udp_socket create_socket_perms;
# Full manage rights on its own temporary directories and files. The
# filetrans rule gives files and directories that java_t creates in the
# temporary directory the java_tmp_t type.
48 manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
49 manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
50 files_tmp_filetrans(java_t, java_tmp_t, { file dir })
# Same arrangement for tmpfs: regular files, symlinks, fifos and sockets
# created by java_t on tmpfs are typed java_tmpfs_t and fully managed by it.
52 manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
53 manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
54 manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
55 manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
56 fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
# java_t may execute java_exec_t files. can_exec adds no domain transition,
# so the child process stays in java_t.
58 can_exec(java_t, java_exec_t)
# Interface calls that give java_t access to kernel state, the network,
# devices, system files and user home content. What each one grants is
# defined in the called module, not here; the notes below go by the
# interface names.
#
# Kernel and system state is read only, per the interface names.
60 kernel_read_all_sysctls(java_t)
61 kernel_search_vm_sysctl(java_t)
62 kernel_read_network_state(java_t)
63 kernel_read_system_state(java_t)
65 # Search bin directory under java for java executable
66 corecmd_search_bin(java_t)
# Network access is not narrowed by interface, node or port: java_t may send
# and receive TCP and UDP on all ports and make outbound TCP connections to
# any port. A compromised JVM in this domain can reach any service the host
# itself can reach, so network restrictions have to come from elsewhere
# (host firewall, network segmentation).
68 corenet_all_recvfrom_unlabeled(java_t)
69 corenet_all_recvfrom_netlabel(java_t)
70 corenet_tcp_sendrecv_generic_if(java_t)
71 corenet_udp_sendrecv_generic_if(java_t)
72 corenet_tcp_sendrecv_generic_node(java_t)
73 corenet_udp_sendrecv_generic_node(java_t)
74 corenet_tcp_sendrecv_all_ports(java_t)
75 corenet_udp_sendrecv_all_ports(java_t)
76 corenet_tcp_connect_all_ports(java_t)
77 corenet_sendrecv_all_client_packets(java_t)
# Sound device read and write, and read access to urandom.
79 dev_read_sound(java_t)
80 dev_write_sound(java_t)
81 dev_read_urand(java_t)
# dontaudit: appending to the random device stays denied, but the denial is
# not written to the audit log.
83 dev_dontaudit_append_rand(java_t)
85 files_read_etc_files(java_t)
86 files_read_usr_files(java_t)
87 files_search_home(java_t)
88 files_search_var_lib(java_t)
89 files_read_etc_runtime_files(java_t)
# NOTE(review): the comment on the next line also appears before
# miscfiles_read_fonts further down, and no fonts rule follows it here in this
# listing (gutter line 91 is not shown). It looks like a stale duplicate -
# confirm against the full file.
90 # Read global fonts and font config
92 fs_getattr_xattr_fs(java_t)
93 fs_dontaudit_rw_tmpfs_files(java_t)
95 logging_send_syslog_msg(java_t)
97 miscfiles_read_localization(java_t)
98 # Read global fonts and font config
99 miscfiles_read_fonts(java_t)
101 sysnet_read_config(java_t)
# The three dontaudit calls below suppress audit records for accesses that
# remain denied: use of user terminals, setattr on user home content files,
# and execution of user home content files. Attempts of that kind by java_t
# will not show up as AVC denials unless dontaudit rules are disabled for the
# investigation (semodule -DB).
103 userdom_dontaudit_use_user_terminals(java_t)
104 userdom_dontaudit_setattr_user_home_content_files(java_t)
105 userdom_dontaudit_exec_user_home_content_files(java_t)
# Per the interface names, java_t may create, modify and delete directories,
# files, symlinks, pipes and sockets labelled as user home content, and
# objects it creates in the home directory receive that label. This is broad
# write access to user data; java_t should not be treated as a sandbox that
# protects the home directory.
106 userdom_manage_user_home_content_dirs(java_t)
107 userdom_manage_user_home_content_files(java_t)
108 userdom_manage_user_home_content_symlinks(java_t)
109 userdom_manage_user_home_content_pipes(java_t)
110 userdom_manage_user_home_content_sockets(java_t)
111 userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
112 userdom_write_user_tmp_sockets(java_t)
# Rules that take effect only while the allow_java_execstack boolean is on,
# followed by NIS, nscd and X server integration for java_t.
# The closing quote and parenthesis of this tunable_policy block are not
# visible in this listing (gutter lines 123 to 125 are missing), so the block
# presumably ends after the legacy rules at gutter line 122 - confirm against
# the full file.
# Comments placed inside the block must not contain quote characters, because
# m4 would read them as part of the block quoting.
114 tunable_policy(`allow_java_execstack',`
# Executable stack for java_t.
115 allow java_t self:process execstack;
# java_t also has full manage rights on java_tmp_t files (manage_files_pattern
# earlier in this module), so with the boolean on it can write a temporary
# file and then execute it. Enabling the boolean removes write-xor-execute
# protection for both the stack and the temp directory of this domain.
117 allow java_t java_tmp_t:file execute;
# Legacy library and localization access, named as such by the interfaces.
119 libs_legacy_use_shared_libs(java_t)
120 libs_legacy_use_ld_so(java_t)
122 miscfiles_legacy_read_localization(java_t)
# The gutter gaps around each of the next three calls suggest they sit in
# optional_policy wrappers that are not shown here - confirm.
126 nis_use_ypbind(java_t)
130 nscd_socket_use(java_t)
# Sets up X server client access for java_t, passing java_tmpfs_t as the
# type for its tmpfs objects.
134 xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
137 ########################################
139 # Unconfined java local policy
# Rules for unconfined_java_t. Any wrapper around them (for example an
# optional_policy block) is not visible in this listing.
#
# execstack, execmem and execheap are granted unconditionally here; unlike
# execstack for java_t they are not gated by the allow_java_execstack boolean.
# Together they allow code to run from the stack, the heap and anonymous
# writable memory, so SELinux memory-protection checks give no containment
# for a process in this domain.
143 # execheap is needed for itanium/BEA jrocket
144 allow unconfined_java_t self:process { execstack execmem execheap };
146 init_dbus_chat_script(unconfined_java_t)
# Per the interface name, allows execmod on files of every type, that is,
# executing a file mapping after it has been modified (text relocations).
148 files_execmod_all_files(unconfined_java_t)
# NOTE(review): repeats the init_dbus_chat_script call at gutter line 146;
# one of the two is redundant.
150 init_dbus_chat_script(unconfined_java_t)
# Makes the domain unconfined. The noaudit suffix suggests denials for it are
# also not logged - confirm against the unconfined module.
152 unconfined_domain_noaudit(unconfined_java_t)
153 unconfined_dbus_chat(unconfined_java_t)
154 userdom_unpriv_usertype(unconfined, unconfined_java_t)
# Lets unconfined_java_t transition into the rpm domain when it runs rpm,
# per the interface name.
157 rpm_domtrans(unconfined_java_t)