rpms / selinux-policy

Clone
Source Code
GIT

Blame strict/macros/program/java_macros.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   fa7bea8feb9ebbe65a313de13ae2cbaeb3a744ce
  2.   strict
  3.   macros
  4.   program
  5.   java_macros.te
Blob History Raw
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Authors:  Dan Walsh <dwalsh@redhat.com>
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Macros for javaplugin (java plugin) domains.
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# javaplugin_domain(domain_prefix, user)
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Define a derived domain for the javaplugin program when executed by
Chris PeBenito 0fbfa5 
# a web browser.
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# The type declaration for the executable type for this program is
Chris PeBenito 0fbfa5 
# provided separately in domains/program/java.te.
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
define(`javaplugin_domain',`
Chris PeBenito 0fbfa5 
type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# The user role is authorized for this domain.
Chris PeBenito 0fbfa5 
role $2_r types $1_javaplugin_t;
Chris PeBenito 0fbfa5 
domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5 
# Unrestricted inheritance from the caller.
Chris PeBenito 0fbfa5 
allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $1_t:process signull;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
can_unix_connect($1_javaplugin_t, $1_t)
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# This domain is granted permissions common to most domains (including can_net)
Chris PeBenito 0fbfa5 
can_network_client($1_javaplugin_t)
Chris PeBenito 0fbfa5 
can_ypbind($1_javaplugin_t)
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t etc_runtime_t:file { getattr read };
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5 
r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:dir search;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:lnk_file read;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
read_sysctl($1_javaplugin_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
tmp_domain($1_javaplugin)
Chris PeBenito 0fbfa5 
r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Search bin directory under javaplugin for javaplugin executable
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t bin_t:dir search;
Chris PeBenito 0fbfa5 
can_exec($1_javaplugin_t, java_exec_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Allow connections to X server.
Chris PeBenito 0fbfa5 
ifdef(`xserver.te', `
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`xdm.te', `
Chris PeBenito 0fbfa5 
# for when /tmp/.X11-unix is created by the system
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t xdm_tmp_t:dir search;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t xdm_tmp_t:sock_file write;
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`startx.te', `
Chris PeBenito 0fbfa5 
# for when /tmp/.X11-unix is created by the X server
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# for /tmp/.X0-lock
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
Chris PeBenito 0fbfa5 
can_unix_connect($1_javaplugin_t, $2_xserver_t)
Chris PeBenito 0fbfa5 
')dnl end startx
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
can_unix_connect($1_javaplugin_t, xdm_xserver_t)
Chris PeBenito 0fbfa5 
allow xdm_xserver_t $1_javaplugin_t:fd use;
Chris PeBenito 0fbfa5 
allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
Chris PeBenito 0fbfa5 
dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
')dnl end xserver
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t self:shm create_shm_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
uses_shlib($1_javaplugin_t)
Chris PeBenito 0fbfa5 
read_locale($1_javaplugin_t)
Chris PeBenito 0fbfa5 
rw_dir_file($1_javaplugin_t, $1_home_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
if (allow_java_execstack) {
Chris PeBenito 0fbfa5 
legacy_domain($1_javaplugin)
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t lib_t:file execute;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t locale_t:file execute;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t fonts_t:file execute;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t sound_device_t:chr_file execute;
Chris PeBenito 0fbfa5 
}
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t home_root_t:dir { getattr search };
Chris PeBenito 0fbfa5 
file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $2_tmp_t:sock_file write;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t $2_t:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t var_t:dir getattr;
Chris PeBenito 0fbfa5 
allow $1_javaplugin_t var_lib_t:dir { getattr search };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
Chris PeBenito 0fbfa5 
dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
Chris PeBenito 0fbfa5 
dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
Chris PeBenito 0fbfa5 
dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
Chris PeBenito 0fbfa5 
dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation