* writing a java policy file
@ 2003-07-31 2:02 Michael Luu
From: Michael Luu @ 2003-07-31 2:02 UTC (permalink / raw)
To: selinux
hi all,
i'm trying to set up a simple java policy whereby i only allow a specific
user (in java_r role) to run a java (type java_t) application that
communicates with a server (e.g., www.yahoo.com). i'm making some
progress, but can't set up the te and dependent files correctly. when i
test the policy using sepcut, i get a name conflict for type java_t. i'm
not sure what else i need to do or if these policy files are correct.
this is what i have done so far:
1. added the java_r to a user that should only have access to run java
(in the users file)
2. added the java_r in the user domain files (user.te and
user_macros.te) based on
http://sourceforge.net/docman/display_doc.php?docid=15285&group_id=21266#gs8AddUserDom
3. i created a java.te file:
#DESC jvm policy
#
# File: java.te
# Author(s):
#
type java_port_t, port_type;
type java_t, domain, privowner;
# file types used in java.fc; they must be declared somewhere or the
# file contexts will not load
type java_exec_t, file_type, sysadmfile, exec_type;
type java_modules_t, file_type, sysadmfile;
# the role must be authorized for the domain before a java_r user can
# ever run in it
role java_r types java_t;
allow java_t user_home_dir_type:file { read };
allow java_t user_home_dir_type:dir { getattr search };
allow java_t { java_port_t }:tcp_socket name_bind;
4. i created a java.fc file:
#DESC jvm policy
#
# File: java.fc
# Author(s):
#
# the pattern is anchored at both ends, so "(/.*)?" is needed to label
# the contents of each directory and not only the directory itself
/usr/java/j2sdk.*/include(/.*)? system_u:object_r:java_modules_t
/usr/java/j2sdk.*/lib(/.*)? system_u:object_r:java_modules_t
/usr/java/j2sdk.*/jre(/.*)? system_u:object_r:java_modules_t
# only the regular files under bin are entry points, not the directory
/usr/java/j2sdk.*/bin/.* -- system_u:object_r:java_exec_t
thanks for your help!
mike
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: writing a java policy file
From: Colin Walters @ 2003-07-31 3:30 UTC (permalink / raw)
To: Michael Luu; +Cc: selinux
On Wed, 2003-07-30 at 22:02, Michael Luu wrote:
> hi all,
>
> i'm trying to set up a simple java policy whereby i only allow a specific
> user (in java_r role) to run a java (type java_t) application that
> communicates with a server (e.g., www.yahoo.com).
I think that java_t is a bad name for what you're doing. It seems to me
that you are writing a policy for a program which is implemented in
Java, not the JVM itself.
What you probably want to do is write up a macro like
uses_java(foo_t)
that gives an application privileges to do everything that the JVM does
by default (i.e. using shared libraries, maybe mmapping /dev/zero,
whatever).
Then you should write a policy for your application, call it myapp_t,
and use the uses_java macro. The .fc file looks fine though.
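Colin's suggestion worked out as policy fragments, an example added here and not part of the thread: the names myapp_t and myapp_exec_t, the file layout, and the assumption that the java_r user domain created in user.te is itself called java_t (full_user_role(`java') would declare one, which would also account for the name conflict sepcut reports) are mine; macro, attribute and device type names are those of the 2003 example policy.

```m4
# Added example, not code from the thread. Assumed names: myapp_t,
# myapp_exec_t, and java_t as the java_r user domain from user.te.
# uses_shlib, can_exec, can_network, domain_auto_trans, r_dir_perms,
# rx_file_perms and zero_device_t come from the example policy.

# ---- macros/program/java_macros.te ----
# What any domain needs in order to run code on the JVM.
define(`uses_java', `
# libjvm.so and the JRE class/library tree (java_modules_t from java.fc)
uses_shlib($1)
allow $1 java_modules_t:dir r_dir_perms;
allow $1 java_modules_t:file rx_file_perms;
allow $1 java_modules_t:lnk_file read;
# run the java launcher itself without changing domain
can_exec($1, java_exec_t)
# the "maybe mmapping /dev/zero" case: anonymous memory for heap and JIT
allow $1 zero_device_t:chr_file { read write execute };
')

# ---- domains/program/java.te ----
# file types referenced by java.fc; no application domain is declared
# here, so the java_t user domain from user.te keeps its name
type java_exec_t, file_type, sysadmfile, exec_type;
type java_modules_t, file_type, sysadmfile;

# ---- domains/program/myapp.te ----
type myapp_t, domain;
type myapp_exec_t, file_type, sysadmfile, exec_type;
# only processes in role java_r may hold myapp_t; a user_r user who
# execs myapp_exec_t is refused because the resulting context would be
# invalid for that role
role java_r types myapp_t;
domain_auto_trans(java_t, myapp_exec_t, myapp_t)
uses_java(myapp_t)
# outbound client traffic only: can_network grants socket creation and
# send/recv through port, netif and node types but no name_bind, so
# myapp_t can connect to www.yahoo.com yet cannot listen
can_network(myapp_t)
```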