From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: Daniel J Walsh <dwalsh@redhat.com>, selinux@tycho.nsa.gov
Subject: Re: Java Legacy problem
Date: Mon, 21 Feb 2005 15:06:09 +0000
Message-ID: <20050221150609.GV14038@lkcl.net>
In-Reply-To: <1108995869.27158.14.camel@cobra.ivg2.net>

On Mon, Feb 21, 2005 at 09:24:29AM -0500, Ivan Gyurdiev wrote:
> 
> >I don't think java can be fixed, I think it is doing this stuff by
> >design.
> 
> I thought it was a question of compiling with a newer toolchain that
> supports PT_GNU_STACK... is that not the case? 
> 
> >A couple of things to try.
> >
> >How about we rename java_domain to javap_domain (java_plugin).
> 
> javap is the java profiler - bad name.
> 
> >Then we create a java_domain like the following
> >
> >define(`java_domain',`
> >type $1_java_t, domain, privlog , nscd_client_domain, transitionbool;
> >legacy_domain($1_java)
> >base_user_domain($1_java)
> 
> That looks like a hack 

 Not sure.

> - Java is not an actual user. 
 
 The concept of a user doesn't exist in SELinux, only domains,
 contexts etc.

 Therefore this statement is rather ambiguous: could you possibly
 clarify, just for the record?

> You're giving it permissions for user_java_t, while
> the whole filesystem is labeled with respect to user_t.

 Or more specifically, user_t is given certain rights to access
 specific parts of the filesystem, whereas at present
 user_java_t is given none, yes?

 So... that suggests that user_java_t should be given some, yes?

> For example, code that writes to the home directory
> still has to write to user_home_t, and you've given
> Java permissions to user_java_home_t, which does not
> exist in the fs, since java's not a real user. I don't think
> this will work.
 
 Two, maybe three options are available:

 1) typealias user_java_home_t to user_home_t

 2) run it, go looking for places where $1_home_t is used
    and where _appropriate_ add $1_java_home_t as well.

    Mostly these places will be in user_macros, and instead of,
    oh I dunno:

	    allow xdm_t $1_home_t:lnk_file read;

    you'd do this:

	    allow xdm_t { $1_home_t $1_java_home_t }:lnk_file read;

    (except that's possibly a bad example).

 3) don't use base_user_domain(), although I wouldn't have a
    clue what to put in its place.


 I'm not sure what Daniel intends by the use of base_user_domain()
 so I can't really say if 2) is actually appropriate or not.

 l.

-- 
--
http://lkcl.net
--
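Option 2 in the message above (go looking for places where $1_home_t is used and add $1_java_home_t to the same rule) is mechanical enough to script. The following is an added example, not part of the original mail and not code from the SELinux policy tree: it walks a constructed excerpt of an m4 policy macro in the 2005 example-policy style, finds one-line allow rules whose target type set names $1_home_t, widens that set with $1_java_home_t, and hands back every rewritten rule so a human can decide whether each one is "appropriate". The sample macro text, the type names used as defaults and the regular expression are assumptions made for this example; the only thing taken from the policy language itself is the `allow <source> <target>:<class> <perms>;` statement shape with brace-delimited type sets.

```python
import re

# Constructed excerpt in the style of the 2005 example-policy m4 macros
# (user_macros.te).  Not taken from the real policy tree; the rule set is
# invented for illustration only.
SAMPLE_MACRO = """\
# user_macros.te (constructed excerpt)
allow xdm_t $1_home_t:lnk_file read;
allow $1_t $1_home_t:dir create_dir_perms;
allow $1_t { $1_home_t $1_tmp_t }:file rw_file_perms;
allow $1_t $1_tmp_t:file create_file_perms;
dontaudit $1_t $1_home_t:dir search;
"""

# One-line allow statement:  allow <src> <tgt>:<class> <perms>;
# <src>, <tgt> and <class> may each be a brace-delimited set.  Only
# "allow" is handled; dontaudit/auditallow/neverallow pass through
# untouched so the reviewer sees them in the diff, not in the rewrite.
ALLOW_RE = re.compile(
    r'^(?P<indent>\s*)allow\s+'
    r'(?P<src>\{[^}]*\}|\S+)\s+'
    r'(?P<tgt>\{[^}]*\}|[^\s:{]+)\s*:\s*'
    r'(?P<cls>\{[^}]*\}|\S+)\s+'
    r'(?P<perms>.+?)\s*;\s*$'
)


def parse_type_set(token):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    return token.strip('{}').split()


def render_type_set(types):
    """Inverse of parse_type_set; a single type is written without braces."""
    return types[0] if len(types) == 1 else '{ ' + ' '.join(types) + ' }'


def widen_home_rules(policy_text, home='$1_home_t', extra='$1_java_home_t'):
    """Option 2 from the mail: for every allow rule whose *target* set
    names `home`, add `extra` to that same set.  Returns the rewritten
    text plus a list of (old_line, new_line) pairs so each candidate
    can be reviewed by hand; the script cannot judge "appropriate"."""
    out, changed = [], []
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            tgts = parse_type_set(m.group('tgt'))
            if home in tgts and extra not in tgts:
                tgts.append(extra)
                new = '{}allow {} {}:{} {};'.format(
                    m.group('indent'), m.group('src'),
                    render_type_set(tgts), m.group('cls'), m.group('perms'))
                changed.append((line, new))
                line = new
        out.append(line)
    text = '\n'.join(out)
    if policy_text.endswith('\n'):
        text += '\n'
    return text, changed


if __name__ == '__main__':
    new_text, report = widen_home_rules(SAMPLE_MACRO)
    for old, new in report:
        print('-', old)
        print('+', new)
    print(new_text)
```

Running it on the constructed excerpt rewrites the three allow rules that grant access to $1_home_t (the xdm_t lnk_file rule from the mail included) and leaves the $1_tmp_t rule and the dontaudit line alone; running it a second time on its own output changes nothing, which is the property you want before pointing it at a real user_macros.te. Rules that give some other domain *source* access from a home type, or rules spread over several lines, are deliberately out of scope here and still need eyeballing.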



Thread overview: 12+ messages
2005-02-20 14:45 Java Legacy problem Ivan Gyurdiev
2005-02-20 15:44 ` Luke Kenneth Casson Leighton
2005-02-20 15:53   ` Ivan Gyurdiev
2005-02-20 17:17     ` Luke Kenneth Casson Leighton
2005-02-21 13:01       ` Daniel J Walsh
2005-02-21 13:24         ` Ivan Gyurdiev
2005-02-21 13:59           ` Daniel J Walsh
2005-02-21 14:24             ` Ivan Gyurdiev
2005-02-21 15:06               ` Luke Kenneth Casson Leighton [this message]
2005-02-21 15:12                 ` Daniel J Walsh
2005-02-21 15:38                   ` Luke Kenneth Casson Leighton
2005-02-22 13:36 ` Stephen Smalley
