-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

selinux@a61.nl wrote:
> Hi Gents,
> 
> We have spent the last two weeks on creating selinux-modules for jboss and
> a custom-made jbossjava-module. I've attached the files to this message.
> 
> We would like you guys to take a look at our modules and tell us what we
> did wrong. For instance we didn't use real domain-transitions (at least we
> didn't use real domtrans()) to give jbossjava access to myjboss, do we
> have to? Or is the way we work sufficient?
> 
> It is possible that we made some of the rules to coarse, if that's the
> case, please let us know how we can make them better. This is our first
> attempt to write a module and let it checked upstream but that doesn't
> mean you have to be mild to us!
> 
> At the moment we use the (selinux)-user ejbca because in our current
> system we are running ejbca on top of jboss, but we are changing it this
> week to run as jboss.
> 
> Please sent changes as real patches so we can patch our source-code!
> 
> 
> With regards,
> 
> 
> Ronald van den Blink
Just getting around to reviewing this.

myjboss.te

1 You have jboss_rx_t defined but never used.
2 init_daemon_domain contains domain_type(jboss_t)
3 you should try to avoid using gen_require in a te file, you should try
to use interfaces instead
userdom_dontaudit_search_sysadm_home_dirs(jboss_t)
for example.
staff_tmp_t is not used anywhere
4 type port_t should probably be jboss_port_t and then map the actual
ports jboss needs to connect/bind to.

Probably jboss_rw_t and jboss_opt_t should be combined to one type
files_pid_filetrans(jboss_t,jboss_rw_t, { file dir })
Should probably be
files_pid_filetrans(jboss_t,jboss_var_run_t, { file dir })

Does jboss_tmp_t needed?  If yes you probably need
 files_tmp_filetrans(jboss_t,jboss_tmp_t, { file dir })

You are missing
allow jboss_t jboss_log_t:dir manage_dir_perms;
allow jboss_t jboss_log_t:file manage_file_perms;

Not sure you need this, or if jboss_t execs other jboss_exec_t you need
can_exec(jboss_t, jboss_exec_t)
allow jboss_t jboss_exec_t:dir r_dir_perms;


I would just remove the jbossjava stuff all together and use the
standard definitions of java.

I rewrote some of your defs and attached.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkffzjcACgkQrlYvE4MpobP2vACgonlpdAyBgqSiT4CVCv7A/mqH
TvEAoKXnUNCB3q6L9iCqfZ6arsORgs1z
=Xni2
-----END PGP SIGNATURE-----