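policy_module(myjboss, 1.1.2)

########################################
#
# Declarations
#

# Process domain for the JBoss server, entered from its entrypoint
# executable by the init script (init_daemon_domain).
type jboss_t;
type jboss_exec_t;
domain_type(jboss_t)
init_daemon_domain(jboss_t, jboss_exec_t)
role system_r types jboss_t;

# Port type the server may bind to and connect to (see Network below).
type jboss_port_t;
ports_type(jboss_port_t)

# Log files written by the server.
type jboss_log_t;
logging_log_file(jboss_log_t)

# Temporary files created under the generic tmp directory.
type jboss_tmp_t;
files_tmp_file(jboss_tmp_t)

# Writable data / deployment directories owned by the server.
type jboss_rw_t;
files_type(jboss_rw_t)

# PID file created under the pid directory.
type jboss_var_run_t;
files_pid_file(jboss_var_run_t)

########################################
#
# jboss local policy
#

# Init script handling
domain_use_interactive_fds(jboss_t)

# dac_override bypasses file-mode checks for this domain; execmem is the
# writable+executable anonymous mapping a JIT-compiling JVM needs.
allow jboss_t self:capability dac_override;
allow jboss_t self:process { execmem getsched signal };

## internal communication is often done using fifo and unix sockets.
allow jboss_t self:fifo_file rw_file_perms;
allow jboss_t self:unix_stream_socket create_stream_socket_perms;
allow jboss_t self:tcp_socket create_stream_socket_perms;

# Allow access to our own files
allow jboss_t jboss_exec_t:dir r_dir_perms;

allow jboss_t jboss_rw_t:dir manage_dir_perms;
allow jboss_t jboss_rw_t:file manage_file_perms;

allow jboss_t jboss_log_t:dir manage_dir_perms;
allow jboss_t jboss_log_t:file manage_file_perms;

allow jboss_t jboss_tmp_t:file manage_file_perms;
allow jboss_t jboss_tmp_t:dir create_dir_perms;
files_tmp_filetrans(jboss_t, jboss_tmp_t, { file dir })

# PID file handling. The transition must target the declared pid type
# jboss_var_run_t (the previous rule named jboss_var_log_t, which is never
# declared in this module), and the domain needs permission to create,
# write and remove the file it transitions to.
allow jboss_t jboss_var_run_t:dir manage_dir_perms;
allow jboss_t jboss_var_run_t:file manage_file_perms;
files_pid_filetrans(jboss_t, jboss_var_run_t, { file dir })

files_read_etc_files(jboss_t)

# Network
allow jboss_t jboss_port_t:tcp_socket { name_bind name_connect };

# Localization access
miscfiles_read_localization(jboss_t)
auth_use_nsswitch(jboss_t)

# lib access
libs_use_ld_so(jboss_t)
libs_use_lib_files(jboss_t)
libs_use_shared_libs(jboss_t)

# Call our own bin-dir
corecmd_exec_bin(jboss_t)
corecmd_read_bin_symlinks(jboss_t)
corecmd_search_bin(jboss_t)
corecmd_search_sbin(jboss_t)

# Randomizer access for ssl
dev_read_rand(jboss_t)
dev_read_urand(jboss_t)

# Network Access
kernel_read_network_state(jboss_t)
kernel_search_network_state(jboss_t)
corenet_tcp_bind_http_cache_port(jboss_t)
corenet_tcp_bind_http_port(jboss_t)
corenet_tcp_bind_generic_node(jboss_t)
corenet_tcp_bind_inaddr_any_node(jboss_t)
# NOTE(review): binding the Kerberos master port is unusual for an
# application server; confirm a listener really needs it, otherwise drop it.
corenet_tcp_bind_kerberos_master_port(jboss_t)
corenet_tcp_bind_lo_node(jboss_t)
corenet_non_ipsec_sendrecv(jboss_t)
corenet_tcp_connect_http_cache_port(jboss_t)
corenet_tcp_connect_http_port(jboss_t)
sysnet_dns_name_resolve(jboss_t)

# NOTE(review): jboss_tmp_t above already covers the server's own temp
# files; managing generic tmp files/dirs widens the footprint to every
# unlabeled tmp object. Confirm it is still required.
files_manage_generic_tmp_files(jboss_t)
files_manage_generic_tmp_dirs(jboss_t)
files_read_usr_symlinks(jboss_t)

kernel_read_system_state(jboss_t)

# sysadm_home_dir_t is declared by the base policy, not by this module;
# bring it into scope so the module builds on its own.
gen_require(`
	type sysadm_home_dir_t;
')
dontaudit jboss_t sysadm_home_dir_t:dir search;

# Go to jbossjava domain (interfaces provided by the jbossjava module)
jbossjava_read_lnk(jboss_t)
jbossjava_execute_file(jboss_t)
jbossjava_search_r_dir(jboss_t)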