#
# Authors:  Dan Walsh
#
# Macros for javaplugin (java plugin) domains.
#

#
# javaplugin_domain(domain_prefix, user)
#
# Define a derived domain for the javaplugin program when executed by
# a web browser.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/java.te.
#
# Parameters, as used in the body below:
#   $1 (domain_prefix)  names the calling domain ($1_t), the derived plugin
#                       domain ($1_javaplugin_t) and the home type ($1_home_t).
#   $2 (user)           names the role ($2_r) and the per-user types
#                       ($2_t, $2_tmp_t, $2_home_dir_t, $2_xauth_home_t, ...).
#
# Helper macros called here (domain_auto_trans, can_network_client, tmp_domain,
# rw_dir_file, legacy_domain, ...) are defined elsewhere; the notes on them
# below go by their names and call sites and should be confirmed against
# their definitions.
#
# Review notes:
#   - The plugin domain is not isolated from its caller: the transition is
#     granted noatsecure, the plugin may read and write the caller stream
#     socket, and rw_dir_file is applied to $1_home_t.
#   - The allow_java_execstack boolean adds execute permission on several
#     file types, including the plugin tmp type.
#   - Several dontaudit rules suppress denial logging, so audit-based
#     detection will not see those access attempts.
#
define(`javaplugin_domain',`
# Declare the derived domain type with its attributes.
type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;

# The user role is authorized for this domain.
role $2_r types $1_javaplugin_t;
# Running a java_exec_t file from $1_t moves the process into the plugin domain.
domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
# Unrestricted inheritance from the caller.
# NOTE(review): noatsecure means secure-mode environment cleansing is not
# requested on this transition, so linker-related environment variables set
# in $1_t carry into the plugin domain; siginh and rlimitinh likewise keep
# the signal state and resource limits of the caller.
allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
# signull only lets the plugin probe that the caller process exists.
allow $1_javaplugin_t $1_t:process signull;
can_unix_connect($1_javaplugin_t, $1_t)
allow $1_javaplugin_t $1_t:unix_stream_socket { read write };

# This domain is granted permissions common to most domains (including can_net)
# NOTE(review): by name this grants outbound network access - confirm scope.
can_network_client($1_javaplugin_t)
can_ypbind($1_javaplugin_t)
allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t etc_runtime_t:file { getattr read };
allow $1_javaplugin_t fs_t:filesystem getattr;
r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
# Objects labeled with the domain type itself; presumably the per-process
# entries under /proc - confirm.
allow $1_javaplugin_t self:dir search;
allow $1_javaplugin_t self:lnk_file read;
allow $1_javaplugin_t self:file { getattr read };
read_sysctl($1_javaplugin_t)
# The execstack block below refers to $1_javaplugin_tmp_t; presumably
# tmp_domain is what declares that type - confirm.
tmp_domain($1_javaplugin)
r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })

# Search bin directory under javaplugin for javaplugin executable
allow $1_javaplugin_t bin_t:dir search;
can_exec($1_javaplugin_t, java_exec_t)

# Allow connections to X server.
# The nested rules are emitted only when the named policy files are part of
# the build.
ifdef(`xserver.te', `

ifdef(`xdm.te', `
# for when /tmp/.X11-unix is created by the system
allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
allow $1_javaplugin_t xdm_tmp_t:dir search;
allow $1_javaplugin_t xdm_tmp_t:sock_file write;
')

ifdef(`startx.te', `
# for when /tmp/.X11-unix is created by the X server
allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
# for /tmp/.X0-lock
allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
can_unix_connect($1_javaplugin_t, $2_xserver_t)
')dnl end startx

# NOTE(review): these rules name xdm_xserver_t but are guarded only by
# xserver.te, not xdm.te - confirm the type is declared whenever xserver.te
# is present.
can_unix_connect($1_javaplugin_t, xdm_xserver_t)
allow xdm_xserver_t $1_javaplugin_t:fd use;
# The X server may attach to and read plugin shared memory; its write
# attempts stay denied and are not logged.
allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };

')dnl end xserver

allow $1_javaplugin_t self:shm create_shm_perms;

uses_shlib($1_javaplugin_t)
read_locale($1_javaplugin_t)
# NOTE(review): by name this gives the plugin read and write access to
# $1_home_t content - confirm against the macro definition.
rw_dir_file($1_javaplugin_t, $1_home_t)

# Rules below apply only while the allow_java_execstack boolean is on.
# NOTE(review): with the boolean on, the plugin may execute files of its own
# tmp type. If it can also create files of that type (tmp_domain above,
# presumably), that is a write-then-execute path; keep the boolean off unless
# the JVM in use requires it. legacy_domain is defined elsewhere; presumably
# it grants the executable-memory permissions - confirm.
if (allow_java_execstack) {
legacy_domain($1_javaplugin)
allow $1_javaplugin_t lib_t:file execute;
allow $1_javaplugin_t locale_t:file execute;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
allow $1_javaplugin_t fonts_t:file execute;
allow $1_javaplugin_t sound_device_t:chr_file execute;
}

allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;

allow $1_javaplugin_t home_root_t:dir { getattr search };
# Objects the plugin creates in $2_home_dir_t directories get type $1_home_t.
file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
# NOTE(review): presumably the X authority file of the user; read access
# lets the plugin authenticate to the X server as that user - confirm.
allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
allow $1_javaplugin_t $2_tmp_t:sock_file write;
# Use file descriptors inherited from the user domain.
allow $1_javaplugin_t $2_t:fd use;

allow $1_javaplugin_t var_t:dir getattr;
allow $1_javaplugin_t var_lib_t:dir { getattr search };

# The accesses below stay denied, but the denials are not written to the
# audit log. NOTE(review): attempts to execute tmpfs_t or $1_home_t files are
# therefore silent; rebuild without these dontaudit rules when investigating
# plugin behaviour.
dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };

')