java, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge
parent
b7980a45fc
commit
0f650e0dc5
@ -4,18 +4,29 @@
|
||||
## <summary>
|
||||
## Role access for java.
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## User domain for the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_exec_domain">
|
||||
## <summary>
|
||||
## User exec domain for execute and transition access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`java_role',`
|
||||
template(`java_role',`
|
||||
gen_require(`
|
||||
attribute_role java_roles;
|
||||
type java_t, java_exec_t, java_tmp_t;
|
||||
@ -27,17 +38,17 @@ interface(`java_role',`
|
||||
# Declarations
|
||||
#
|
||||
|
||||
roleattribute $1 java_roles;
|
||||
roleattribute $4 java_roles;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Policy
|
||||
#
|
||||
|
||||
domtrans_pattern($2, java_exec_t, java_t)
|
||||
domtrans_pattern($3, java_exec_t, java_t)
|
||||
|
||||
allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
|
||||
ps_process_pattern($2, java_t)
|
||||
allow $3 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
|
||||
ps_process_pattern($3, java_t)
|
||||
|
||||
allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
||||
allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms };
|
||||
@ -45,10 +56,14 @@ interface(`java_role',`
|
||||
allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
||||
allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
|
||||
allow java_t $2:process signull;
|
||||
allow java_t $2:unix_stream_socket connectto;
|
||||
allow java_t $2:unix_stream_socket { read write };
|
||||
allow java_t $2:tcp_socket { read write };
|
||||
allow java_t $3:process signull;
|
||||
allow java_t $3:unix_stream_socket connectto;
|
||||
allow java_t $3:unix_stream_socket { read write };
|
||||
allow java_t $3:tcp_socket { read write };
|
||||
|
||||
optional_policy(`
|
||||
systemd_user_app_status($1, java_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -63,18 +78,23 @@ interface(`java_role',`
|
||||
## </desc>
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## User domain for the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_exec_domain">
|
||||
## <summary>
|
||||
## User exec domain for execute and transition access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -122,7 +142,7 @@ template(`java_role_template',`
|
||||
auth_use_nsswitch($1_java_t)
|
||||
|
||||
optional_policy(`
|
||||
xserver_role($2, $1_java_t)
|
||||
xserver_role($1, $1_java_t, $3, $4)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -123,7 +123,7 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_role(staff_r, staff_t)
|
||||
java_role(staff, staff_t, staff_application_exec_domain, staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1258,7 +1258,7 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_role(sysadm_r, sysadm_t)
|
||||
java_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -91,7 +91,7 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_role(user_r, user_t)
|
||||
java_role(user, user_t, user_application_exec_domain, user_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -94,7 +94,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_role(xguest_r, xguest_t)
|
||||
java_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -113,7 +113,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_run_unconfined(unconfined_t, unconfined_r)
|
||||
java_run_unconfined(unconfined_application_exec_domain, unconfined_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1142,7 +1142,7 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_role($1_r, $1_t)
|
||||
java_role($1, $1_t, $1_application_exec_domain, $1_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
Loading…
Reference in New Issue
Block a user