[selinux-policy: 2229/3172] Fix unconfined_r use of unconfined_java_t.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:17:52 UTC 2010


commit b2648249d9b0bc0dcf93ba1112ff7ebad428ac04
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 17 13:19:26 2009 -0400

    Fix unconfined_r use of unconfined_java_t.
    
    The unconfined role runs java in the unconfined_java_t domain.  The current
    policy only has a domtrans interface, so the unconfined_java_t domain is not
    added to unconfined_r.  Add a run interface and change the unconfined module
    to use this new interface.

 Changelog                           |    1 +
 policy/modules/apps/java.if         |   24 ++++++++++++++++++++++++
 policy/modules/apps/java.te         |    2 +-
 policy/modules/system/unconfined.te |    4 ++--
 4 files changed, 28 insertions(+), 3 deletions(-)
---
diff --git a/Changelog b/Changelog
index 8111e07..9154f9a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Fix unconfined_r use of unconfined_java_t.
 - Add missing x_device rules for XI2 functions, from Eamon Walsh.
 - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
 - Add btrfs and ext4 to labeling targets.
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index a620f39..ec61413 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -68,3 +68,27 @@ interface(`java_domtrans_unconfined',`
 	domtrans_pattern($1, java_exec_t, unconfined_java_t)
 	corecmd_search_bin($1)
 ')
+
+########################################
+## <summary>
+##	Execute the java program in the unconfined java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+	gen_require(`
+		type unconfined_java_t;
+	')
+
+	java_domtrans_unconfined($1)
+	role $2 types unconfined_java_t;
+')
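Review bot: The doc block for `java_run_unconfined` reads as a plain domain transition and never says that the interface also authorises the role for `unconfined_java_t`, so the security effect of `role $2 types unconfined_java_t;` is easy to miss. Any role passed as `$2` gains a path into an unconfined domain, so I would change the summary to `Execute the java program in the unconfined java domain, and allow the specified role the unconfined java domain.` and the first parameter text to `Domain allowed to transition.`. A comment above the role statement, such as `# $2 may now enter an unconfined domain; pass only roles meant to be unconfined`, would help whoever reviews future callers. If the tree follows the usual interface documentation convention (not visible in this hunk), a `## <rolecap/>` line after the role parameter would also mark it as a role capability.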
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 3c4657f..47ea763 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
 
-policy_module(java, 2.1.0)
+policy_module(java, 2.1.1)
 
 ########################################
 #
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 0f2cfb6..662e60d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined, 3.0.0)
+policy_module(unconfined, 3.0.1)
 
 ########################################
 #
@@ -123,7 +123,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_domtrans_unconfined(unconfined_t)
+	java_run_unconfined(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`

