[selinux-policy: 2229/3172] Fix unconfined_r use of unconfined_java_t.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:17:52 UTC 2010
commit b2648249d9b0bc0dcf93ba1112ff7ebad428ac04
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Aug 17 13:19:26 2009 -0400
Fix unconfined_r use of unconfined_java_t.
The unconfined role runs java in the unconfined_java_t domain. The current
policy only has a domtrans interface, so the unconfined_java_t domain is not
added to unconfined_r. Add a run interface and change the unconfined module
to use this new interface.
Changelog | 1 +
policy/modules/apps/java.if | 24 ++++++++++++++++++++++++
policy/modules/apps/java.te | 2 +-
policy/modules/system/unconfined.te | 4 ++--
4 files changed, 28 insertions(+), 3 deletions(-)
---
diff --git a/Changelog b/Changelog
index 8111e07..9154f9a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Fix unconfined_r use of unconfined_java_t.
- Add missing x_device rules for XI2 functions, from Eamon Walsh.
- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
- Add btrfs and ext4 to labeling targets.
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index a620f39..ec61413 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -68,3 +68,27 @@ interface(`java_domtrans_unconfined',`
domtrans_pattern($1, java_exec_t, unconfined_java_t)
corecmd_search_bin($1)
')
+
+########################################
+## <summary>
+## Execute the java program in the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+ gen_require(`
+ type unconfined_java_t;
+ ')
+
+ java_domtrans_unconfined($1)
+ role $2 types unconfined_java_t;
+')
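Review bot: The summary on `java_run_unconfined` in java.if describes only the domain transition and does not mention the `role $2 types unconfined_java_t;` statement, which is what separates this interface from `java_domtrans_unconfined`. I would change the summary to `## Execute the java program in the unconfined java domain, and allow the specified role the unconfined java domain.` so the role authorization shows up in the generated interface documentation. Because unconfined_java_t is an unconfined domain, the `role` parameter description could also state that the role passed in is authorized for an unconfined domain, for example `## Role allowed the unconfined java domain.`, so that a later caller does not pass a confined user role without noticing what it grants.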
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 3c4657f..47ea763 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java, 2.1.0)
+policy_module(java, 2.1.1)
########################################
#
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 0f2cfb6..662e60d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined, 3.0.0)
+policy_module(unconfined, 3.0.1)
########################################
#
@@ -123,7 +123,7 @@ optional_policy(`
')
optional_policy(`
- java_domtrans_unconfined(unconfined_t)
+ java_run_unconfined(unconfined_t, unconfined_r)
')
optional_policy(`