Two diferent Java programs on same machine

[giovanni testing]

I keep record of it :)

Thank you a lot !

2010/7/15 Stephen Smalley <sds at tycho.nsa.gov>

> On Thu, 2010-07-15 at 12:10 +0200, giovanni testing wrote:
> > Hi,
> >
> > I've fixed it (thanks to "/sbin/ausearch -i | grep nano | grep avc"),
> > and the allow lines needed are:
> >
> > allow MyPolicy_t bin_t:file entrypoint;
>
> This is fine for testing purposes, but for real use, you only want
> MyPolicy to have entrypoint permission to MyPolicy_exec_t, i.e. the
> MyPolicy_t domain can only be entered by executing a program labeled
> MyPolicy_exec_t.  This can be done using the domain_entry_file()
> interface.
>
> > allow MyPolicy_t usr_t:file { read open };
> >
> > I think that the second one is not appropiated, because MyPolicy now
> > can access to every "usr_t" file (but is only needed to access to
> > "/usr/share/terminfo/x/xterm").
> >
> > To fix that, I'm thinking in a solution that I don't know if is
> > possible: label the file "/usr/share/terminfo/x/xterm" with "xterm_t"
> > instead of "usr_t", but maybe it can block other applications to use
> > "/usr/share/terminfo/x/xterm", so the "xterm_t" needs to be equivalent
> > to "usr_t". To do it I'm thinking to use an alias, but if is
> > bidirectional it will be insecure again. As these lines can seem a bit
> > confusing, there is a little scheme:
> >
> > I need:
> > - "MyPolicy_t" can use "xterm_t"
> > - "MyPolicy_t" cannot "usr_t"
> > - Other policies continue being able to use
> > "/usr/share/terminfo/x/xterm" while they allow use "usr_t" and they
> > have not specified to allow "xterm_t".
> >
> > So accessing to "usr_t" needs to be able to access to "xterm_t", but
> > accessing to "xterm_t" not needs to be able to access to "usr_t" (this
> > is what I say that it not needs to be bidirectional). Maybe it can be
> > done that way (putting the following lines instead the two before):
> >
> > allow MyPolicy_t bin_t:file entrypoint;
> > allow usr_t xterm_t:file manage_file_perms;
> > allow MyPolicy_t xterm_t:file { read open };
>
> I would suggest introducing a generic terminfo_t type or similar for all
> of the files under /usr/share/terminfo, and then allowing most or all
> domains to read that type.  That would need to be upstreamed to the main
> policy as it modifies the type of a base system file.
>
> The second allow rule is not what you want, as it doesn't mean anything
> (no process runs in usr_t).  You could however do:
> allow domain terminfo_t:file read_file_perms;
>
> --
> Stephen Smalley
> National Security Agency
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20100715/48745488/attachment.html