diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 8d3c1d8..a7b1b65 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -416,14 +416,6 @@ optional_policy(`
 	unconfined_domain_noaudit(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)
 	unconfined_execmem_domtrans(rpm_script_t)
-
-	optional_policy(`
-		java_domtrans_unconfined(rpm_script_t)
-	')
-
-	optional_policy(`
-		mono_domtrans(rpm_script_t)
-	')
 ')
 
 optional_policy(`
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
index 6f3570a..70c661e 100644
--- a/policy/modules/apps/execmem.fc
+++ b/policy/modules/apps/execmem.fc
@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
 /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+#
+# /opt
+#
+/opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/MATLAB.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+#
+# /usr
+#
+/usr/Aptana[^/]*/AptanaStudio	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/fastjar	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/frysk		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gappletviewer	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gij		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gjarsigner	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gkeytool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/grmic		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/grmiregistry	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/jv-convert	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/octave-[^/]*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera(/.*)?/opera --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera(/.*)?/works --	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/ibm(/.*)?/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/bin/mono.*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
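Review bot: The `/usr/(.*/)?bin/java.*` entry ends in an unanchored `.*`, which can match across `/`, while the neighbouring `/opt/(.*/)?bin/java[^/]*` and `/usr/lib(.*/)?bin/java[^/]*` entries stop at the path component. I would write it as `/usr/(.*/)?bin/java[^/]*`. `/usr/bin/mono.*` likewise labels every binary whose name merely begins with `mono`. Each extra match matters if execmem_exec_t is what brings a process into the domains that execmem.te grants `execmem` and `execstack`, which this hunk does not show. The two `eclipse/plugins(/.*)?` entries label every regular file under those trees, not only executables, so a comment such as `# plugin trees ship native launchers that need execmem` would record why. `/usr/lib(.*/)?bin/java[^/]*` has no `/` after `lib`; if that is meant to cover lib64, a comment should say so.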
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
index e23f640..a78bec0 100644
--- a/policy/modules/apps/execmem.if
+++ b/policy/modules/apps/execmem.if
@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
 
 	allow $1 execmem_exec_t:file execmod;
 ')
-
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
index a7d37e2..fd8450f 100644
--- a/policy/modules/apps/execmem.te
+++ b/policy/modules/apps/execmem.te
@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
 #
 # Declarations
 #
+attribute execmem_type;
 
-type execmem_exec_t alias unconfined_execmem_exec_t;
+type execmem_exec_t;
+typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
 application_executable_file(execmem_exec_t)
 
+allow execmem_type self:process { execmem execstack };
+files_execmod_tmp(execmem_type)
+execmem_execmod(execmem_type)
+
+optional_policy(`
+	gnome_read_usr_config(execmem_type)
+')
+	
+optional_policy(`
+	mozilla_execmod_user_home_files(execmem_type)
+')
+
+optional_policy(`
+	nsplugin_rw_shm(execmem_type)
+	nsplugin_rw_semaphores(execmem_type)
+')
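Review bot: `allow execmem_type self:process { execmem execstack };` grants an executable stack together with executable anonymous memory to every domain carrying the new attribute, and the rule is unconditional. Many JIT runtimes need only execmem, so I would split it into `allow execmem_type self:process execmem;` and put `execstack` inside a `tunable_policy` block, or at least add a comment naming the binaries that require it. The `typealias` line folds java_exec_t and mono_exec_t into execmem_exec_t, so rules written elsewhere against either old name now apply to every file labelled in execmem.fc. A comment above it, for example `# java and mono binaries intentionally share one label`, would make that explicit. `attribute execmem_type;` also has no comment saying which domains are expected to carry it.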
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index d1b1280..f93103b 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -273,10 +273,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_domtrans(mozilla_t)
-')
-
-optional_policy(`
 	lpd_domtrans_lpr(mozilla_t)
 ')
 
@@ -456,7 +452,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_exec(mozilla_plugin_t)
+	execmem_exec(mozilla_plugin_t)
 ')
 
 optional_policy(`
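Review bot: Replacing `java_exec(mozilla_plugin_t)` with `execmem_exec(mozilla_plugin_t)` appears to widen what the plugin domain may execute. With java_exec_t now an alias of execmem_exec_t, the grant presumably covers every path labelled in execmem.fc (mono, MATLAB, Opera, Eclipse and so on), not only the Java runtime. The same substitution is made in podsleuth.te, boinc.te, hadoop.if and three places in hadoop.te. The body of the execmem_exec interface is not part of this diff, so what it allows should be confirmed. If the merged type rules out a narrower grant, a comment at each call site such as `# only the Java runtime is needed here` would keep the original intent visible to later reviewers.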
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index ccc15ab..9d0e298 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -85,5 +85,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mono_exec(podsleuth_t)
+	execmem_exec(podsleuth_t)
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index bfabe3f..fbbce55 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		java_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		lockdev_role(staff_r, staff_t)
 	')
 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7cd6d4f..e120bbc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		java_role(sysadm_r, sysadm_t)
-	')
-
-	optional_policy(`
 		lockdev_role(sysadm_r, sysadm_t)
 	')
 
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index fcc8949..6f1425f 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -337,10 +337,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
 	kerberos_filetrans_named_content(unconfined_t)
 ')
 
@@ -361,13 +357,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mono_role_template(unconfined, unconfined_r, unconfined_t)
-	unconfined_domain_noaudit(unconfined_mono_t)
-	role system_r types unconfined_mono_t;
-')
-
-
-optional_policy(`
 	mozilla_role_plugin(unconfined_r)
 
 	tunable_policy(`unconfined_mozilla_plugin_transition', `
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e5a8559..68013b7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		java_role(user_r, user_t)
-	')
-
-	optional_policy(`
 		lockdev_role(user_r, user_t)
 	')
 
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index 1cd57fd..a1db79d 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -107,14 +107,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_role_template(xguest, xguest_r, xguest_t)
-')
-
-optional_policy(`
-	mono_role_template(xguest, xguest_r, xguest_t)
-')
-
-optional_policy(`
 	mozilla_run_plugin(xguest_usertype, xguest_r)
 ')
 
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
index 1442451..add9ada 100644
--- a/policy/modules/services/boinc.te
+++ b/policy/modules/services/boinc.te
@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
 miscfiles_read_localization(boinc_project_t)
 
 optional_policy(`
-	java_exec(boinc_project_t)
+	execmem_exec(boinc_project_t)
 ')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 86ea0ba..a2c41fd 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -299,10 +299,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mono_domtrans(crond_t)
-')
-
-optional_policy(`
 	amanda_search_var_lib(crond_t)
 ')
 
@@ -553,10 +549,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mono_domtrans(system_cronjob_t)
-')
-
-optional_policy(`
 	mrtg_append_create_logs(system_cronjob_t)
 ')
 
@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
 	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
 
-# need a per-role version of this:
-#optional_policy(`
-#	mono_domtrans(cronjob_t)
-#')
-
 optional_policy(`
 	nis_use_ypbind(cronjob_t)
 ')
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 1e40c00..ae34382 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
 
 	hadoop_exec_config(hadoop_$1_t)
 
-	java_exec(hadoop_$1_t)
+	execmem_exec(hadoop_$1_t)
 
 	kerberos_use(hadoop_$1_t)
 
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 3889dc9..32dc803 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
 
 userdom_use_inherited_user_terminals(hadoop_t)
 
-java_exec(hadoop_t)
+execmem_exec(hadoop_t)
 
 kerberos_use(hadoop_t)
 
@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
 userdom_use_inherited_user_terminals(zookeeper_t)
 userdom_dontaudit_search_user_home_dirs(zookeeper_t)
 
-java_exec(zookeeper_t)
+execmem_exec(zookeeper_t)
 
 ########################################
 #
@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
 
 sysnet_read_config(zookeeper_server_t)
 
-java_exec(zookeeper_server_t)
+execmem_exec(zookeeper_server_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 60e0e2d..d14f2d6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1247,10 +1247,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mono_rw_shm(xserver_t)
-')
-
-optional_policy(`
 	rhgb_rw_shm(xserver_t)
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 53f3bfe..20dd3a0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1190,10 +1190,6 @@ optional_policy(`
 		unconfined_dontaudit_rw_pipes(daemon)
 	')
 
-	optional_policy(`
-		mono_domtrans(initrc_t)
-	')
-
 	# Allow SELinux aware applications to request rpm_script_t execution
 	rpm_transition_script(initrc_t)
 	
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e7a65ae..a001ce9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
 	')
 
 	optional_policy(`
-		java_role_template($1, $1_r, $1_t)
-	')
-
-	optional_policy(`
-		mono_role_template($1, $1_r, $1_t)
-	')
-
-	optional_policy(`
 		mount_run_fusermount($1_t, $1_r)
 		mount_read_pid_files($1_t)
 	')