
List:       selinux
Subject:    Re: writing a java policy file
From:       Colin Walters <walters () verbum ! org>
Date:       2003-07-31 3:30:56

On Wed, 2003-07-30 at 22:02, Michael Luu wrote:
> hi all,
> 
> I'm trying to set up a simple java policy whereby I only allow a specific
> user (in java_r role) to run a java (type java_t) application that
> communicates with a server (e.g., www.yahoo.com).  

I think that java_t is a bad name for what you're doing.  It seems to me
that you are writing a policy for a program which is implemented in
Java, not the JVM itself.

What you probably want to do is write up a macro like

uses_java(foo_t)

that gives an application privileges to do everything that the JVM does
by default (i.e. using shared libraries, maybe mmapping /dev/zero,
whatever).  

Then you should write a policy for your application, call it myapp_t,
and use the uses_java macro.  The .fc file looks fine though.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
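
A sketch of the layout suggested in the reply above, written as an added example in the old m4-based example-policy syntax; it is not code from the thread or from the SELinux project. It assumes the policy tree provides the uses_shlib, can_exec, can_network and domain_auto_trans macros, the attributes shown, and zero_device_t; myapp_exec_t, java_exec_t and the calling domain user_t are hypothetical names.

```m4
# Added illustration, not from the original thread.
# Assumed to exist in the policy tree: uses_shlib, can_exec, can_network,
# domain_auto_trans, the type attributes used below, and zero_device_t.
# Hypothetical names: java_exec_t (label on the JVM binary),
# myapp_exec_t (label on the application launcher), user_t (calling domain).

type java_exec_t, file_type, sysadmfile, exec_type;

# uses_java(domain): the baseline any JVM-hosted program needs.
# Keep this macro limited to what the JVM itself does by default;
# application-specific access belongs in the application domain.
define(`uses_java', `
uses_shlib($1)
# Run the JVM binary inside the calling domain, with no transition.
can_exec($1, java_exec_t)
# The "maybe mmapping /dev/zero" case: keep this rule only if audit
# denials show the JVM really needs it.
allow $1 zero_device_t:chr_file { read write execute };
')

# The application gets its own domain instead of a generic java_t.
type myapp_t, domain;
type myapp_exec_t, file_type, sysadmfile, exec_type;

# Only the java_r role may enter the application domain.
role java_r types myapp_t;

# Executing the launcher from the calling domain enters myapp_t.
domain_auto_trans(user_t, myapp_exec_t, myapp_t)

# JVM baseline plus the one application-specific need: network access.
uses_java(myapp_t)
# can_network grants general network access; restricting the domain to
# a single server would need narrower rules than this macro provides.
can_network(myapp_t)
```

With this split, a second Java program gets its own domain and calls uses_java again, so neither program inherits the other's application-specific permissions.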