2017-06-20 19:10:28

by Guido Trentalancia

Subject: [refpolicy] [PATCH] java: let javaws execute binaries and the shell

Let Java Web Start (domain java_t) execute generic binaries
and the shell.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/java.te | 3 +++
1 file changed, 3 insertions(+)

--- a/policy/modules/contrib/java.te 2017-05-23 21:34:17.369592081 +0200
+++ b/policy/modules/contrib/java.te 2017-06-20 21:07:46.988046583 +0200
@@ -133,6 +133,9 @@ tunable_policy(`allow_java_execstack',`
auth_use_nsswitch(java_t)

corecmd_search_bin(java_t)
+# Java Web Start (javaws) executes generic binaries and the shell
+corecmd_exec_bin(java_t)
+corecmd_exec_shell(java_t)

dev_read_sysfs(java_t)
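
Review bot: The added comment names Java Web Start (javaws), but both new lines, `corecmd_exec_bin(java_t)` and `corecmd_exec_shell(java_t)`, grant the access to java_t itself, and nothing in the hunk makes them conditional. Everything that runs in java_t would gain the ability to execute generic binaries and the shell, not only javaws. Consider attaching the two rules to a javaws-specific domain, or wrapping them in a tunable_policy block like the `allow_java_execstack` one named in the hunk header so the access is off by default, and reword the comment to match whichever scope is chosen.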



2017-06-21 22:17:15

by Chris PeBenito

Subject: [refpolicy] [PATCH] java: let javaws execute binaries and the shell

On 06/20/2017 03:10 PM, Guido Trentalancia via refpolicy wrote:
> Let Java Web Start (domain java_t) execute generic binaries
> and the shell.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/java.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- a/policy/modules/contrib/java.te 2017-05-23 21:34:17.369592081 +0200
> +++ b/policy/modules/contrib/java.te 2017-06-20 21:07:46.988046583 +0200
> @@ -133,6 +133,9 @@ tunable_policy(`allow_java_execstack',`
> auth_use_nsswitch(java_t)
>
> corecmd_search_bin(java_t)
> +# Java Web Start (javaws) executes generic binaries and the shell
> +corecmd_exec_bin(java_t)
> +corecmd_exec_shell(java_t)
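
Review bot: Missing justification for the two `+` rules: neither the commit message nor the in-line comment says which binaries javaws runs or why it needs a shell, so there is no way to judge from the patch whether a narrower grant would do. Please include the denials seen without these rules, or name the programs being executed, in the commit message, and shorten the comment above `corecmd_exec_bin(java_t)` to state that reason.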

I'm reluctant to add this. java_t is a generic domain; it is not the
javaws domain.

--
Chris PeBenito

2017-06-22 00:43:48

by Guido Trentalancia

Subject: [refpolicy] [PATCH] java: let javaws execute binaries and the shell

The generic domain at the moment is "java_domain".

Without this permission, Java Web Start does not work.

I did rush to submit it for the new release... But, it is up to you at
this point.

Regards,

Guido

On Wed, 21/06/2017 at 18.17 -0400, Chris PeBenito wrote
> On 06/20/2017 03:10 PM, Guido Trentalancia via refpolicy wrote:
> > Let Java Web Start (domain java_t) execute generic binaries
> > and the shell.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/java.te | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > --- a/policy/modules/contrib/java.te 2017-05-23
> > 21:34:17.369592081 +0200
> > +++ b/policy/modules/contrib/java.te 2017-06-20
> > 21:07:46.988046583 +0200
> > @@ -133,6 +133,9 @@ tunable_policy(`allow_java_execstack',`
> > auth_use_nsswitch(java_t)
> >
> > corecmd_search_bin(java_t)
> > +# Java Web Start (javaws) executes generic binaries and the shell
> > +corecmd_exec_bin(java_t)
> > +corecmd_exec_shell(java_t)
>
> I'm reluctant to add this. java_t is a generic domain; it is not the
> javaws domain.
>