From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 3 Jul 2012 21:18:57 +0200 Subject: [refpolicy] [PATCH 4/6] Do not mark java configuration tools as java entry points In-Reply-To: <1341343139-5179-1-git-send-email-sven.vermeulen@siphos.be> References: <1341343139-5179-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1341343139-5179-5-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Some java-supporting tools, like java-config and java-check-environment, are not to be used as entry points for the java_t domain. Instead, these should run with the privileges of the calling domain (and as such should remain bin_t). The expression itself (java[^-]*) is to still support commonly found java version binaries (java1.4, java5, java6). Signed-off-by: Sven Vermeulen --- java.fc | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/java.fc b/java.fc index 72f3df0..bc1a419 100644 --- a/java.fc +++ b/java.fc @@ -9,7 +9,7 @@ # # /usr # -/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/(.*/)?bin/java[^-]* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) -- 1.7.8.6
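Review bot: the new expression `/usr/(.*/)?bin/java[^-]*` in the java.fc hunk excludes every `java*` basename that contains a hyphen, not just the java-config and java-check-environment tools named in the description, so any hyphenated java entry point that exists or is added later will silently fall back to bin_t; a short comment above the line in java.fc recording that hyphenated names are deliberately left as bin_t would save the next reader from having to find this commit message. Separately, `[^-]*` still matches `/`, so regular files in a subdirectory under a `java*` path (for example `.../bin/java/foo`) are also labelled java_exec_t, exactly as with the old `java.*`; if the intent is to match only the executable's basename, `java[^-/]*` is the tighter form.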