From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 21 Jun 2017 18:17:15 -0400
Subject: [refpolicy] [PATCH] java: let javaws execute binaries and the
 shell
In-Reply-To: <1497985828.4769.19.camel@trentalancia.com>
References: <1497985828.4769.19.camel@trentalancia.com>
Message-ID: <f380bda3-0c45-3a2e-2985-b770a7df7142@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/20/2017 03:10 PM, Guido Trentalancia via refpolicy wrote:
> Let Java Web Start (domain java_t) execute generic binaries
> and the shell.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>  policy/modules/contrib/java.te |    3 +++
>  1 file changed, 3 insertions(+)
>
> --- a/policy/modules/contrib/java.te	2017-05-23 21:34:17.369592081 +0200
> +++ b/policy/modules/contrib/java.te	2017-06-20 21:07:46.988046583 +0200
> @@ -133,6 +133,9 @@ tunable_policy(`allow_java_execstack',`
>  auth_use_nsswitch(java_t)
>
>  corecmd_search_bin(java_t)
> +# Java Web Start (javaws) executes generic binaries and the shell
> +corecmd_exec_bin(java_t)
> +corecmd_exec_shell(java_t)

I'm reluctant to add this.  java_t is a generic domain; it is not the 
javaws domain.

-- 
Chris PeBenito