Hi, here is a sample policy for Tomcat 5. Could we integrate this (or a reviewed and much improved version) into Fedora? Regards, Christoph
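# tomcat5.fc -- file contexts for the Tomcat 5 policy module.
#
# Launcher scripts: entry points into tomcat5_t (the domain the .te file
# sets up with init_daemon_domain).
/usr/bin/tomcat5		--	gen_context(system_u:object_r:tomcat5_exec_t,s0)
/usr/bin/dtomcat5		--	gen_context(system_u:object_r:tomcat5_exec_t,s0)

# Log tree.  The (/.*)? form labels the directory itself, any
# subdirectories and every object below it.  The earlier pair of entries
# (-d on the directory, -- on its regular files only) left subdirectories
# and non-regular files under /var/log/tomcat5 with the parent's generic
# /var/log label, which neither tomcat5_t nor tomcat5_java_t has a write
# rule for.
/var/log/tomcat5(/.*)?			gen_context(system_u:object_r:tomcat5_log_t,s0)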
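policy_module(tomcat5,0.3)

########################################
#
# Declarations
#

# Two domains:
#  - tomcat5_t      the launcher (/usr/bin/tomcat5, /usr/bin/dtomcat5) that
#                   init starts;
#  - tomcat5_java_t the JVM the launcher execs.  It runs the servlet
#                   container and every deployed web application, so it is
#                   the domain that processes untrusted network input and
#                   the one whose privileges matter most.
type tomcat5_t;
type tomcat5_exec_t;
# init_daemon_domain() marks tomcat5_t as a domain, makes tomcat5_exec_t its
# entry point, adds it to system_r and lets init transition into it, so the
# separate domain_type()/domain_entry_file() calls are not needed.
init_daemon_domain(tomcat5_t, tomcat5_exec_t)

type tomcat5_java_t;
domain_type(tomcat5_java_t)
role system_r types tomcat5_java_t;

# The JVM domain is entered through the java binary, whose type belongs to
# the java module.
# NOTE(review): the java module's own transition interface (java_spec_domtrans,
# commented out in the original) is preferable to a raw gen_require once it is
# available in the target refpolicy version.
gen_require(`
	type java_exec_t;
')
domain_entry_file(tomcat5_java_t, java_exec_t)

type tomcat5_log_t;
logging_log_file(tomcat5_log_t)

type tomcat5_tmp_t;
files_tmp_file(tomcat5_tmp_t)

########################################
#
# tomcat5_t local policy (launcher)
#

# The launcher talks to its own pipes.  The original used
# rw_fifo_files_pattern(tomcat5_t, tomcat5_t, tomcat5_t), whose directory
# argument was the domain itself; this is the rule it actually meant.
allow tomcat5_t self:fifo_file rw_fifo_file_perms;

# Exec of java moves the process into tomcat5_java_t.  The inheritance
# permissions are checked on the parent (transition source) side.
domain_auto_trans(tomcat5_t, java_exec_t, tomcat5_java_t)
allow tomcat5_t tomcat5_java_t:process { rlimitinh siginh noatsecure };

# Logs: manage covers the read/append the original also granted separately.
manage_files_pattern(tomcat5_t, tomcat5_log_t, tomcat5_log_t)
logging_search_logs(tomcat5_t)

# Private tmp: files the launcher creates under /tmp are labelled
# tomcat5_tmp_t instead of the generic tmp type.
manage_files_pattern(tomcat5_t, tomcat5_tmp_t, tomcat5_tmp_t)
files_tmp_filetrans(tomcat5_t, tomcat5_tmp_t, file)

# Needed during startup: the launcher is a shell script that reads its
# configuration, resolves shared libraries and runs helpers from bin_t.
kernel_read_system_state(tomcat5_t)
corecmd_search_bin(tomcat5_t)
corecmd_getattr_bin_files(tomcat5_t)
corecmd_exec_bin(tomcat5_t)
corecmd_exec_shell(tomcat5_t)
files_search_etc(tomcat5_t)
files_read_etc_files(tomcat5_t)
files_search_usr(tomcat5_t)
files_read_usr_files(tomcat5_t)
# NOTE(review): carried over from the original; confirm from the audit log
# that the launcher really writes utmp, otherwise drop it.
init_write_utmp(tomcat5_t)
libs_search_lib(tomcat5_t)
libs_use_ld_so(tomcat5_t)
libs_use_shared_libs(tomcat5_t)
miscfiles_read_localization(tomcat5_t)

########################################
#
# tomcat5_java_t local policy (JVM / servlet container)
#

# Self permissions, merged from the two overlapping rules in the original.
# execmem is what a JIT normally needs; execheap and execstack relax W^X
# further and should only stay if the JVM in use actually triggers them
# (check the audit log).  rlimitinh/siginh/noatsecure are transition
# permissions and are never checked against self, so they are gone.
allow tomcat5_java_t self:process { signal signull sigchld getsched sigkill execmem execheap execstack };

# Interaction with the launcher that started it.  The original also listed
# execheap/execmem/execstack and the inheritance permissions with tomcat5_t
# as target; those are only ever checked against self or on the transition
# source, so they did nothing here.
allow tomcat5_java_t tomcat5_t:process { sigchld getsched sigkill };
allow tomcat5_java_t tomcat5_t:fifo_file rw_fifo_file_perms;

# Network: the container listens on its connector ports and opens outbound
# connections (JDBC, proxied requests, ...).
allow tomcat5_java_t self:tcp_socket create_stream_socket_perms;
# Interface and address enumeration only needs nlmsg_read; nlmsg_write
# would let a deployed web application change the routing table.
allow tomcat5_java_t self:netlink_route_socket r_netlink_socket_perms;
# TODO(review): bind/connect to every port is far wider than a web container
# needs; restrict to the configured connector ports with the matching
# corenet_tcp_bind_*_port() / corenet_tcp_connect_*_port() interfaces.
corenet_tcp_bind_all_ports(tomcat5_java_t)
corenet_tcp_connect_all_ports(tomcat5_java_t)
corenet_tcp_sendrecv_all_ports(tomcat5_java_t)
corenet_tcp_bind_mapped_ipv4_node(tomcat5_java_t)
corenet_tcp_sendrecv_mapped_ipv4_node(tomcat5_java_t)
corenet_tcp_bind_unspec_node(tomcat5_java_t)
corenet_tcp_sendrecv_unspec_node(tomcat5_java_t)
kernel_search_network_state(tomcat5_java_t)
kernel_read_network_state(tomcat5_java_t)
sysnet_read_config(tomcat5_java_t)

# Logs: manage subsumes the separate create/write patterns of the original.
manage_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
logging_search_logs(tomcat5_java_t)

# Private tmp for the JVM.  New files and directories it creates under /tmp
# get tomcat5_tmp_t; the generic /tmp access the original granted is kept
# for anything that already exists there.
manage_dirs_pattern(tomcat5_java_t, tomcat5_tmp_t, tomcat5_tmp_t)
manage_files_pattern(tomcat5_java_t, tomcat5_tmp_t, tomcat5_tmp_t)
files_tmp_filetrans(tomcat5_java_t, tomcat5_tmp_t, { file dir })
files_manage_generic_tmp_dirs(tomcat5_java_t)
files_manage_generic_tmp_files(tomcat5_java_t)

# Configuration and state.
# TODO(review): files_manage_etc_files and files_manage_var_files allow the
# container -- and therefore every deployed web application -- to rewrite
# any etc_t or var_t file on the system.  Label Tomcat's configuration,
# work and webapp directories with dedicated tomcat5_*_t types (matching
# .fc entries for the package's paths) and restrict writes to those, keeping
# only the read interfaces here.
files_search_etc(tomcat5_java_t)
files_manage_etc_files(tomcat5_java_t)
files_manage_var_files(tomcat5_java_t)
files_search_var_lib(tomcat5_java_t)
files_read_var_lib_files(tomcat5_java_t)
files_read_var_lib_symlinks(tomcat5_java_t)
files_search_usr(tomcat5_java_t)
files_read_usr_files(tomcat5_java_t)
files_read_usr_symlinks(tomcat5_java_t)

# Binaries and libraries: the JVM may re-exec java without a domain change
# and loads its native libraries from lib_t.
allow tomcat5_java_t java_exec_t:file execute_no_trans;
corecmd_search_bin(tomcat5_java_t)
corecmd_getattr_bin_files(tomcat5_java_t)
corecmd_read_bin_files(tomcat5_java_t)
libs_search_lib(tomcat5_java_t)
libs_read_lib_files(tomcat5_java_t)
libs_use_ld_so(tomcat5_java_t)
libs_use_shared_libs(tomcat5_java_t)

# /proc, sysfs, entropy sources and locale data.
kernel_read_system_state(tomcat5_java_t)
dev_read_sysfs(tomcat5_java_t)
dev_read_rand(tomcat5_java_t)
dev_read_urand(tomcat5_java_t)
miscfiles_read_localization(tomcat5_java_t)

# Interfaces from other modules are wrapped so this module still builds
# when those modules are not loaded.
optional_policy(`
	nscd_read_pid(tomcat5_java_t)
')

optional_policy(`
	# Terminal access is silenced rather than granted.
	unconfined_dontaudit_use_terminals(tomcat5_java_t)
')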