Feature request: Tomcat5-Policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

here is a sample policy for Tomcat5. Could we integrate this (or a
reviewed and much better version) into fedora?

regards

christoph
/usr/bin/tomcat5		--	gen_context(system_u:object_r:tomcat5_exec_t,s0)
/usr/bin/dtomcat5		--	gen_context(system_u:object_r:tomcat5_exec_t,s0)
/var/log/tomcat5		-d	gen_context(system_u:object_r:tomcat5_log_t,s0)
/var/log/tomcat5/.*		--	gen_context(system_u:object_r:tomcat5_log_t,s0)
policy_module(tomcat5,0.3)

########################################
#
# Declarations
#

type tomcat5_t;
type tomcat5_exec_t;
type tomcat5_java_t;

domain_type(tomcat5_t)
domain_type(tomcat5_java_t)

domain_entry_file(tomcat5_t, tomcat5_exec_t)

gen_require(` type java_exec_t; ')

domain_entry_file(tomcat5_java_t, java_exec_t)

type tomcat5_log_t;
logging_log_file(tomcat5_log_t)

type tomcat5_tmp_t;
files_tmp_file(tomcat5_tmp_t)

role system_r types tomcat5_java_t;
########################################
#
# local policy
#

init_daemon_domain(tomcat5_t, tomcat5_exec_t)

allow tomcat5_t tomcat5_log_t:file ra_file_perms;
manage_files_pattern(tomcat5_t, tomcat5_log_t, tomcat5_log_t)

allow tomcat5_t tomcat5_tmp_t:file manage_file_perms;
files_tmp_filetrans(tomcat5_t,tomcat5_tmp_t,file)

# neccessary for startup 
files_search_etc(tomcat5_t)
files_search_usr(tomcat5_t)
libs_search_lib(tomcat5_t)
libs_use_shared_libs(tomcat5_t)
miscfiles_read_localization(tomcat5_t)
libs_use_ld_so(tomcat5_t)
kernel_read_system_state(tomcat5_t)
corecmd_search_bin(tomcat5_t)
corecmd_getattr_bin_files(tomcat5_t)
corecmd_exec_bin(tomcat5_t)
init_write_utmp(tomcat5_t)
files_read_usr_files(tomcat5_t)
corecmd_exec_shell(tomcat5_t)
rw_fifo_files_pattern(tomcat5_t, tomcat5_t, tomcat5_t)
files_read_etc_files(tomcat5_t)
logging_search_logs(tomcat5_t)

# run java as tomcat5_java_t
#java_spec_domtrans(tomcat5_t, tomcat5_java_t)
domain_auto_trans(tomcat5_t, java_exec_t, tomcat5_java_t)

# privileges for tomcat java applications
allow tomcat5_t tomcat5_java_t:process { rlimitinh siginh noatsecure };
allow tomcat5_java_t tomcat5_t:process { sigchld getsched sigkill execheap execmem execstack rlimitinh siginh noatsecure };
allow tomcat5_java_t tomcat5_java_t:process { signull sigchld getsched sigkill execheap execmem execstack rlimitinh siginh noatsecure};
manage_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
create_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
libs_search_lib(tomcat5_java_t)
libs_use_shared_libs(tomcat5_java_t)
libs_read_lib_files(tomcat5_java_t)
files_search_usr(tomcat5_java_t)
files_read_usr_files(tomcat5_java_t)
files_read_usr_symlinks(tomcat5_java_t)
files_search_etc(tomcat5_java_t)
files_manage_etc_files(tomcat5_java_t)
files_search_var_lib(tomcat5_java_t)
files_read_var_lib_files(tomcat5_java_t)
files_read_var_lib_symlinks(tomcat5_java_t)
files_manage_var_files(tomcat5_java_t)

logging_search_logs(tomcat5_java_t)
rw_fifo_files_pattern(tomcat5_java_t,tomcat5_t,tomcat5_t)
libs_use_ld_so(tomcat5_java_t)
write_files_pattern(tomcat5_java_t, tomcat5_log_t, tomcat5_log_t)
unconfined_dontaudit_use_terminals(tomcat5_java_t)
corecmd_search_bin(tomcat5_java_t)
corecmd_getattr_bin_files(tomcat5_java_t)
corecmd_read_bin_files(tomcat5_java_t)
kernel_read_system_state(tomcat5_java_t)
dev_read_sysfs(tomcat5_java_t)
files_manage_generic_tmp_files(tomcat5_java_t)
files_manage_generic_tmp_dirs(tomcat5_java_t)
files_read_var_lib_files(tomcat5_java_t)
miscfiles_read_localization(tomcat5_java_t)
nscd_read_pid(tomcat5_java_t)
dev_read_urand(tomcat5_java_t)
dev_read_rand(tomcat5_java_t)
kernel_search_network_state(tomcat5_java_t)
kernel_read_network_state(tomcat5_java_t)

allow tomcat5_java_t java_exec_t:file execute_no_trans;
allow tomcat5_java_t tomcat5_java_t:process { signal getsched execstack execmem };
allow tomcat5_java_t tomcat5_java_t:tcp_socket { create ioctl bind setopt listen accept read write getattr setattr connect shutdown };
allow tomcat5_java_t tomcat5_java_t:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
corenet_tcp_bind_all_ports(tomcat5_java_t)
corenet_tcp_connect_all_ports(tomcat5_java_t)
corenet_tcp_sendrecv_all_ports(tomcat5_java_t)
corenet_tcp_bind_mapped_ipv4_node(tomcat5_java_t)
corenet_tcp_sendrecv_mapped_ipv4_node(tomcat5_java_t)
corenet_tcp_sendrecv_unspec_node(tomcat5_java_t)
corenet_tcp_bind_unspec_node(tomcat5_java_t)
sysnet_read_config(tomcat5_java_t)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux