Hey Guys,
I am trying to confine a Java process that I have so that it will be able to read only certain files. This is my experiment setup for my folder. Basically a.out (C program) and Test.class (Java class) are coded to read and print out the text in test.txt.
unconfined_u:object_r:httpd_t:SystemLow a.out
unconfined_u:object_r:user_home_t:SystemLow test.c
unconfined_u:object_r:httpd_t:SystemLow Test.class
unconfined_u:object_r:user_home_t:SystemLow Test.java
unconfined_u:object_r:user_home_t:SystemLow test.txt
I tried to change the type label for a.out from user_home_t to httpd_t just for the sake of the experiment. With this setup, a.out is no longer able to read test.txt in enforcing mode. However, I don't seem to be able to do it for Test.class, as it's running on a JVM. The java label is "bin_t", and I checked using this:
sesearch -s bin_t -t user_home_t -c file -p read -Ad
And it doesn't seem to have a rule that allows bin_t to read a file with user_home_t label.
What's the right way to do this, if any? I also tried to confine port access for Test.class, e.g. so that I only allow it to access ports 1234 and 2345. Same question: what's the right way to do this?
Kind regards,
Rahmadi
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
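The experiment above runs into the fact that SELinux confines a process by its domain, not by the label of the data file it loads, so relabelling Test.class cannot restrict the JVM; the JVM has to be started through a launcher that transitions into a dedicated domain. The following policy module sketch is an added example, not from the original post or the SELinux project: every myjava_* name and the launcher path /usr/local/bin/runjava.sh are assumptions, and it uses reference-policy interfaces as found on a Fedora/RHEL-style system.

```selinux
# Added example, not from the original post. Assumed names: myjava_*,
# launcher /usr/local/bin/runjava.sh (a shell script that execs java).
policy_module(myjava, 1.0)

########################################
# Declarations
type myjava_t;
type myjava_exec_t;
application_domain(myjava_t, myjava_exec_t)

# Files the confined JVM may read (label test.txt and Test.class with it).
type myjava_data_t;
files_type(myjava_data_t)

# Port type for the two ports the program is allowed to reach.
type myjava_port_t;
corenet_port(myjava_port_t)

########################################
# Policy
# Running the launcher from an unconfined shell transitions into myjava_t.
unconfined_run_to(myjava_t, myjava_exec_t)

# The launcher needs the shell interpreter and the java binary (bin_t);
# both run inside myjava_t, no further transition.
corecmd_exec_shell(myjava_t)
corecmd_exec_bin(myjava_t)

# HotSpot generates code at run time and needs writable+executable memory.
allow myjava_t self:process execmem;

# Reads are limited to myjava_data_t. No rule mentions user_home_t, so
# test.c and Test.java stay unreadable in enforcing mode.
read_files_pattern(myjava_t, myjava_data_t, myjava_data_t)

# Outbound TCP only to ports labelled myjava_port_t.
allow myjava_t self:tcp_socket create_stream_socket_perms;
allow myjava_t myjava_port_t:tcp_socket name_connect;

# Build, load and label (as root):
#   make -f /usr/share/selinux/devel/Makefile myjava.pp && semodule -i myjava.pp
#   semanage port -a -t myjava_port_t -p tcp 1234
#   semanage port -a -t myjava_port_t -p tcp 2345
#   chcon -t myjava_exec_t /usr/local/bin/runjava.sh
#   chcon -t myjava_data_t test.txt Test.class
#   sesearch -s myjava_t -t user_home_t -c file -p read -Ad   # expect no rule
```

A real JVM also needs library, /proc and locale access that this sketch deliberately leaves out; put the domain in permissive mode first (`semanage permissive -a myjava_t`), run the launcher, and derive only those extra rules from the audit log with audit2allow before switching back to enforcing.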