PHP/Java Bridge SvnRepo

51 lines (40 with data), 1.9 kB

#################################
# php-java-bridge.te
# SELinux rules for the javabridge_t domain
#
# javabridge_exec_t is the type of the javabridge 
# executable "RunJavaBridge", see php-java-bridge.fc

daemon_domain(javabridge);
# log_domain(javabridge);
tmp_domain(javabridge);

# connect for users and httpd
allow httpd_t javabridge_exec_t:file { getattr };
allow httpd_t javabridge_t:unix_stream_socket { connectto };
#allow user_t javabridge_t:unix_stream_socket { connectto };
allow unconfined_t javabridge_t:unix_stream_socket { connectto };

# starting the bridge
allow javabridge_t bin_t:dir { search };
allow javabridge_t bin_t:file { execute execute_no_trans read };
allow javabridge_t javabridge_exec_t:file { execute_no_trans };
allow javabridge_t javabridge_t:file { getattr read };
allow javabridge_t javabridge_t:unix_stream_socket { accept bind connect create getattr getopt listen read setopt write };
allow javabridge_t var_log_t:file { append write };
allow javabridge_t var_log_t:dir { search };

# java needs these for proc/self, /etc/java.
allow javabridge_t proc_t:file { getattr read };
allow javabridge_t etc_runtime_t:file { getattr read };
allow javabridge_t etc_t:file { getattr read };
allow javabridge_t javabridge_t:process { getsched };
allow javabridge_t ld_so_cache_t:file { execute };
allow javabridge_t locale_t:file { execute };
allow javabridge_t random_device_t:chr_file { getattr read append };
allow javabridge_t urandom_device_t:chr_file { getattr read };
# disallow TCP sockets
dontaudit javabridge_t javabridge_t:tcp_socket { create };



# lib/i386/client/classes.jsa
allow javabridge_t lib_t:file { execute getattr read };

# /usr/share/java, /usr/lib/rt.jar, ...
allow javabridge_t usr_t:file { execute getattr read };


# Sun JDK 1.5 creates /tmp/hsperfdata/data and executes it.
# Ugly ...
allow javabridge_t javabridge_tmp_t:file { execute };