Hey Guys,

I am trying to confine a Java process that I have so that it will be able
to read only certain files. This is my experiment setup for my folder.
Basically a.out (C program) and Test.class (Java class) are coded to read
and print out the text in test.txt.

    unconfined_u:object_r:httpd_t:SystemLow a.out
    unconfined_u:object_r:user_home_t:SystemLow test.c
    unconfined_u:object_r:httpd_t:SystemLow Test.class
    unconfined_u:object_r:user_home_t:SystemLow Test.java
    unconfined_u:object_r:user_home_t:SystemLow test.txt

I tried to change the type label for a.out from user_home_t to httpd_t just
for the sake of the experiment. With this setup, a.out is no longer able to
read test.txt in enforcing mode. However, I don't seem to be able to do it
for Test.class as it's running on a JVM. The java label is "bin_t". And I
checked using this:

    sesearch -s bin_t -t user_home_t -c file -p read -Ad

And it doesn't seem to have a rule that allows bin_t to read a file with
user_home_t label.

What's the right way to do this, if any? Then, I also try to confine port
access for Test.class, e.g. I only allow it to access ports 1234 and
2345. Same question: what's the right way to do this?

Kind regards,
Rahmadi
_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
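An added example (editor's, not from the original post or the list) illustrating the check that matters for the sesearch query above: an SELinux access query takes the *domain the process runs in* as its source, which is the type field of the context shown by `ps -Z` for the running JVM, not the file type of the java binary (bin_t). Without a domain transition rule for java, the JVM inherits the domain of the shell that launched it (typically unconfined_t for a login shell), which is why a query with `-s bin_t` finds nothing. The script below parses contexts of both kinds and builds the matching sesearch queries for file reads and for TCP port access; the `ps -eZ` line and the contexts are constructed sample strings, so it runs without an SELinux host, and only runs sesearch itself when the tool is present.

```shell
#!/bin/sh
# Editor's added example; contexts and the ps line below are constructed samples.

# Extract one ':'-separated field of a context "user:role:type:level".
# Only the first three fields are split; an MLS level may itself contain ':'.
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# The security type: the domain for a process, the file type for a file.
selinux_type() {
    context_field "$1" 3
}

# Domain of a process taken from a `ps -eZ` line such as
# "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4321 pts/0 00:00:01 java"
ps_line_domain() {
    set -- $1          # split on whitespace; the context is the first word
    selinux_type "$1"
}

# Query for "may domain $1 read files of type $2?" (setools syntax:
# -A allow rules, -s source domain, -t target type, -c class, -p permission).
read_rule_query() {
    printf 'sesearch -A -s %s -t %s -c file -p read\n' "$1" "$2"
}

# Query for "may domain $1 use TCP port type $2 with permission $3?"
# ($3 is name_connect for outgoing connections, name_bind for listening).
port_rule_query() {
    printf 'sesearch -A -s %s -t %s -c tcp_socket -p %s\n' "$1" "$2" "$3"
}

# Run a prepared query when sesearch is installed; otherwise show it and
# return 2 so a caller can tell "not checked" from "no rule".
run_query() {
    if command -v sesearch >/dev/null 2>&1; then
        eval "$1"
    else
        echo "sesearch not available; would run: $1" >&2
        return 2
    fi
}

# Constructed sample inputs (not output from the poster's machine).
JAVA_BIN_CTX='system_u:object_r:bin_t:s0'
JVM_PS_LINE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  4321 pts/0 00:00:01 java'
TXT_CTX='unconfined_u:object_r:user_home_t:SystemLow'

main() {
    jvm_domain=$(ps_line_domain "$JVM_PS_LINE")
    echo "file type of java binary : $(selinux_type "$JAVA_BIN_CTX")"
    echo "domain of the running JVM: $jvm_domain"
    echo "file read check          : $(read_rule_query "$jvm_domain" "$(selinux_type "$TXT_CTX")")"
    # http_port_t is a standard port type; `semanage port -l` lists the rest.
    echo "port access check        : $(port_rule_query "$jvm_domain" http_port_t name_connect)"
    run_query "$(read_rule_query "$jvm_domain" "$(selinux_type "$TXT_CTX")")" || true
}
main "$@"
```

On a real host, replace the constructed `JVM_PS_LINE` with the actual line from `ps -eZ | grep java` while Test.class is running; if the domain printed is unconfined_t, no file-type change on Test.class or the java binary will restrict the process, and confinement requires a policy module that transitions java into its own domain.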