java selinux module in CentOS 7 targeted policy

Support for security such as Firewalls and securing linux
dell-selinux
Posts: 2
Joined: 2017/02/18 00:23:01

java selinux module in CentOS 7 targeted policy

Post by dell-selinux » 2017/02/18 00:34:38

Hi All,
I am looking for the selinux java module in the CentOS 7 targeted policy, but it is not present. I looked into CentOS 6.8 and found the selinux java module there. Not sure why it got removed from the CentOS 7 targeted policy.
I downloaded the CentOS selinux policy source and tried compiling with the java module (appended modules-targeted-contrib.conf), but it failed to compile.

The error is like this:
==================


Compiling targeted java.mod module
m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/contrib/java.te > tmp/java.tmp
policy/modules/contrib/java.te:39: Warning: userdom_user_tmpfs_file(java_tmpfs_t) has been deprecated, use userdom_user_tmp_file() instead.
/usr/bin/checkmodule -M -m tmp/java.tmp -o tmp/java.mod
policy/modules/contrib/java.te:74:ERROR 'unknown type java_domain' at token ';' on line 4231:
#line 74
        typeattribute java_domain kernel_system_state_reader;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/java.tmp
make: *** [tmp/java.mod] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.rwg27q (%install)

Can someone please suggest how to include java module?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: java selinux module in CentOS 7 targeted policy

Post by aks » 2017/02/20 17:18:26

What is it supposed to achieve?
Does it just have label types or are there other things? If so, what?

dell-selinux
Posts: 2
Joined: 2017/02/18 00:23:01

Re: java selinux module in CentOS 7 targeted policy

Post by dell-selinux » 2017/02/21 19:18:36

I briefly looked into java.te and java.if and as far as I can understand, this java policy module would allow a java application to be confined with the java_t domain.

I have to confine a few java applications, and for that I want to harness the existing java policy module.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: java selinux module in CentOS 7 targeted policy

Post by aks » 2017/02/22 17:45:46

So what I did with a tomcat install was use semanage to label the files as tomcat_log_t, tomcat_exec_t, tomcat_cache_t, tomcat_unit_file_t etc. (the tomcat type was already defined). I see no reason why you can't just either extend that or search for existing java types and work from there. Once the module is defined, just label the files.

But what we see in your error is some of the types you are using are deprecated and you should use (whatever they said you should). You could just use the "generic" types I guess.

But all this is pretty advanced stuff, how competent are you with SE?
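
The labelling approach described in the post above, as an added example that is not part of the thread: it maps paths to the tomcat_* types the post names, using `semanage fcontext` and `restorecon`. The install prefix, sub-directories and unit file path are assumptions, the types must already exist in the loaded policy, and the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: label a Tomcat tree with existing tomcat_* types.
# TOMCAT_HOME, its sub-paths and the unit file path are assumptions.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
UNIT_FILE=/etc/systemd/system/tomcat.service

# One "file_contexts regex|type" pair per line.
label_map() {
    cat <<EOF
$TOMCAT_HOME/bin/.*\.sh|tomcat_exec_t
$TOMCAT_HOME/logs(/.*)?|tomcat_log_t
$TOMCAT_HOME/work(/.*)?|tomcat_cache_t
$TOMCAT_HOME/temp(/.*)?|tomcat_cache_t
/etc/systemd/system/tomcat\.service|tomcat_unit_file_t
EOF
}

# Dry run by default: print the command; execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

label_all() {
    # Record the rules persistently in the local file-context database.
    label_map | while IFS='|' read -r regex type; do
        run semanage fcontext -a -t "$type" "$regex"
    done
    # Apply the recorded rules to the files already on disk.
    run restorecon -Rv "$TOMCAT_HOME"
    run restorecon -v "$UNIT_FILE"
    # Check which context the policy now expects for a sample log file.
    run matchpathcon "$TOMCAT_HOME/logs/catalina.out"
}

label_all
```

Rules added with `semanage fcontext -a` survive a relabel, unlike a one-off `chcon`.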

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: java selinux module in CentOS 7 targeted policy

Post by TrevorH » 2017/02/22 18:26:15

I would recommend asking on the selinux mailing list or on #selinux on freenode IRC. Both places have the RH experts on selinux in attendance and as far as I know, none of them read this forum.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
