--- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/apps/java.fc 2008-08-14 13:53:54.000000000 -0400
@@ -3,14 +3,15 @@
#
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
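Review bot: The two widened MATLAB patterns added in this hunk use unbounded `.*`, which in a file-context regex also matches `/`, so `/opt/matlab.*/bin.*/MATLAB.*` labels any regular file whose path contains those three fragments in order, not only the launcher binaries. java_exec_t is the entry-point type for the java domains (see `domain_entry_file($1_java_t, java_exec_t)` in java.if), and this patch gives those domains execmem/execstack, so the match should stay close to what the removed lines covered. Bounding each path component still allows versioned install directories: `/opt/matlab[^/]*/bin/(.*/)?MATLAB[^/]*`. The same applies to the `/opt/local/matlab.*` line here and to the `/usr/local/matlab.*` and `/usr/matlab.*` lines in the next hunk.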
@@ -20,5 +21,10 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
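Review bot: The `/usr/bin/octave-[^/]*` entry labels a non-Java binary java_exec_t with no comment explaining why it belongs in java.fc. Because the transitions in java.if key on java_exec_t, this runs octave in the java domains with the execheap/execmem/execstack permissions they receive, which a later reader cannot tell is deliberate. If it is intended, record the reason beside the entry, for example `# octave is labelled java_exec_t so it runs in the java domain (needs executable memory) - confirm`. The blank added line before it could also carry a short section comment, as the `# /usr` header does above.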
--- nsaserefpolicy/policy/modules/apps/java.if 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/apps/java.if 2008-08-14 13:53:54.000000000 -0400
@@ -32,7 +32,7 @@
##
##
#
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
gen_require(`
type java_exec_t;
')
@@ -57,18 +57,21 @@
# Local policy
#
- allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
+ allow $1_javaplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched };
allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
- allow $1_javaplugin_t self:tcp_socket create_socket_perms;
+ allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
+ allow $1_javaplugin_t $1_t:process signull;
+ allow $1_javaplugin_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_javaplugin_t:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket connectto;
- allow $1_javaplugin_t $2:unix_stream_socket { read write };
- userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
+ allow $1_javaplugin_t $2:tcp_socket { read write };
manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir })
+ allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
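Review bot: The rewritten `self:process` rule grants `execstack` and `ptrace` to the plugin domain unconditionally, and the added `$1_javaplugin_tmp_t:file execute` rule does the same for executing files the domain itself writes to its temp directory. Before this change the temp-file execute was only reachable through the `allow_java_execstack` tunable block later in the template. This domain presumably runs applet code from the network (it has `corenet_tcp_connect_all_ports` further down), so these are the permissions most worth keeping opt-in. I would keep the base rule as `allow $1_javaplugin_t self:process { execmem signal_perms getsched setsched };`, leave `execstack` and the tmp `execute` rule under the tunable, and add a comment naming what needs `ptrace` if it has to stay. The template body starts and ends outside this hunk.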
@@ -76,14 +79,9 @@
manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file })
- rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
- read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-
can_exec($1_javaplugin_t, java_exec_t)
- # The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
- allow $1_javaplugin_t $2:fd use;
+ domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
allow $1_javaplugin_t $2:process signull;
@@ -94,7 +92,7 @@
kernel_read_system_state($1_javaplugin_t)
# Search bin directory under javaplugin for javaplugin executable
- corecmd_search_bin($1_javaplugin_t)
+ corecmd_exec_bin($1_javaplugin_t)
corenet_all_recvfrom_unlabeled($1_javaplugin_t)
corenet_all_recvfrom_netlabel($1_javaplugin_t)
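Review bot: The comment above the changed call still reads "Search bin directory under javaplugin for javaplugin executable", but the call is now `corecmd_exec_bin`, which is a wider grant than searching the directory. The comment should describe what is actually allowed and why the plugin needs it, e.g. `# Execute generic binaries from the bin directories (helper programs started by the plugin)`. If only one or two helpers are needed, it is worth confirming whether a narrower interface would do.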
@@ -107,10 +105,12 @@
corenet_tcp_connect_all_ports($1_javaplugin_t)
corenet_sendrecv_all_client_packets($1_javaplugin_t)
+ dev_list_sysfs($1_javaplugin_t)
dev_read_sound($1_javaplugin_t)
dev_write_sound($1_javaplugin_t)
dev_read_urand($1_javaplugin_t)
dev_read_rand($1_javaplugin_t)
+ dev_write_rand($1_javaplugin_t)
files_read_etc_files($1_javaplugin_t)
files_read_usr_files($1_javaplugin_t)
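Review bot: `dev_write_rand($1_javaplugin_t)` gives a domain that runs plugin content write access to the random device, and nothing in the hunk says what required it. If this was added only to silence an AVC denial, a comment such as `# JVM writes seed material to /dev/random at start-up - confirm` would let a later reviewer judge whether the access can be dropped. The same applies to the new `dev_list_sysfs` line.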
@@ -122,6 +122,9 @@
fs_getattr_xattr_fs($1_javaplugin_t)
fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+ fs_getattr_tmpfs($1_javaplugin_t)
+
+ auth_use_nsswitch($1_javaplugin_t)
libs_use_ld_so($1_javaplugin_t)
libs_use_shared_libs($1_javaplugin_t)
@@ -132,23 +135,23 @@
# Read global fonts and font config
miscfiles_read_fonts($1_javaplugin_t)
- sysnet_read_config($1_javaplugin_t)
-
+ unprivuser_manage_home_content_files($1_javaplugin_t)
userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t)
- userdom_manage_user_home_content_dirs($1, $1_javaplugin_t)
- userdom_manage_user_home_content_files($1, $1_javaplugin_t)
- userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t)
- userdom_manage_user_home_content_pipes($1, $1_javaplugin_t)
- userdom_manage_user_home_content_sockets($1, $1_javaplugin_t)
- userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file })
+ unprivuser_manage_tmp_dirs($1_javaplugin_t)
+ unprivuser_manage_tmp_files($1_javaplugin_t)
+ unprivuser_manage_tmp_sockets($1_javaplugin_t)
+ userdom_read_user_tmpfs_files($1, $1_javaplugin_t)
+ unprivuser_manage_home_content_dirs($1_javaplugin_t)
+ unprivuser_manage_home_content_files($1_javaplugin_t)
+ unprivuser_manage_home_content_symlinks($1_javaplugin_t)
+ unprivuser_manage_home_content_pipes($1_javaplugin_t)
+ unprivuser_manage_home_content_sockets($1_javaplugin_t)
+ unprivuser_home_dir_filetrans_home_content($1_javaplugin_t, { file lnk_file sock_file fifo_file })
tunable_policy(`allow_java_execstack',`
allow $1_javaplugin_t self:process execstack;
-
- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
libs_legacy_use_shared_libs($1_javaplugin_t)
libs_legacy_use_ld_so($1_javaplugin_t)
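Review bot: The allow_java_execstack `tunable_policy` block kept at the end of this hunk no longer gates anything: `execstack` is now granted unconditionally by the `self:process` rule earlier in the template, and the java.te part of this patch deletes `gen_tunable(allow_java_execstack, false)`. Unless the tunable is declared elsewhere in the tree the reference is dangling, so either drop the block or restore the declaration and move `execstack` back under it. Separately, `unprivuser_manage_home_content_files($1_javaplugin_t)` is added twice in this hunk, once above the `userdom_dontaudit_*` lines and again in the block below them. The move from `userdom_*($1, ...)` to `unprivuser_*(...)` also drops the role prefix, which looks as if plugins for every role are pointed at the unprivileged user's home and tmp types; that is worth confirming.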
@@ -156,16 +159,63 @@
')
optional_policy(`
- nis_use_ypbind($1_javaplugin_t)
+ xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
')
- optional_policy(`
- nscd_socket_use($1_javaplugin_t)
')
- optional_policy(`
- xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
+#######################################
+##
+## The per role template for the java module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for java applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`java_per_role_template',`
+ gen_require(`
+ type java_exec_t;
')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t, java_exec_t)
+ role $3 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_unpriv_usertype($1, $1_java_t)
+
+ allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+ allow $2 $1_java_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $1_java_t $2:tcp_socket { read write };
+
+ domtrans_pattern($2, java_exec_t, $1_java_t)
+
+ dev_read_urand($1_java_t)
+ dev_read_rand($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
')
########################################
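Review bot: The new `java_per_role_template` creates `$1_java_t` with `userdom_unpriv_usertype` plus an unconditional `self:process { ... execheap execmem execstack }`, so the derived domain ends up with more than the calling user domain rather than confining java. The three memory-execution permissions are what make memory-corruption bugs easy to turn into code execution, and the plugin template used to keep `execstack` behind the `allow_java_execstack` tunable. I would grant only `execmem` in the base rule and put `execheap execstack` in a `tunable_policy` block, carrying over the "needed for itanium/BEA jrocket" comment from java.te so the reason is visible here. The header text should read "creates a derived domain which is used for java applications", and it does not mention that `$2` receives `ptrace` over the new domain.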
@@ -219,3 +269,67 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
+
+########################################
+##
+## Execute a java in the specified domain
+##
+##
+##
+## Execute the java command in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`java_spec_domtrans',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ domain_trans($1, java_exec_t, $2)
+ type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+##
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the java domain.
+##
+##
+##
+##
+## The type of the terminal allow the java domain to use.
+##
+##
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
+
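Review bot: The description of `java_spec_domtrans` appears to be copied from a filesystem interface: "execute any file on these filesystems in the specified domain" does not match the body, which only sets up a transition on java_exec_t. It should say that the calling domain transitions to the given domain when it executes a file labelled java_exec_t, and that the caller must have declared java_exec_t as an entry point for that domain. Unlike the interface visible just above this addition, the new one has no `corecmd_search_bin($1)`, so callers may need that separately. In `java_run` the third parameter description should read "The type of the terminal the java domain is allowed to use."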
--- nsaserefpolicy/policy/modules/apps/java.te 2008-08-07 11:15:02.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/apps/java.te 2008-08-14 13:53:54.000000000 -0400
@@ -6,16 +6,10 @@
# Declarations
#
-##
-##
-## Allow java executable stack
-##
-##
-gen_tunable(allow_java_execstack, false)
-
type java_t;
type java_exec_t;
init_system_domain(java_t, java_exec_t)
+typealias java_t alias unconfined_java_t;
########################################
#
@@ -23,11 +17,28 @@
#
# execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
+optional_policy(`
init_dbus_chat_script(java_t)
+ optional_policy(`
+ hal_dbus_chat(java_t)
+ ')
optional_policy(`
- unconfined_domain_noaudit(java_t)
unconfined_dbus_chat(java_t)
')
+')
+
+optional_policy(`
+ rpm_domtrans(java_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(java_t)
+')
+
+optional_policy(`
+ xserver_xdm_rw_shm(java_t)
+')
+
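Review bot: `rpm_domtrans(java_t)` is added in its own `optional_policy` block with no comment, and it lets anything running in java_t start rpm in the rpm domain. Since `unconfined_domain_noaudit(java_t)` is itself optional, on a build without the unconfined module this transition would be the widest grant java_t holds, combined with the execheap/execmem/execstack rule above. A comment stating which Java program needs to invoke rpm, e.g. `# <program> runs rpm to query installed packages - confirm`, would let reviewers decide whether the transition is warranted. The `xserver_xdm_rw_shm(java_t)` block would benefit from the same kind of one-line justification.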