selinux-refpolicy/strict/macros/program/orbit_macros.te

#
# ORBit related types
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# orbit_domain(prefix, role_prefix) - allow prefix_t to create and use ORBit sockets
# orbit_connect(type1_prefix, type2_prefix)
# - allow type1_t to communicate with type2_t through the ORBit sockets of type2_t
define(`orbit_domain', `
# orbit_domain(prefix, role_prefix)
#   Grant domain $1_t what it needs to create and use ORBit sockets that
#   are labeled $1_orbit_tmp_t.  $2 is the role prefix (for example user
#   or sysadm): the sockets live in a $2_orbit_tmp_t directory and the new
#   type joins the $2_file_type attribute.  The macro declares only
#   $1_orbit_tmp_t; $1_t, $2_orbit_tmp_t and the attributes it references
#   must be declared elsewhere in the policy.
# Protect against double inclusion for speed and correctness
ifdef(`orbit_domain_$1_$2', `', `
define(`orbit_domain_$1_$2')
# Relabel directory (startup script)
# NOTE(review): this grants relabelfrom and relabelto on $1_orbit_tmp_t
# only, so relabeling a directory that currently carries another type
# (for example tmp_t) also needs relabelfrom on that type from elsewhere
# in the policy - confirm the startup script path is actually covered.
allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
# Type for ORBit sockets
# Attributes file_type, $2_file_type, sysadmfile and tmpfile are defined
# in the base policy; whatever access they carry (presumably sysadm and
# tmp-cleaning access) applies to these sockets as well.
type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
# Objects $1_t creates inside a $2_orbit_tmp_t directory are labeled
# $1_orbit_tmp_t; the allow rules needed for that transition come from
# the expansion of file_type_auto_trans (defined elsewhere).
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
# Read-only traversal of tmp_t directories to find the ORBit directory;
# no create or write on tmp_t itself is granted here.
allow $1_t tmp_t:dir { read search getattr };
# Create the sockets
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
# Use random device(s)
# Read-only plus ioctl; presumably for ORBit cookie generation - confirm.
allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
# ORBit tries to setattr the shared $2_orbit_tmp_t directory (presumably
# a chmod on its socket directory); the original author did not know why.
# Silence the denial rather than grant it - confirm before widening this.
dontaudit $1_t $2_orbit_tmp_t:dir setattr;
') dnl ifdef orbit_domain_args
') dnl orbit_domain
##########################
define(`orbit_connect', `
# orbit_connect(type1_prefix, type2_prefix)
#   Let $1_t reach $2_t over the ORBit sockets of $2_t.  Only write on
#   the $2_orbit_tmp_t socket files is granted directly here; any
#   socket-level permissions come from can_unix_connect, defined elsewhere.
#   No read access to the socket files is granted.
allow $1_t $2_orbit_tmp_t:sock_file write;
can_unix_connect($1_t, $2_t)
') dnl orbit_connect