Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/sandbox.if


## <summary>policy for sandbox</summary>

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
interface(`sandbox_transition',`
	gen_require(`
		attribute sandbox_domain;
	')

    sandbox_dyntransition($1) #885288
    allow $1 sandbox_domain:process transition;
    dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };

    role $2 types sandbox_domain;

    allow sandbox_domain $1:process { sigchld signull };
    allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;

    dontaudit sandbox_domain $1:process signal;
    dontaudit sandbox_domain $1:key { link read search view };
    dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
')

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_dyntransition',`
	gen_require(`
		attribute sandbox_domain;
	')

	allow $1 sandbox_domain:process dyntransition;
')

########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`sandbox_domain_template',`

	gen_require(`
		attribute sandbox_domain;
	')
	type $1_t, sandbox_domain;

	application_type($1_t)

    # this is to satisfy the assertion:
    dev_raw_memory_reader($1_t)
    dev_raw_memory_writer($1_t)

	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)

    # this is to satisfy the assertion:
    storage_rw_inherited_fixed_disk_dev($1_t)
    storage_rw_inherited_scsi_generic($1_t)

    # this is to satisfy the assertion:
    auth_reader_shadow($1_t)
    auth_writer_shadow($1_t)

    #optional_policy(`
	#    unconfined_typebounds($1_t)
    #')
')
extract all compressed files to make viewing source code easier and updated oreon-backgrounds and oreon-release packages 2024-07-03 21:20:34 -07:00
			`## <summary>policy for sandbox</summary>`

			`########################################`
			`## <summary>`
			`## Execute sandbox in the sandbox domain, and`
			`## allow the specified role the sandbox domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed the sandbox domain.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sandbox_transition',`
			gen_require(`
			`attribute sandbox_domain;`
			`')`

			`sandbox_dyntransition($1) #885288`
			`allow $1 sandbox_domain:process transition;`
			`dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };`

			`role $2 types sandbox_domain;`

			`allow sandbox_domain $1:process { sigchld signull };`
			`allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;`

			`dontaudit sandbox_domain $1:process signal;`
			`dontaudit sandbox_domain $1:key { link read search view };`
			`dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Execute sandbox in the sandbox domain, and`
			`## allow the specified role the sandbox domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sandbox_dyntransition',`
			gen_require(`
			`attribute sandbox_domain;`
			`')`

			`allow $1 sandbox_domain:process dyntransition;`
			`')`

			`########################################`
			`## <summary>`
			`## Creates types and rules for a basic`
			`## sandbox process domain.`
			`## </summary>`
			`## <param name="prefix">`
			`## <summary>`
			`## Prefix for the domain.`
			`## </summary>`
			`## </param>`
			`#`
			template(`sandbox_domain_template',`

			gen_require(`
			`attribute sandbox_domain;`
			`')`
			`type $1_t, sandbox_domain;`

			`application_type($1_t)`

			`# this is to satisfy the assertion:`
			`dev_raw_memory_reader($1_t)`
			`dev_raw_memory_writer($1_t)`

			`mls_rangetrans_target($1_t)`
			`mcs_constrained($1_t)`

			`# this is to satisfy the assertion:`
			`storage_rw_inherited_fixed_disk_dev($1_t)`
			`storage_rw_inherited_scsi_generic($1_t)`

			`# this is to satisfy the assertion:`
			`auth_reader_shadow($1_t)`
			`auth_writer_shadow($1_t)`

			#optional_policy(`
			`# unconfined_typebounds($1_t)`
			`#')`
			`')`