policy for sandbox

######################################## ##

## Execute sandbox in the sandbox domain, and ## allow the specified role the sandbox domain. ##

## ##

## Domain allowed access ##

## ## ##

## The role to be allowed the sandbox domain. ##

## # interface(`sandbox_transition',` gen_require(` attribute sandbox_domain; ') sandbox_dyntransition($1) #885288 allow $1 sandbox_domain:process transition; dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; role $2 types sandbox_domain; allow sandbox_domain $1:process { sigchld signull }; allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; dontaudit sandbox_domain $1:process signal; dontaudit sandbox_domain $1:key { link read search view }; dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ') ######################################## ##

## Execute sandbox in the sandbox domain, and ## allow the specified role the sandbox domain. ##

## ##

## Domain allowed access ##

## # interface(`sandbox_dyntransition',` gen_require(` attribute sandbox_domain; ') allow $1 sandbox_domain:process dyntransition; ') ######################################## ##

## Creates types and rules for a basic ## sandbox process domain. ##

## ##

## Prefix for the domain. ##

## # template(`sandbox_domain_template',` gen_require(` attribute sandbox_domain; ') type $1_t, sandbox_domain; application_type($1_t) # this is to satisfy the assertion: dev_raw_memory_reader($1_t) dev_raw_memory_writer($1_t) mls_rangetrans_target($1_t) mcs_constrained($1_t) # this is to satisfy the assertion: storage_rw_inherited_fixed_disk_dev($1_t) storage_rw_inherited_scsi_generic($1_t) # this is to satisfy the assertion: auth_reader_shadow($1_t) auth_writer_shadow($1_t) #optional_policy(` # unconfined_typebounds($1_t) #') ')