## <summary>policy for osbuild</summary>

########################################
## <summary>
##	Execute osbuild_exec_t in the osbuild domain.
## </summary>
## <desc>
##	<p>
##	Lets the calling domain search the bin directories and
##	transition to osbuild_t when it executes a file labeled
##	osbuild_exec_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`osbuild_domtrans',`
	gen_require(`
		type osbuild_t, osbuild_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, osbuild_exec_t, osbuild_t)
')

######################################
## <summary>
##	Execute osbuild in the caller domain.
## </summary>
## <desc>
##	<p>
##	No transition to osbuild_t is set up by this interface, so
##	osbuild runs with the permissions of the calling domain
##	rather than under the osbuild_t policy. Use osbuild_domtrans
##	when the confinement of osbuild_t is wanted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`osbuild_exec',`
	gen_require(`
		type osbuild_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, osbuild_exec_t)
')

########################################
## <summary>
##	Execute osbuild in the osbuild domain, and
##	allow the specified role the osbuild domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the osbuild domain.
##	</summary>
## </param>
#
interface(`osbuild_run',`
	gen_require(`
		# NOTE(review): osbuild_t is required here but is not named
		# directly in this body; only osbuild_roles is used below.
		type osbuild_t;
		attribute_role osbuild_roles;
	')

	osbuild_domtrans($1)
	# Adds the role in $2 to the osbuild_roles role attribute.
	roleattribute $2 osbuild_roles;
')

########################################
## <summary>
##	Role access for osbuild
## </summary>
## <desc>
##	<p>
##	Besides the role attribute and the domain transition, the
##	user domain is allowed to inspect osbuild_t processes and to
##	send them signull, signal and sigkill. Grant this only to
##	user domains that are meant to manage running builds.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`osbuild_role',`
	gen_require(`
		type osbuild_t;
		attribute_role osbuild_roles;
	')

	# Argument order differs from osbuild_run: $1 is the role and
	# $2 is the user domain.
	roleattribute $1 osbuild_roles;

	osbuild_domtrans($2)

	ps_process_pattern($2, osbuild_t)
	allow $2 osbuild_t:process { signull signal sigkill };
')

########################################
## <summary>
##	osbuild nnp / nosuid transitions to domain
## </summary>
## <desc>
##	<p>
##	Grants osbuild_t the process2 permissions nnp_transition and
##	nosuid_transition toward the given domain. These permissions
##	let a transition from osbuild_t into that domain proceed when
##	no_new_privs is set or the executable is on a nosuid mount.
##	No process transition rule is added here, so that is
##	presumably granted elsewhere (confirm in the calling policy).
##	Each call relaxes the nnp / nosuid restriction for one target
##	domain, so pass only domains that osbuild is expected to enter.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to be allowed to transition into.
##	</summary>
## </param>
#
interface(`osbuild_nnp_nosuid_trans',`
	gen_require(`
		type osbuild_t;
		class process2 { nnp_transition nosuid_transition };
	')

	# Source of the rule is osbuild_t; the argument is the target.
	allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
')