## <summary>policy for sandbox</summary>
########################################
## <summary>
## Execute sandbox in the sandbox domain, and
## allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the sandbox domain.
## </summary>
## </param>
#
interface(`sandbox_transition',`
gen_require(`
attribute sandbox_domain;
')
allow $1 sandbox_domain:process transition;
dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
role $2 types sandbox_domain;
allow sandbox_domain $1:process { sigchld signull };
allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
dontaudit sandbox_domain $1:process signal;
')
########################################
## <summary>
## Creates types and rules for a basic
## sandbox process domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`sandbox_domain_template',`
gen_require(`
attribute sandbox_domain;
')
type $1_t, sandbox_domain;
application_type($1_t)
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
')