## <summary>policy for sandbox</summary>
########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
interface(`sandbox_transition',`
gen_require(`
attribute sandbox_domain;
')
# $1 (the calling domain) may enter any type that carries the
# sandbox_domain attribute through a process domain transition.
allow $1 sandbox_domain:process transition;
# Deliberately dontaudit, not allow: the new sandbox process is meant not to
# inherit the caller's signal state, resource limits or a non-secure exec.
# This rule only keeps those expected denials out of the audit log.
dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
# $2 (the caller's role) is authorized for every sandbox type.
role $2 types sandbox_domain;
# The sandbox may deliver its exit status (SIGCHLD) to $1 and may check
# for $1's existence with a null signal; no other signal is allowed.
allow sandbox_domain $1:process { sigchld signull };
# Pipes inherited from $1 stay readable/writable inside the sandbox
# (permission set presumably covers only already-open fifo objects).
allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
# Ordinary signals from the sandbox toward the caller remain denied;
# just suppress the audit noise they would otherwise generate.
dontaudit sandbox_domain $1:process signal;
')
########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`sandbox_domain_template',`
gen_require(`
attribute sandbox_domain;
')
# Declare the process type $1_t and tag it with the shared attribute so the
# rules written against sandbox_domain (e.g. sandbox_transition) cover it
# without any per-type additions.
type $1_t, sandbox_domain;
# Register $1_t as an application domain.
application_type($1_t)
# MLS/MCS hooks: allow $1_t to be the target of a range transition and
# apply the MCS category constraints to it (exact effect is defined by
# these macros elsewhere in the policy, not in this file).
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
')