## <summary>policy for sandbox</summary>

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
interface(`sandbox_transition',`
	gen_require(`
		attribute sandbox_domain;
	')

	allow $1 sandbox_domain:process transition;
	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
	role $2 types sandbox_domain;
	allow sandbox_domain $1:process { sigchld signull };
	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
	dontaudit sandbox_domain $1:process signal;
')

########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`sandbox_domain_template',`

	gen_require(`
		attribute sandbox_domain;
	')
	type $1_t, sandbox_domain;

	application_type($1_t)

	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
')