#
# ORBit related types (SELinux example-policy m4 macros)
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# orbit_domain(prefix, role_prefix)
#   - declare <prefix>_orbit_tmp_t and let <prefix>_t create ORBit sockets;
#     sockets created in the <role_prefix>_orbit_tmp_t directory get that type
# orbit_connect(type1_prefix, type2_prefix)
#   - allow <type1_prefix>_t to connect to the ORBit sockets of <type2_prefix>_t
#
define(`orbit_domain', `

# Expand at most once per (prefix, role_prefix) pair; later calls are no-ops
ifdef(`orbit_domain_$1_$2', `', `
define(`orbit_domain_$1_$2')

# Type of the ORBit socket files owned by <prefix>_t. Objects that <prefix>_t
# creates inside the <role_prefix>_orbit_tmp_t directory transition to it.
type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)

# Look up and traverse tmp_t directories; no write on tmp_t is granted here
allow $1_t tmp_t:dir { read search getattr };

# Startup script relabels its own socket directory and files.
# NOTE(review): only <prefix>_orbit_tmp_t appears on both sides, so this does
# not permit relabeling from another type such as tmp_t; confirm intended.
allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };

# Unix-domain sockets (stream and datagram) owned by the domain itself
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;

# Read-only access to the random devices (presumably for ORBit cookie
# generation; not visible here)
allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };

# The domain attempts setattr on the shared role directory; silence the
# denial without granting it (reason for the attempt unknown)
dontaudit $1_t $2_orbit_tmp_t:dir setattr;

') dnl ifdef guard
') dnl orbit_domain
##########################
define(`orbit_connect', `

# Opening the socket path: SELinux checks write on the sock_file for connect().
# NOTE(review): no search on the directory holding the socket is granted here;
# callers are assumed to already have it (e.g. via orbit_domain). Verify.
allow $1_t $2_orbit_tmp_t:sock_file write;

# <type1_prefix>_t may connect to unix stream sockets of <type2_prefix>_t
can_unix_connect($1_t, $2_t)

') dnl orbit_connect