selinux-policy/policy/modules/apps/seunshare.if

## <summary>Filesystem namespacing/polyinstantiation application.</summary>

########################################
## <summary>
##	Execute a domain transition to run seunshare.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`seunshare_domtrans',`
	gen_require(`
		type seunshare_t, seunshare_exec_t;
	')

	domtrans_pattern($1, seunshare_exec_t, seunshare_t)
')

########################################
## <summary>
##	Execute seunshare in the seunshare domain, and
##	allow the specified role the seunshare domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`seunshare_run',`
	gen_require(`
		type seunshare_t;
	')

	seunshare_domtrans($1)
	role $2 types seunshare_t;

	allow $1 seunshare_t:process signal_perms;

	ifdef(`hide_broken_symptoms', `
		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
		dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
	')
')

########################################
## <summary>
##	Role access for seunshare
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`seunshare_role',`
	gen_require(`
		type seunshare_t;
	')

	role $2 types seunshare_t;

	seunshare_domtrans($1)

	ps_process_pattern($2, seunshare_t)
	allow $2 seunshare_t:process signal;
')
add seunshare from dan. 2009-09-28 19:40:06 +00:00			`## <summary>Filesystem namespacing/polyinstantiation application.</summary>`

			`########################################`
			`## <summary>`
			`## Execute a domain transition to run seunshare.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed to transition.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`seunshare_domtrans',`
			gen_require(`
			`type seunshare_t, seunshare_exec_t;`
			`')`

			`domtrans_pattern($1, seunshare_exec_t, seunshare_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Execute seunshare in the seunshare domain, and`
			`## allow the specified role the seunshare domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## Role allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`seunshare_run',`
			gen_require(`
			`type seunshare_t;`
			`')`

			`seunshare_domtrans($1)`
			`role $2 types seunshare_t;`
Seunshare patch from Dan Walsh. 2009-12-01 15:31:28 +00:00
			`allow $1 seunshare_t:process signal_perms;`

			ifdef(`hide_broken_symptoms', `
			`dontaudit seunshare_t $1:tcp_socket rw_socket_perms;`
			`dontaudit seunshare_t $1:udp_socket rw_socket_perms;`
			`dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;`
			`')`
add seunshare from dan. 2009-09-28 19:40:06 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Role access for seunshare`
			`## </summary>`
			`## <param name="role">`
			`## <summary>`
			`## Role allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="domain">`
			`## <summary>`
			`## User domain for the role.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`seunshare_role',`
			gen_require(`
			`type seunshare_t;`
			`')`

			`role $2 types seunshare_t;`

			`seunshare_domtrans($1)`

			`ps_process_pattern($2, seunshare_t)`
			`allow $2 seunshare_t:process signal;`
			`')`