selinux-policy/policy/modules/system/application.if

## <summary>Policy for user executable applications.</summary>

########################################
## <summary>
##	Make the specified type usable as an application domain.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a domain type.
##	</summary>
## </param>
#
interface(`application_type',`
	gen_require(`
		attribute application_domain_type;
	')

	typeattribute $1 application_domain_type;

	# start with basic domain
	domain_type($1)
')

########################################
## <summary>
##	Make the specified type usable for files
##	that are exectuables, such as binary programs.
##	This does not include shared libraries.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
#
interface(`application_executable_file',`
	gen_require(`
		attribute application_exec_type;
	')

	typeattribute $1 application_exec_type;

	corecmd_executable_file($1)
')

########################################
## <summary>
## Execute application executables in the caller domain.
## </summary>
## <param name="type">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`application_exec',`
	gen_require(`
		attribute application_exec_type;
	')

	can_exec($1, application_exec_type)
')

########################################
## <summary>
##	Execute all executable files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`application_exec_all',`
	corecmd_dontaudit_exec_all_executables($1)
	corecmd_exec_bin($1)
	corecmd_exec_shell($1)
	corecmd_exec_chroot($1)

	application_exec($1)
')

########################################
## <summary>
##	Create a domain which can be started by users
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
interface(`application_domain',`
	application_type($1)
	application_executable_file($2)
	domain_entry_file($1, $2)
')

########################################
## <summary>
##	Send signull to all application domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`application_signull',`
	gen_require(`
		attribute application_domain_type;
	')

	allow $1 application_domain_type:process signull;
')