selinux-policy/policy/modules/services/oddjob.if

## <summary>
##	Oddjob provides a mechanism by which unprivileged applications can
##	request that specified privileged operations be performed on their
##	behalf.
## </summary>

########################################
## <summary>
##	Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`oddjob_domtrans',`
	gen_require(`
		type oddjob_t, oddjob_exec_t;
	')

	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')

#####################################
## <summary>
##	Do not audit attempts to read and write 
##	oddjob fifo file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`oddjob_dontaudit_rw_fifo_file',`
	gen_require(`
		type shutdown_t;
	')

	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Make the specified program domain accessable
##	from the oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to transition to.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type of the file used as an entrypoint to this domain.
##	</summary>
## </param>
#
interface(`oddjob_system_entry',`
	gen_require(`
		type oddjob_t;
	')

	domtrans_pattern(oddjob_t, $2, $1)
	domain_user_exemption_target($1)
')

########################################
## <summary>
##	Send and receive messages from
##	oddjob over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_dbus_chat',`
	gen_require(`
		type oddjob_t;
		class dbus send_msg;
	')

	allow $1 oddjob_t:dbus send_msg;
	allow oddjob_t $1:dbus send_msg;
')

######################################
## <summary>
##	Send a SIGCHLD signal to oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_sigchld',`
	gen_require(`
		type oddjob_t;
	')

	allow $1 oddjob_t:process sigchld;
')

########################################
## <summary>
##	Execute a domain transition to run oddjob_mkhomedir.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	')

	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')

########################################
## <summary>
##	Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t;
	')

	oddjob_domtrans_mkhomedir($1)
	role $2 types oddjob_mkhomedir_t;
')