#
# ORBit related types
#
# Author: Ivan Gyurdiev
#
# orbit_domain(prefix, role_prefix) - create ORBit sockets
# orbit_connect(type1_prefix, type2_prefix)
#	- allow communication through ORBit sockets from type1 to type2
#
# Argument conventions, as used by the rules below:
#   orbit_domain:  $1 is the domain prefix ($1_t is the process type and
#                  $1_orbit_tmp_t the type declared for its sockets);
#                  $2 is the role prefix ($2_orbit_tmp_t labels the parent
#                  directory, $2_file_type is attached as an attribute).
#   orbit_connect: $1 is the connecting side, $2 the side that owns the socket.
#
# NOTE(review): file_type_auto_trans, can_unix_connect and the *_perms
# permission sets are defined elsewhere in the policy; comments that describe
# them here are assumptions to confirm against those definitions.
#
# Maintenance note: the macro bodies are m4-quoted text, so comments placed
# inside them must not contain m4 quote characters.
#

define(`orbit_domain', `

# Protect against double inclusion for speed and correctness
# (a second expansion with the same two arguments would repeat the type
# declaration below)
ifdef(`orbit_domain_$1_$2', `', `
define(`orbit_domain_$1_$2')

# Relabel directory (startup script)
# Relabeling needs relabelfrom on the old type and relabelto on the new one,
# so this rule by itself only covers objects already labeled with the ORBit
# type of this domain; bringing an object in from another type requires a
# relabelfrom grant on that type elsewhere in the policy.
allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };

# Type for ORBit sockets
# The attributes (file_type, the per-role file_type, sysadmfile, tmpfile) are
# declared elsewhere; rules written against them also apply to this type.
type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
# NOTE(review): presumably labels objects this domain creates inside a
# directory of the role-level ORBit type with the per-domain type - confirm
# against the definition of file_type_auto_trans.
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
# Read-only directory access on tmp_t; no write or add_name is granted here.
allow $1_t tmp_t:dir { read search getattr };

# Create the sockets
# Both rules target self, so they cover sockets owned by this domain only.
# Access from other domains is granted separately through orbit_connect.
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;

# Use random device(s)
# Read side only; no write permission on either device is granted.
allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };

# Why do they do that?
# dontaudit grants nothing: setattr on the role-level ORBit directory stays
# denied, but the denial is not logged, so it will not show up when
# reviewing AVC messages for this domain.
dontaudit $1_t $2_orbit_tmp_t:dir setattr;

') dnl ifdef orbit_domain_args
') dnl orbit_domain

##########################

define(`orbit_connect', `

# One-way grant from the first domain to the second; the reverse direction
# needs its own orbit_connect call with the arguments swapped.
# No inclusion guard here; the visible body declares no types.
# NOTE(review): can_unix_connect is defined elsewhere - presumably it grants
# the unix stream socket connect permission between the two domains; confirm.
can_unix_connect($1_t, $2_t)
# The grant is per type, not per socket: every socket file carrying the ORBit
# label of the second domain becomes writable by the first, so any finer
# restriction has to come from outside this rule.
allow $1_t $2_orbit_tmp_t:sock_file write;

') dnl orbit_connect