Filesystem namespacing/polyinstantiation application.

######################################## ##

## Execute a domain transition to run seunshare. ##

## ##

## Domain allowed to transition. ##

## # interface(`seunshare_domtrans',` gen_require(` type seunshare_t, seunshare_exec_t; ') domtrans_pattern($1, seunshare_exec_t, seunshare_t) ') ######################################## ##

## Execute seunshare in the seunshare domain, and ## allow the specified role the seunshare domain. ##

## ##

## Domain allowed to transition. ##

## ## ##

## Role allowed access. ##

## # interface(`seunshare_run',` gen_require(` type seunshare_t; ') seunshare_domtrans($1) role $2 types seunshare_t; allow $1 seunshare_t:process signal_perms; ifdef(`hide_broken_symptoms', ` dontaudit seunshare_t $1:tcp_socket rw_socket_perms; dontaudit seunshare_t $1:udp_socket rw_socket_perms; dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; ') ') ######################################## ##

## The role template for the seunshare module. ##

## ##

## The prefix of the user role (e.g., user ## is the prefix for user_r). ##

## ## ##

## Role allowed access. ##

## ## ##

## User domain for the role. ##

## # interface(`seunshare_role_template',` gen_require(` attribute seunshare_domain; type seunshare_exec_t; ') type $1_seunshare_t, seunshare_domain; application_domain($1_seunshare_t, seunshare_exec_t) role $2 types $1_seunshare_t; mls_process_set_level($1_seunshare_t) domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) sandbox_transition($1_seunshare_t, $2) ps_process_pattern($3, $1_seunshare_t) allow $3 $1_seunshare_t:process signal_perms; allow $1_seunshare_t $3:process transition; dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; ifdef(`hide_broken_symptoms', ` dontaudit $1_seunshare_t $3:socket_class_set { read write }; ') ')