--- /dev/null
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
--- /dev/null
+## <summary>Myapp example policy</summary>
+## <desc>
+## <p>
+## More descriptive text about myapp. The <desc>
+## tag can also use <p>, <ul>, and <ol>
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following myapp features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+#
+
+########################################
+## <summary>
+## Execute a domain transition to run myapp.
+## </summary>
+## <param name="domain">
+## Domain allowed to transition.
+## </param>
+#
+interface(`myapp_domtrans',`
+ gen_requires(`
+ type myapp_t, myapp_exec_t;
+ ')
+
+ domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+ allow $1 myapp_t:fd use;
+ allow myapp_t $1:fd use;
+ allow $1 myapp_t:fifo_file rw_file_perms;
+ allow $1 myapp_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read myapp log files.
+## </summary>
+## <param name="domain">
+## Domain allowed to read the log files.
+## </param>
+#
+interface(`myapp_read_log',`
+ gen_requires(`
+ type myapp_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 myapp_log_t:file r_file_perms;
+')
--- /dev/null
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file ra_file_perms;
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_filetrans_tmp(myapp_t,myapp_tmp_t,file)
+
projects / people / stevee / selinux-policy.git / commitdiff
