# SELinux type enforcement source for the osbuild policy module, version 1.0.0.
policy_module(osbuild, 1.0.0)
########################################
#
# Declarations
#
# Role attribute collecting every role that may be associated with osbuild_t.
# system_r is added here directly; other roles are passed to osbuild_run
# further down in this file.
attribute_role osbuild_roles;
roleattribute system_r osbuild_roles;
# osbuild_t is the process domain and osbuild_exec_t is the label of the
# executable that serves as its entry point.
type osbuild_t;
type osbuild_exec_t;
application_domain(osbuild_t, osbuild_exec_t)
# Authorize every role carried by the attribute to use the osbuild_t type.
role osbuild_roles types osbuild_t;
########################################
#
# osbuild local policy
#
# Self-directed IPC: manage FIFOs and create and use unix stream sockets
# that carry the osbuild_t label.
# NOTE(review): unconfined_domain is applied to osbuild_t later in this file
# and presumably already covers both rules -- confirm whether they are kept
# on purpose, for example as a base for a future confined policy.
allow osbuild_t self:fifo_file manage_fifo_file_perms;
allow osbuild_t self:unix_stream_socket create_stream_socket_perms;
# #####################################
# Customization
#
# make osbuild_t an unconfined domain
# Security note: with this call the module does not confine osbuild itself.
# What the separate osbuild_t label provides is a distinct source domain for
# the transition rules below. Any domain allowed to enter osbuild_t should be
# reviewed as if it were being granted unconfined access.
unconfined_domain(osbuild_t)
# execute setfiles in the setfiles_mac domain
# when in the osbuild_t domain
# NOTE(review): presumably needed so that image builds can write file labels
# that the host policy does not define -- confirm against the setfiles_mac_t
# policy in use.
seutil_domtrans_setfiles_mac(osbuild_t)
# osbuild_nnp_nosuid_trans is not defined in this file -- presumably it lives
# in the interface file of this module. Judging by its name it permits the
# transition into the given type even when the caller runs with no_new_privs
# or the executable sits on a nosuid mount -- TODO confirm against the
# interface definition. Such a rule relaxes a kernel hardening boundary so the
# list of target types should stay as short as possible.
osbuild_nnp_nosuid_trans(setfiles_mac_t)
# Allow sysadm and unconfined to run osbuild
# Each optional_policy block below is dropped when the types and roles it
# requires are missing from the base policy, so the module still loads on
# systems that lack the sysadm or unconfined modules.
# osbuild_run is defined outside this file -- presumably in the interface file
# of this module. By its name and arguments it lets the given domain start
# osbuild in osbuild_t and associates the given role -- TODO confirm.
# Security note: osbuild_t is declared unconfined in this file, so these three
# calls are the complete list of callers visible here that may enter it.
# Treat any addition to this list as a privilege grant.
#
# Caller: sysadm_t running under sysadm_r.
optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
')
osbuild_run(sysadm_t, sysadm_r)
')
# Caller: unconfined_t running under unconfined_r.
optional_policy(`
gen_require(`
type unconfined_t;
role unconfined_r;
')
osbuild_run(unconfined_t, unconfined_r)
')
# Caller: unconfined_service_t running under system_r. The declarations
# section of this file already adds system_r to osbuild_roles.
optional_policy(`
gen_require(`
type unconfined_service_t;
role system_r;
')
osbuild_run(unconfined_service_t, system_r)
')
# allow transitioning to install_t (for ostree)
# Optional: applied only when the policy that provides
# anaconda_domtrans_install is available at build time.
# The second call applies the same no_new_privs and nosuid relaxation to
# install_t that this file applies to setfiles_mac_t -- see the interface
# definition of osbuild_nnp_nosuid_trans for the exact permissions.
# NOTE(review): install_t is not named in a gen_require in this block.
# Presumably the anaconda interface brings it into scope -- confirm.
optional_policy(`
anaconda_domtrans_install(osbuild_t)
osbuild_nnp_nosuid_trans(install_t)
')