## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
#
# Interfaces that other policy modules call to interact with the oddjob
# domains. The types, classes and attributes named in each gen_require
# block are declared outside this file.
#

########################################
## <summary>
##	Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`oddjob_domtrans',`
	gen_require(`
		type oddjob_t, oddjob_exec_t;
	')

	# The caller is handed to corecmd_search_bin before the transition
	# rule; presumably the oddjob executable sits under a bin directory.
	# That macro is defined outside this file, confirm there.
	corecmd_search_bin($1)
	# Transition from the caller into oddjob_t through oddjob_exec_t.
	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')

########################################
## <summary>
##	Make the specified program domain
##	accessible from oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to transition to.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type of the file used as an entrypoint to this domain.
##	</summary>
## </param>
#
interface(`oddjob_system_entry',`
	gen_require(`
		type oddjob_t;
	')

	# Direction is the reverse of oddjob_domtrans: oddjob_t is the
	# source and the caller-supplied domain is the target. Every caller
	# of this interface adds one more program that oddjob can start in
	# its own domain, so review the callers when auditing what the
	# D-Bus service is able to reach.
	domtrans_pattern(oddjob_t, $2, $1)
')

########################################
## <summary>
##	Send and receive messages from
##	oddjob over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_dbus_chat',`
	gen_require(`
		type oddjob_t;
		class dbus send_msg;
	')

	# Both directions are granted: caller to oddjob and oddjob back to
	# the caller. These rules cover only the SELinux dbus send_msg
	# check; any bus-level policy is enforced separately and is not
	# visible in this file.
	allow $1 oddjob_t:dbus send_msg;
	allow oddjob_t $1:dbus send_msg;
')

########################################
## <summary>
##	Execute a domain transition to
##	run oddjob mkhomedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	')

	# Same shape as oddjob_domtrans, but the target is the separate
	# oddjob_mkhomedir_t domain entered through oddjob_mkhomedir_exec_t.
	corecmd_search_bin($1)
	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')

########################################
## <summary>
##	Execute oddjob mkhomedir in the
##	oddjob mkhomedir domain and allow
##	the specified role the oddjob
##	mkhomedir domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run_mkhomedir',`
	gen_require(`
		attribute_role oddjob_mkhomedir_roles;
	')

	# Two steps: the domain transition for the caller, then the role is
	# added to the oddjob_mkhomedir_roles attribute. The attribute is
	# declared outside this file; presumably it is what authorizes a
	# role for oddjob_mkhomedir_t, confirm in the module policy.
	oddjob_domtrans_mkhomedir($1)
	roleattribute $2 oddjob_mkhomedir_roles;
')

#####################################
## <summary>
##	Do not audit attempts to read and write
##	oddjob fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`oddjob_dontaudit_rw_fifo_files',`
	gen_require(`
		type oddjob_t;
	')

	# dontaudit grants nothing: the access is still denied and only the
	# AVC denial message is suppressed. When a failure involving these
	# fifo files is being investigated, rebuild the policy with
	# dontaudit rules disabled, for example with semodule -DB, so the
	# denial appears in the audit log.
	dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
')

######################################
## <summary>
##	Send child terminated signals to oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_sigchld',`
	gen_require(`
		type oddjob_t;
	')

	# The caller is the source and oddjob_t the target, so this lets
	# the caller domain deliver SIGCHLD to oddjob and nothing else from
	# the process class.
	allow $1 oddjob_t:process sigchld;
')