| # Network namespace transitions |
| type execns, domain; |
| type execns_exec, exec_type, vendor_file_type, file_type; |
| |
| init_daemon_domain(execns) |
| |
| allow execns varrun_file:dir search; |
| allow execns varrun_file:file r_file_perms; |
| allow execns self:capability { sys_admin setuid setgid }; |
| allow execns nsfs:file { open read }; |
| |
| #Allow execns itself to be run by init in its own domain |
| domain_auto_trans(init, execns_exec, execns); |
| |
| # Allow dhcpclient to be run by execns in its own domain |
| domain_auto_trans(execns, dhcpclient_exec, dhcpclient); |
| |
| # Allow dhcpserver to be run by execns in its own domain |
| domain_auto_trans(execns, dhcpserver_exec, dhcpserver); |
| |
| # Allow hostapd_nohidl to be run by execns in its own domain |
| domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl); |
| |
| # Allow execns to read createns proc file to get the namespace file |
| allow execns createns:file read; |
| allow execns createns:dir search; |
| allow execns createns:lnk_file read; |