1# Run by odsign to verify a CompOS signature 2type compos_verify, domain, coredomain; 3type compos_verify_exec, exec_type, file_type, system_file_type; 4 5# Start a VM 6binder_use(compos_verify); 7virtualizationservice_use(compos_verify); 8 9# Access instance image files 10allow compos_verify apex_module_data_file:dir search; 11r_dir_file(compos_verify, apex_compos_data_file) 12 13# Read CompOS info & signature files 14allow compos_verify apex_art_data_file:dir search; 15allow compos_verify apex_art_data_file:file r_file_perms; 16 17# Allow odsign to redirect our stdout/stderr to log 18allow compos_verify odsign:fd use; 19allow compos_verify odsign_devpts:chr_file { read write }; 20 21# Only odsign can enter the domain via exec 22neverallow { domain -odsign } compos_verify:process transition; 23neverallow * compos_verify:process dyntransition; 24