#DESC LRRD - network-wide load graphing
#
# Author:  Erich Schubert <erich@debian.org>
# X-Debian-Packages: lrrd-client, lrrd-server
#

#################################
#
# Rules for the lrrd_t domain.
#
# lrrd_exec_t is the type of the lrrd executable.
#
daemon_domain(lrrd)

allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;

etcdir_domain(lrrd)
type lrrd_var_lib_t, file_type, sysadmfile;

log_domain(lrrd)
tmp_domain(lrrd)

# has cron jobs
system_crond_entry(lrrd_exec_t, lrrd_t)
allow crond_t lrrd_var_lib_t:dir search;

# init script
allow initrc_t lrrd_log_t:file { write append setattr ioctl };

# allow to drop privileges and renice
allow lrrd_t self:capability { setgid setuid };
allow lrrd_t self:process { getsched setsched };

allow lrrd_t urandom_device_t:chr_file { getattr read };
allow lrrd_t proc_t:file { getattr read };
allow lrrd_t usr_t:file { read ioctl };

can_exec(lrrd_t, bin_t)
allow lrrd_t bin_t:dir search;
allow lrrd_t usr_t:lnk_file read;

# Allow access to the lrrd databases
create_dir_file(lrrd_t, lrrd_var_lib_t)
allow lrrd_t var_lib_t:dir search;

# read config files
r_dir_file(initrc_t, lrrd_etc_t)
allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
# for accessing the output directory
ifdef(`apache.te', `
allow lrrd_t httpd_sys_content_t:dir search;
')

allow lrrd_t etc_t:dir search;

can_unix_connect(sysadm_t, lrrd_t)
can_unix_connect(lrrd_t, lrrd_t)
can_unix_send(lrrd_t, lrrd_t)
can_network_server(lrrd_t)
can_ypbind(lrrd_t)

ifdef(`logrotate.te', `
r_dir_file(logrotate_t, lrrd_etc_t)
allow logrotate_t lrrd_var_lib_t:dir search;
allow logrotate_t lrrd_var_run_t:dir search;
allow logrotate_t lrrd_var_run_t:sock_file write;
can_unix_connect(logrotate_t, lrrd_t)
')