policy_module(sobby,1.0.0)

########################################
#
# Declarations
#

# sobby_t is the confined process domain; sobby_exec_t labels the daemon
# executable and is registered as the init-started entry point below.
type sobby_t;
type sobby_exec_t;
domain_type(sobby_t)
init_daemon_domain(sobby_t, sobby_exec_t)

# Label for the init script that starts the daemon.
type sobby_script_exec_t;
init_script_type(sobby_script_exec_t)

# Read/write data owned by the daemon.
type sobby_rw_t;
files_type(sobby_rw_t)

# Configuration that the daemon is allowed to modify.
type sobby_etc_rw_t;
files_type(sobby_etc_rw_t)

# Port type for the listening socket. The port number bound to this type is
# not assigned in this file; it has to come from port labeling elsewhere.
type sobby_port_t;
corenet_port(sobby_port_t)

########################################
#
# sobby local policy
#

# Init script handling
domain_use_interactive_fds(sobby_t)

## internal communication is often done using fifo and unix sockets.
allow sobby_t self:fifo_file rw_file_perms;
allow sobby_t self:unix_stream_socket create_stream_socket_perms;

# Baseline access: generic /etc files, dynamic linker, shared libraries,
# locale data.
files_read_etc_files(sobby_t)

libs_use_ld_so(sobby_t)
libs_use_shared_libs(sobby_t)

miscfiles_read_localization(sobby_t)

# Under the targeted policy, suppress audit noise for terminal access
# (dontaudit rules only, no access is granted here).
ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(sobby_t)
	term_dontaudit_use_generic_ptys(sobby_t)
')

# Daemon data.
# NOTE(review): directories of sobby_rw_t get create_dir_perms while
# directories of sobby_etc_rw_t get manage_dir_perms. What create_dir_perms
# expands to depends on the refpolicy version in use; confirm the daemon can
# actually add and remove entries in its sobby_rw_t directories. A shortfall
# here could contribute to the denials handled at the end of this file.
allow sobby_t sobby_rw_t:file manage_file_perms;
allow sobby_t sobby_rw_t:dir create_dir_perms;

# Daemon-writable configuration; files and directories the daemon creates in
# the etc directory transition to sobby_etc_rw_t.
allow sobby_t sobby_etc_rw_t:file manage_file_perms;
allow sobby_t sobby_etc_rw_t:dir manage_dir_perms;
files_etc_filetrans(sobby_t,sobby_etc_rw_t, { file dir })

# Networking.
# NOTE(review): name_bind is limited to sobby_port_t, but TCP send/receive is
# granted on all interfaces, nodes and ports, and unlabeled packets are
# accepted. No explicit name_connect rule is added in this file. If the
# daemon only serves its own port, check whether the all-ports grant can be
# narrowed.
sysnet_dns_name_resolve(sobby_t)
corenet_all_recvfrom_unlabeled(sobby_t)

allow sobby_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(sobby_t)
corenet_tcp_sendrecv_all_nodes(sobby_t)
corenet_tcp_sendrecv_all_ports(sobby_t)
corenet_tcp_bind_all_nodes(sobby_t)
allow sobby_t sobby_port_t:tcp_socket name_bind;

# Allow access to random entropy
dev_read_urand(sobby_t)
dev_read_rand(sobby_t)

# Search (not read or write) the top-level home directory.
files_search_home(sobby_t)

### Uhh?
### audit2allow spit this out, but it looks like something
### may be wrong with the initial labeling of /srv/sobby
#
# NOTE(review): everything below is pasted audit2allow output. It lets a
# network-facing daemon create and write files labeled user_home_dir_t and
# manage generic user home directories, which is far wider than a daemon
# data directory needs. If the denials came from /srv/sobby carrying a home
# directory label, the narrower fix is to label /srv/sobby as sobby_rw_t in
# the file contexts for this module (not shown here), relabel with
# restorecon, and then drop these rules. Re-check the AVC denials after
# relabeling before keeping any of them.
require {
	type sobby_t;
	type user_home_dir_t;
	class file { write create };
}

#============= sobby_t ==============
allow sobby_t user_home_dir_t:file { write create };
userdom_manage_generic_user_home_dirs(sobby_t)