# SELinux policy module for cron-apt: the domain it runs in, the file types it
# owns (log, /var/lib state, tmp scratch), and the accesses that domain needs.
policy_module(cronapt,1.0.2)

########################################
#
# Declarations
#

# Process domain for cron-apt and the executable that enters it.
type cronapt_t;
type cronapt_exec_t;
domain_type(cronapt_t);
domain_entry_file(cronapt_t, cronapt_exec_t);
role system_r types cronapt_t;

# Log files written by cron-apt.
type cronapt_log_t;
logging_log_file(cronapt_log_t);

# Persistent state kept under /var/lib.
type cronapt_var_lib_t;
files_type(cronapt_var_lib_t);

# Scratch files and directories created in the tmp directory.
type cronapt_tmp_t;
files_tmp_file(cronapt_tmp_t)

########################################
#
# Local policy
#

#
# Process-level rights
#

# setuid/setgid let the domain change its own uid/gid; the cron-apt step that
# needs this is not visible from the policy alone -- TODO confirm.
allow cronapt_t self:capability { setgid setuid };

# Pipes between cron-apt and the commands it spawns (interface defined in
# cronapt.if, not shown here).
cronapt_rw_pipes(cronapt_t)

# Runs helper binaries and shell scripts from the standard bin directories.
corecmd_search_bin(cronapt_t)
corecmd_exec_bin(cronapt_t)
corecmd_exec_shell(cronapt_t)

# Shared library loading. The libs_use_* interfaces are deprecated in newer
# reference policy releases (domain_type already covers them there); they are
# kept for older bases that still define them.
libs_use_ld_so(cronapt_t)
libs_use_shared_libs(cronapt_t)
libs_read_lib_files(cronapt_t)

# Reads /dev/urandom.
dev_read_urand(cronapt_t)

#
# Files owned by this module
#

# Log directory: append is the normal log access; the extra write access is
# broader (it allows an existing log to be overwritten), so the narrower append
# rule is the one to fall back to if the "touch" requirement ever goes away.
logging_search_logs(cronapt_t)
# write is still needed, while cron-apt uses "touch"
append_files_pattern(cronapt_t, cronapt_log_t, cronapt_log_t)
write_files_pattern(cronapt_t, cronapt_log_t, cronapt_log_t)

# State under /var/lib: full management of the module's own files.
files_search_var_lib(cronapt_t)
manage_files_pattern(cronapt_t, cronapt_var_lib_t, cronapt_var_lib_t)

# Tmp: anything cron-apt creates in the tmp directory is labelled
# cronapt_tmp_t, and the domain manages those files and directories.
files_tmp_filetrans(cronapt_t, cronapt_tmp_t, { dir file })
manage_dirs_pattern(cronapt_t, cronapt_tmp_t, cronapt_tmp_t)
manage_files_pattern(cronapt_t, cronapt_tmp_t, cronapt_tmp_t)

#
# Read-only system access
#

files_search_pids(cronapt_t)
files_read_etc_files(cronapt_t)
files_read_etc_runtime_files(cronapt_t)
files_read_usr_files(cronapt_t)
miscfiles_read_localization(cronapt_t)

#
# Reporting
#

logging_send_syslog_msg(cronapt_t)

# Reports go out by mail. system_mail_t is neither declared nor required in
# this file; presumably mta_send_mail()'s own require brings it into scope --
# confirm against the base policy. cronapt_read_tmp_files is defined in
# cronapt.if (not shown) and lets the mailer read the tmp files, presumably
# the report body -- confirm.
mta_send_mail(cronapt_t)
cronapt_read_tmp_files(system_mail_t)

#
# Noise suppression (dontaudit grants nothing, it only silences denials)
#

kernel_dontaudit_read_system_state(cronapt_t)
selinux_dontaudit_getattr_fs(cronapt_t)
userdom_dontaudit_search_sysadm_home_dirs(cronapt_t)

#
# Optional integration with other modules
#

# Let the system cron daemon enter cronapt_t via cronapt_exec_t.
optional_policy(`
	cron_system_entry(cronapt_t, cronapt_exec_t)
')

# When the apt module is present: transition into apt_t for the actual apt
# run, and let apt_t append to cron-apt's tmp files (presumably the captured
# output -- confirm).
optional_policy(`
	require {
		type apt_t;
	}

	apt_domtrans(cronapt_t)
	allow apt_t cronapt_tmp_t:file append_file_perms;
')