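policy_module(sec, 1.0.3)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow sec to use iptables
## </p>
## </desc>
gen_tunable(allow_sec_use_iptables, false)

## <desc>
## <p>
## Allow sec to send mails e.g. via /bin/mail
## </p>
## </desc>
gen_tunable(allow_sec_send_mail, false)

# Daemon domain and entrypoint: init_daemon_domain() sets up the
# init -> sec_t transition on execution of a sec_exec_t binary.
type sec_t;
type sec_exec_t;
init_daemon_domain(sec_t, sec_exec_t)

# Private types for the daemon's log, pid and temp files, so that
# nothing else on the system is labelled with them.
type sec_log_t;
logging_log_file(sec_log_t)

type sec_var_run_t;
files_pid_file(sec_var_run_t)

type sec_tmp_t;
files_tmp_file(sec_tmp_t)

########################################
#
# Local policy
#

# Only the two capabilities the daemon needs; keep this list minimal.
allow sec_t self:capability { setgid sys_tty_config };

# Log file: append only, new files under the log directory are
# labelled sec_log_t automatically.
append_files_pattern(sec_t, sec_log_t, sec_log_t)
logging_log_filetrans(sec_t, sec_log_t, file)

# Pid file and temp files/dirs get the private types on creation.
manage_files_pattern(sec_t, sec_var_run_t, sec_var_run_t)
files_pid_filetrans(sec_t, sec_var_run_t, file)

manage_files_pattern(sec_t, sec_tmp_t, sec_tmp_t)
files_tmp_filetrans(sec_t, sec_tmp_t, { file dir })

files_read_etc_files(sec_t)
files_read_usr_files(sec_t)

# Own-module interface (defined in sec.if): pipe access for the daemon.
sec_rw_pipes(sec_t)

init_use_fds(sec_t)

# Read access to every log type on the system.  This is the broadest
# grant in the module; it is the daemon's input, not a side effect.
logging_read_all_logs(sec_t)

kernel_dontaudit_read_system_state(sec_t)
term_dontaudit_use_console(sec_t)
userdom_dontaudit_search_sysadm_home_dirs(sec_t)

miscfiles_read_localization(sec_t)

libs_use_ld_so(sec_t)
libs_use_shared_libs(sec_t)

dev_read_urand(sec_t)

# The daemon runs actions through a shell; everything it can reach from
# there is bounded by sec_t's own rules above, unless a tunable below
# opens a transition into another domain.
corecmd_exec_shell(sec_t)
corecmd_read_bin_symlinks(sec_t)

# Cross-module interfaces are wrapped in optional_policy() so the
# module still links when the iptables / mta modules are not loaded;
# the tunables default to false, so both paths are opt-in at runtime.
optional_policy(`
	tunable_policy(`allow_sec_use_iptables',`
		corecmd_search_bin(sec_t)
		# Domain transition into iptables_t, i.e. firewall changes
		# driven by the daemon's configured actions.
		iptables_domtrans(sec_t)
	')
')

optional_policy(`
	# system_mail_t is referenced directly below, so require it here
	# rather than at file scope: a top-level require would make the
	# whole module fail to load without mta even with the boolean off.
	gen_require(`
		type system_mail_t;
	')

	tunable_policy(`allow_sec_send_mail',`
		corecmd_exec_bin(sec_t)
		mta_send_mail(sec_t)
		# The mailer may read the daemon's temp files (message bodies
		# handed over via sec_tmp_t); own-module interface from sec.if.
		sec_read_tmp_files(system_mail_t)
	')
')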