policy_module(tdm2, 1.3.0)

########################################
#
# Declarations
#
# SELinux module for the 3DM2 RAID management daemon (the help-file
# path below mentions AMCC/3DM2 and the device comment names /dev/twa0,
# the 3ware controller node).  The daemon runs as tdm2_t.
#

# NOTE(review): a raw require block names kernel/device types directly
# instead of going through an interface.  Reference-policy style prefers
# a dev_*/storage_* interface for the filetrans rule below, if the target
# policy tree provides one — confirm before tightening.
require {
	type device_t, fixed_disk_device_t;
}

# Daemon domain and its entry-point executable type; init_daemon_domain
# sets up the init -> tdm2_t transition and the usual daemon basics.
type tdm2_t;
type tdm2_exec_t;
init_daemon_domain(tdm2_t, tdm2_exec_t)

# Configuration files (labelled by this module's .fc file).
type tdm2_etc_t;
files_config_file(tdm2_etc_t)

# Log files under /var/log.
type tdm2_log_t;
logging_log_file(tdm2_log_t)

########################################
#
# Local policy
#

# execmem permits executable anonymous memory (W+X mappings), which
# weakens NX hardening for this domain.  It is granted as-is here;
# verify the binary actually needs it rather than carrying it forward.
allow tdm2_t self:process { execmem sigkill signal };
# CAP_MKNOD: needed to create the device node covered by the filetrans
# rule further down.
allow tdm2_t self:capability mknod;
allow tdm2_t self:fifo_file { read write };
# Only listen/accept are granted explicitly; create/bind/connect on the
# socket are presumably supplied by sysnet_dns_name_resolve below
# (it grants create_socket_perms in reference policy) — verify if the
# daemon fails to open its listening socket.
allow tdm2_t self:tcp_socket { listen accept };
# Datagram socket, presumably the /dev/log path used by syslog().
allow tdm2_t self:unix_dgram_socket { create_socket_perms sendto };

# daemon needs write permission on config files
# NOTE(review): this is full manage (create/unlink/rename/write), so a
# compromised daemon can rewrite its own configuration.  If the config
# holds credentials for the management interface, confirm that write
# access is genuinely required rather than read-only.
manage_files_pattern(tdm2_t, tdm2_etc_t, tdm2_etc_t)

logging_search_logs(tdm2_t)
# daemon needs read and write rights on logfile
# No create permission is given: the log file must already exist with
# the tdm2_log_t label (or be created via a transition not in this
# module).  If the daemon creates its own log, a logging_log_filetrans
# rule would be needed — confirm against denials.
rw_files_pattern(tdm2_t, tdm2_log_t, tdm2_log_t)

kernel_read_kernel_sysctls(tdm2_t)
kernel_read_system_state(tdm2_t)

# /dev/twa0 may be created and removed by tdm2_t
# Nodes created under /dev (device_t) get the fixed_disk_device_t label.
filetrans_pattern(tdm2_t, device_t, fixed_disk_device_t, chr_file)
# Raw read/write on fixed-disk device nodes (the exact set of extra
# permissions, e.g. create/unlink, depends on the reference-policy
# version).  This is the module's broadest grant: raw disk access is
# effectively root-equivalent for on-disk data.
storage_manage_fixed_disk(tdm2_t)

# /etc/nsswitch.conf
files_read_etc_files(tdm2_t)

# AMCC/3DM2/help/...
files_read_usr_files(tdm2_t)

# /sys/class/scsi_host/host0/stats
dev_read_sysfs(tdm2_t)
dev_read_urand(tdm2_t)

# Read/write access to the console device.
term_use_console(tdm2_t)

miscfiles_read_localization(tdm2_t)

# NOTE(review): in recent reference-policy releases these two are
# deprecated (covered by the domain base type); they are harmless on
# older trees.
libs_use_ld_so(tdm2_t)
libs_use_shared_libs(tdm2_t)

logging_send_syslog_msg(tdm2_t)

# Networking
sysnet_dns_name_resolve(tdm2_t)
# NOTE(review): send/receive, connect and bind on ALL TCP ports is far
# wider than a single management daemon needs.  Least privilege would be
# a dedicated port type for the listening port (declared through the
# corenetwork layer) with corenet_tcp_bind_<svc>_port, and outbound
# connect restricted to whatever the daemon actually talks to (e.g. an
# SMTP port if it sends mail alerts — TODO confirm from the daemon's
# configuration).  Left unchanged here because the port is not known
# from this file.
corenet_tcp_sendrecv_all_ports(tdm2_t)
corenet_tcp_connect_all_ports(tdm2_t)
corenet_tcp_bind_all_ports(tdm2_t)
# Bind on any local address (node), i.e. listen on all interfaces.
corenet_tcp_bind_all_nodes(tdm2_t)