policy_module(usbguard, 1.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether authorized users can control the daemon,
##	which requires usbguard-daemon to be able modify its rules in
##	/etc/usbguard.
##	</p>
## </desc>
gen_tunable(usbguard_user_modify_rule_files, false)

type usbguard_t;
type usbguard_daemon_exec_t;
init_daemon_domain(usbguard_t, usbguard_daemon_exec_t)

type usbguard_conf_t;
files_config_file(usbguard_conf_t)

type usbguard_log_t;
logging_log_file(usbguard_log_t)

type usbguard_rules_t;
files_config_file(usbguard_rules_t)

# /dev/shm
type usbguard_tmpfs_t;
files_tmpfs_file(usbguard_tmpfs_t)

########################################
#
# Usbguard local policy
#

allow usbguard_t self:capability { chown dac_read_search fowner };
allow usbguard_t self:netlink_kobject_uevent_socket create_socket_perms;
allow usbguard_t self:unix_stream_socket rw_stream_socket_perms;

files_read_etc_files(usbguard_t)
list_dirs_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)

manage_dirs_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
manage_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
mmap_read_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
fs_tmpfs_filetrans(usbguard_t, usbguard_tmpfs_t, { dir file })

append_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
create_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
logging_log_filetrans(usbguard_t, usbguard_log_t, file)
setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)

dev_rw_sysfs(usbguard_t)

tunable_policy(`usbguard_user_modify_rule_files',`
	manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
')