policy_module(userhelper, 1.12.0)

########################################
#
# Declarations
#

attribute consolehelper_type;
attribute userhelper_type;

attribute_role consolehelper_roles;
attribute_role userhelper_roles;

type userhelper_conf_t;
files_config_file(userhelper_conf_t)

type userhelper_exec_t;
application_executable_file(userhelper_exec_t)

type consolehelper_exec_t;
application_executable_file(consolehelper_exec_t)

########################################
#
# Common consolehelper domain local policy
#

allow consolehelper_type self:capability { dac_override setgid setuid };
allow consolehelper_type self:process signal;
allow consolehelper_type self:fifo_file rw_fifo_file_perms;
allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
allow consolehelper_type self:shm create_shm_perms;

dontaudit consolehelper_type userhelper_conf_t:file audit_access;
read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)

domain_use_interactive_fds(consolehelper_type)

kernel_read_system_state(consolehelper_type)
kernel_read_kernel_sysctls(consolehelper_type)

corecmd_exec_bin(consolehelper_type)

dev_getattr_all_chr_files(consolehelper_type)
dev_dontaudit_list_all_dev_nodes(consolehelper_type)

files_read_config_files(consolehelper_type)
files_read_usr_files(consolehelper_type)

fs_getattr_all_dirs(consolehelper_type)
fs_getattr_all_fs(consolehelper_type)
fs_search_auto_mountpoints(consolehelper_type)
files_search_mnt(consolehelper_type)

term_list_ptys(consolehelper_type)

auth_search_pam_console_data(consolehelper_type)
auth_read_pam_pid(consolehelper_type)

miscfiles_read_localization(consolehelper_type)
miscfiles_read_fonts(consolehelper_type)

userhelper_exec(consolehelper_type)

userdom_use_user_terminals(consolehelper_type)

# might want to make this consolehelper_tmp_t
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })

tunable_policy(`use_nfs_home_dirs',`
	fs_search_nfs(consolehelper_type)
')

tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(consolehelper_type)
')

optional_policy(`
	shutdown_run(consolehelper_type, consolehelper_roles)
	shutdown_signal(consolehelper_type)
')

optional_policy(`
	xserver_domtrans_xauth(consolehelper_type)
	xserver_read_xdm_pid(consolehelper_type)
	xserver_stream_connect(consolehelper_type)
')

########################################
#
# Common userhelper domain local policy
#

allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
allow userhelper_type self:shm create_shm_perms;
allow userhelper_type self:sem create_sem_perms;
allow userhelper_type self:msgq create_msgq_perms;
allow userhelper_type self:msg { send receive };
allow userhelper_type self:unix_dgram_socket sendto;
allow userhelper_type self:unix_stream_socket { accept connectto listen };

dontaudit userhelper_type userhelper_conf_t:file audit_access;
read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)

can_exec(userhelper_type, userhelper_exec_t)

kernel_read_all_sysctls(userhelper_type)
kernel_getattr_debugfs(userhelper_type)
kernel_read_system_state(userhelper_type)

corecmd_exec_shell(userhelper_type)

domain_use_interactive_fds(userhelper_type)
domain_sigchld_interactive_fds(userhelper_type)

dev_read_urand(userhelper_type)
dev_list_all_dev_nodes(userhelper_type)

files_list_var_lib(userhelper_type)
files_read_var_files(userhelper_type)
files_read_var_symlinks(userhelper_type)
files_search_home(userhelper_type)

fs_getattr_all_fs(userhelper_type)
fs_search_auto_mountpoints(userhelper_type)

selinux_get_fs_mount(userhelper_type)
selinux_validate_context(userhelper_type)
selinux_compute_access_vector(userhelper_type)
selinux_compute_create_context(userhelper_type)
selinux_compute_relabel_context(userhelper_type)
selinux_compute_user_contexts(userhelper_type)

term_list_ptys(userhelper_type)
term_relabel_all_ttys(userhelper_type)
term_relabel_all_ptys(userhelper_type)
term_use_all_ttys(userhelper_type)
term_use_all_ptys(userhelper_type)

auth_manage_pam_pid(userhelper_type)
auth_manage_var_auth(userhelper_type)
auth_search_pam_console_data(userhelper_type)

init_use_fds(userhelper_type)
init_manage_utmp(userhelper_type)
init_runtime_filetrans_utmp(userhelper_type)

logging_send_syslog_msg(userhelper_type)

miscfiles_read_localization(userhelper_type)

seutil_read_config(userhelper_type)
seutil_read_default_contexts(userhelper_type)

optional_policy(`
	rpm_domtrans(userhelper_type)
')