#DESC uml_net helper program for user-mode Linux
#
# Author: Russell Coker <russell@coker.com.au>
#
# WARNING: Do not install this file on any machine that has hostile users.

type uml_net_t, domain, privlog;
type uml_net_exec_t, file_type, sysadmfile, exec_type;
in_user_role(uml_net_t)
allow uml_net_t self:process { fork signal_perms };
allow uml_net_t { bin_t sbin_t }:dir search;
allow uml_net_t self:fifo_file { read write };
allow uml_net_t device_t:dir search;
allow uml_net_t self:udp_socket { create ioctl };
uses_shlib(uml_net_t)
allow uml_net_t devtty_t:chr_file { read write };
allow uml_net_t etc_runtime_t:file { getattr read };
allow uml_net_t etc_t:file read;
allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
allow uml_net_t proc_t:file { getattr read };

# if you want ip_forward to be set then you should set it yourself
dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
dontaudit uml_net_t sysctl_net_t:file write;

dontaudit ifconfig_t uml_net_t:udp_socket { read write };
dontaudit uml_net_t self:capability sys_module;

allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
can_exec(uml_net_t, { shell_exec_t sbin_t })