policy_module(cfengine, 1.4.0)

########################################
#
# Declarations
#

attribute cfengine_domain;

cfengine_domain_template(serverd)
cfengine_domain_template(execd)
cfengine_domain_template(monitord)

type cfengine_initrc_exec_t;
init_script_file(cfengine_initrc_exec_t)

type cfengine_var_lib_t;
files_type(cfengine_var_lib_t)

type cfengine_log_t;
logging_log_file(cfengine_log_t)

########################################
#
# Common cfengine domain local policy
#

allow cfengine_domain self:capability { chown kill setgid setuid sys_chroot };
allow cfengine_domain self:process { setfscreate signal };
allow cfengine_domain self:fifo_file rw_fifo_file_perms;
allow cfengine_domain self:unix_stream_socket { accept listen };

manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, dir)

manage_dirs_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
append_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)

kernel_read_system_state(cfengine_domain)

corecmd_exec_bin(cfengine_domain)
corecmd_exec_shell(cfengine_domain)

dev_read_urand(cfengine_domain)
dev_read_sysfs(cfengine_domain)

logging_send_syslog_msg(cfengine_domain)

miscfiles_read_localization(cfengine_domain)

sysnet_domtrans_ifconfig(cfengine_domain)

########################################
#
# Exec local policy
#

kernel_read_sysctl(cfengine_execd_t)

domain_read_all_domains_state(cfengine_execd_t)

########################################
#
# Monitord local policy
#

kernel_read_hotplug_sysctls(cfengine_monitord_t)
kernel_read_network_state(cfengine_monitord_t)

domain_read_all_domains_state(cfengine_monitord_t)

fs_getattr_xattr_fs(cfengine_monitord_t)