policy_module(obfs4proxy)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether obfs4proxy can bind
##	tcp sockets to all unreserved ports.
##	</p>
## </desc>
gen_tunable(obfs4proxy_bind_all_unreserved_ports, false)

## <desc>
##	<p>
##	Determine whether obfs4proxy can bind
##	tcp sockets to all http ports.
##	</p>
## </desc>
gen_tunable(obfs4proxy_bind_http_ports, false)

type obfs4proxy_t;
type obfs4proxy_exec_t;
init_daemon_domain(obfs4proxy_t, obfs4proxy_exec_t)

########################################
#
# Local policy
#

allow obfs4proxy_t self:process signal;
allow obfs4proxy_t self:tcp_socket create_stream_socket_perms;

corenet_tcp_bind_generic_node(obfs4proxy_t)
corenet_tcp_connect_all_unreserved_ports(obfs4proxy_t)

files_search_var_lib(obfs4proxy_t)
fs_getattr_all_dirs(obfs4proxy_t)
tor_rw_pt_state_var_files(obfs4proxy_t)

tunable_policy(`obfs4proxy_bind_all_unreserved_ports',`
	corenet_sendrecv_all_server_packets(obfs4proxy_t)
	corenet_tcp_bind_all_unreserved_ports(obfs4proxy_t)
')

tunable_policy(`obfs4proxy_bind_http_ports',`
	corenet_tcp_bind_http_port(obfs4proxy_t)
')