policy_module(certwatch, 1.7.0)

########################################
#
# Declarations
#

type certwatch_t;
type certwatch_exec_t;
application_domain(certwatch_t, certwatch_exec_t)
role system_r types certwatch_t;

########################################
#
# Local policy
#
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };

dev_read_urand(certwatch_t)

files_read_etc_files(certwatch_t)
files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)

fs_list_inotifyfs(certwatch_t)

auth_manage_cache(certwatch_t)
auth_read_passwd(certwatch_t)
auth_var_filetrans_cache(certwatch_t)

logging_send_syslog_msg(certwatch_t)

miscfiles_read_all_certs(certwatch_t)

userdom_use_inherited_user_terminals(certwatch_t)
userdom_dontaudit_list_admin_dir(certwatch_t)

optional_policy(`
	apache_exec_modules(certwatch_t)
	apache_read_config(certwatch_t)
')

optional_policy(`
	cron_system_entry(certwatch_t, certwatch_exec_t)
')

optional_policy(`
	pcscd_domtrans(certwatch_t)
	pcscd_stream_connect(certwatch_t)
	pcscd_read_pub_files(certwatch_t)
')