policy_module(mcelog, 1.1.0)

########################################
#
# Declarations
#

type mcelog_t;
type mcelog_exec_t;
init_system_domain(mcelog_t, mcelog_exec_t)
application_domain(mcelog_t, mcelog_exec_t)

type mcelog_var_run_t;
files_pid_file(mcelog_var_run_t)

type mcelog_log_t;
logging_log_file(mcelog_log_t)

########################################
#
# mcelog local policy
#

allow mcelog_t self:capability sys_admin;

manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })

manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )

kernel_read_system_state(mcelog_t)

corecmd_exec_shell(mcelog_t)
corecmd_exec_bin(mcelog_t)

dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
dev_rw_sysfs(mcelog_t)

files_read_etc_files(mcelog_t)

# for /dev/mem access
mls_file_read_all_levels(mcelog_t)

auth_read_passwd(mcelog_t)

logging_send_syslog_msg(mcelog_t)

optional_policy(`
	cron_system_entry(mcelog_t, mcelog_exec_t)
')