policy_module(samhain, 1.1.0)

########################################
#
# Declarations
#

type samhain_etc_t;
files_config_file(samhain_etc_t)

type samhain_exec_t;
corecmd_executable_file(samhain_exec_t)

type samhain_log_t;
logging_log_file(samhain_log_t)

# Filesystem signature database
type samhain_db_t;
files_type(samhain_db_t)

type samhain_initrc_exec_t;
init_script_file(samhain_initrc_exec_t)

type samhain_var_run_t;
files_pid_file(samhain_var_run_t)

# Domain for command line access
samhain_service_template(samhain)
application_domain(samhain_t, samhain_exec_t)

# Domain for samhain service started by samhain init script
samhain_service_template(samhaind)

ifdef(`enable_mcs',`
	# This is system instead of daemon to work around
	# a type transition conflict
	init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh)
')

ifdef(`enable_mls',`
	# This is system instead of daemon to work around
	# a type transition conflict
	init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
')

########################################
#
# Samhain local policy
#

manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })

domain_use_interactive_fds(samhain_t)

seutil_sigchld_newrole(samhain_t)

userdom_use_inherited_user_terminals(samhain_t)

########################################
#
# Samhaind local policy
#

# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t
# Need signull to get the status of samhain_t
allow samhaind_t { samhain_t self }:process signal_perms;

# Only needed when starting samhain daemon from its init script.
can_exec(samhaind_t, samhain_exec_t)

read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)

# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys(samhaind_t)