policy_module(realmd, 1.0.0)

########################################
#
# Declarations
#

# realmd_t is the process domain and realmd_exec_t labels the realmd binary.
# application_domain() ties the two together as an entry point. Daemon or
# D-Bus activation is only set up in the optional dbus block further down.
type realmd_t;
type realmd_exec_t;
application_domain(realmd_t, realmd_exec_t)
role system_r types realmd_t;

########################################
#
# realmd local policy
#

# Scheduling: CAP_SYS_NICE plus setsched on its own process.
allow realmd_t self:capability sys_nice;
allow realmd_t self:process setsched;

kernel_read_system_state(realmd_t)

# NOTE(review): both interfaces execute generic binaries and shells in the
# caller domain, with no transition. Any helper or script started this way
# keeps every permission granted to realmd_t in this module, including the
# keytab and identity-service configuration access below. Prefer a
# *_domtrans interface for each specific helper where one exists.
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)

# Outbound TCP connections to ports labeled as HTTP.
corenet_tcp_connect_http_port(realmd_t)

domain_use_interactive_fds(realmd_t)

# Kernel random number devices (read only).
dev_read_rand(realmd_t)
dev_read_urand(realmd_t)

fs_getattr_all_fs(realmd_t)

# Name service lookups, syslog and DNS resolution.
auth_use_nsswitch(realmd_t)

logging_send_syslog_msg(realmd_t)

sysnet_dns_name_resolve(realmd_t)

# systemctl is executed in realmd_t itself. The per-service *_systemctl
# interfaces in the optional blocks below decide which units it may act on.
systemd_exec_systemctl(realmd_t)

# Disabled file transition rules, kept as found. Cache directory access
# appears to be granted through the optional gnome block instead - TODO confirm.
#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")

optional_policy(`
	# authconfig runs in its own domain rather than in realmd_t.
	authconfig_domtrans(realmd_t)
')

optional_policy(`
	# System bus service domain, plus the two peers realmd may talk to.
	dbus_system_domain(realmd_t, realmd_exec_t)

	optional_policy(`
		networkmanager_dbus_chat(realmd_t)
	')

	optional_policy(`
		policykit_dbus_chat(realmd_t)
	')
')

optional_policy(`
	hostname_exec(realmd_t)
')

optional_policy(`
	# NOTE(review): read and write access to Kerberos keytab files. A keytab
	# holds long-term host or service keys, so this is one of the most
	# sensitive grants in the module. Combined with the in-domain shell and
	# bin execution above, it extends to every helper realmd_t launches.
	kerberos_use(realmd_t)
	kerberos_rw_keytab(realmd_t)
')

optional_policy(`
	nis_exec_ypbind(realmd_t)
	nis_systemctl_ypbind(realmd_t)
')

optional_policy(`
	# GNOME configuration and cache files, including management of the
	# cache home directory.
	gnome_read_config(realmd_t)
	gnome_read_generic_cache_files(realmd_t)
	gnome_write_generic_cache_files(realmd_t)
	gnome_manage_cache_home_dir(realmd_t)
')

optional_policy(`
	# The samba net tool transitions to its own domain. Samba configuration
	# is managed (created, modified, removed) directly from realmd_t.
	samba_domtrans_net(realmd_t)
	samba_manage_config(realmd_t)
	samba_getattr_winbind(realmd_t)
')

optional_policy(`
	# NOTE(review): manage-level access to SSSD configuration, library and
	# public files. These files steer authentication and identity lookups
	# for the host, so audit denials and changes here deserve attention.
	sssd_getattr_exec(realmd_t)
	sssd_manage_config(realmd_t)
	sssd_manage_lib_files(realmd_t)
	sssd_manage_public_files(realmd_t)
	sssd_read_pid_files(realmd_t)
	sssd_systemctl(realmd_t)
')

optional_policy(`
	xserver_read_state_xdm(realmd_t)
')