policy_module(thin, 1.0)

########################################
#
# Declarations
#

attribute thin_domain;

thin_domain_template(thin)

type thin_log_t;
logging_log_file(thin_log_t)

type thin_var_run_t;
files_pid_file(thin_var_run_t)

thin_domain_template(thin_aeolus_configserver)

type thin_aeolus_configserver_lib_t;
files_type(thin_aeolus_configserver_lib_t)

type thin_aeolus_configserver_log_t;
logging_log_file(thin_aeolus_configserver_log_t)

type thin_aeolus_configserver_var_run_t;
files_pid_file(thin_aeolus_configserver_var_run_t)

########################################
#
# thin_domain local policy
#

allow thin_domain self:process signal;

allow thin_domain self:fifo_file rw_fifo_file_perms;
allow thin_domain self:tcp_socket create_stream_socket_perms;

# we want to stay in a new thin domain if we call thin binary from a script
# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
can_exec(thin_domain, thin_exec_t)

corecmd_exec_bin(thin_domain)
corecmd_exec_shell(thin_domain)

corenet_tcp_bind_generic_node(thin_domain)

dev_read_rand(thin_domain)
dev_read_urand(thin_domain)


auth_read_passwd(thin_domain)

miscfiles_read_certs(thin_domain)


fs_search_auto_mountpoints(thin_domain)

init_read_utmp(thin_domain)

kernel_read_kernel_sysctls(thin_domain)

optional_policy(`
	sysnet_read_config(thin_domain)
')

########################################
#
# thin local policy
#

allow thin_t self:capability { setuid kill setgid dac_override };

allow thin_t self:netlink_route_socket r_netlink_socket_perms;
allow thin_t self:udp_socket create_socket_perms;
allow thin_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(thin_t, thin_log_t, thin_log_t)
manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
logging_log_filetrans(thin_t, thin_log_t, { file dir })

manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
files_pid_filetrans(thin_t, thin_var_run_t, { file })

corenet_tcp_bind_ntop_port(thin_t)
corenet_tcp_connect_postgresql_port(thin_t)


#######################################
#
# thin aeolus configserver local policy
#

allow thin_aeolus_configserver_t self:capability { setuid setgid };

corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)

manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })

manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })

manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })