# SELinux policy module for the sshguard daemon.
# Defines the sshguard_t daemon domain and its file types, then grants that
# domain access to logs, its own config and PID files, and a transition into
# the iptables domain.
policy_module(sshguard, 0.1.6)

########################################
#
# Declarations
#

# Role attribute: every role carrying it may run sshguard_t (see the
# "role ... types" statement below).
attribute_role sshguard_roles;

# Process domain and entry-point executable type; init_daemon_domain makes
# sshguard_t a daemon domain entered from init via sshguard_exec_t.
type sshguard_t;
type sshguard_exec_t;
init_daemon_domain(sshguard_t, sshguard_exec_t)
role sshguard_roles types sshguard_t;

# Configuration files (the local policy below grants read-only access).
type sshguard_etc_t;
files_config_file(sshguard_etc_t)

# Init script that starts the daemon.
type sshguard_initrc_exec_t;
init_script_file(sshguard_initrc_exec_t)

# PID file type.
type sshguard_var_run_t;
files_pid_file(sshguard_var_run_t)

########################################
#
# Local policy
#

# Self-directed IPC and sockets. The netlink route socket gets nlmsg_read
# only (no nlmsg_write), so the domain can query but not change routing state.
allow sshguard_t self:fifo_file { getattr read write };
allow sshguard_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow sshguard_t self:udp_socket { connect create getattr read write };

# Full management of its own PID files; files it creates in the PID
# directory are labelled sshguard_var_run_t automatically.
manage_files_pattern(sshguard_t, sshguard_var_run_t, sshguard_var_run_t)
files_pid_filetrans(sshguard_t, sshguard_var_run_t, file)

# Configuration is read-only for the daemon.
read_files_pattern(sshguard_t, sshguard_etc_t, sshguard_etc_t)

# Running iptables transitions to iptables_t, so firewall changes happen
# with that domain's permissions rather than sshguard_t's.
iptables_domtrans(sshguard_t)

logging_send_syslog_msg(sshguard_t)
# NOTE(review): this grants read on every log type, not only the logs the
# daemon is configured to watch. If the monitored logs all carry one type,
# a narrower grant would be closer to least privilege - confirm against the
# deployed log labelling.
logging_read_all_logs(sshguard_t)

# NOTE(review): both interfaces execute without a domain transition, so any
# shell or generic binary the daemon spawns keeps all of sshguard_t's
# permissions (all-log read, iptables transition). The daemon processes log
# content that remote clients can influence, so this is the widest part of
# the domain - confirm which helpers are actually executed.
corecmd_exec_shell(sshguard_t)
corecmd_exec_bin(sshguard_t)

miscfiles_read_localization(sshguard_t)

# Name-service lookups and network configuration.
auth_use_nsswitch(sshguard_t)
sysnet_read_config(sshguard_t)

# NOTE(review): this rule widens iptables_t, a domain owned by another
# module, and applies to every iptables_t process on the system, not only
# those started by sshguard. Presumably added to silence denials on log file
# descriptors inherited across the transition - verify; if so, a dontaudit
# rule or closing the descriptors before exec would avoid granting real
# read access.
gen_require(`
	type iptables_t;
')
logging_read_all_logs(iptables_t)