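policy_module(apticron, 0.1.8)

########################################
#
# Declarations
#

# Roles permitted to reach the apticron domain (used by dpkg_run below).
attribute_role apticron_roles;

# The apticron job domain and the entrypoint type of its executable.
type apticron_t;
type apticron_exec_t;
init_system_domain(apticron_t, apticron_exec_t)
role apticron_roles types apticron_t;

# Persistent state under /var/lib.
type apticron_var_lib_t;
files_type(apticron_var_lib_t)

# Scratch files created under /tmp.
type apticron_tmp_t;
files_tmp_file(apticron_tmp_t)

# apticron's own configuration files.
type apticron_etc_t;
files_config_file(apticron_etc_t)

########################################
#
# Local policy
#

# Types owned by other modules that this policy references with raw allow
# rules rather than through interfaces. Declared once, before use. apt and
# dpkg are hard requirements of this module (apt_domtrans and dpkg_run below
# are unconditional), so their types are required unconditionally as well.
# cron is optional and is handled in the optional_policy block at the end.
# NOTE(review): if this policy tree provides read interfaces for the apt
# cache/db and the dpkg db, prefer those over the raw rules further down.
gen_require(`
	type apt_var_cache_t;
	type apt_var_lib_t;
	type dpkg_var_lib_t;
')

allow apticron_t self:fifo_file { read write ioctl getattr };
# NOTE(review): setgid lets the job change its group identity; confirm which
# step of the apticron script needs this before keeping it.
allow apticron_t self:capability setgid;
allow apticron_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow apticron_t self:process getsched;
allow apticron_t self:tcp_socket { read write create connect };
allow apticron_t self:udp_socket { create connect getattr };

# Scratch files and directories in /tmp, labelled apticron_tmp_t on creation.
manage_files_pattern(apticron_t, apticron_tmp_t, apticron_tmp_t)
manage_dirs_pattern(apticron_t, apticron_tmp_t, apticron_tmp_t)
files_tmp_filetrans(apticron_t, apticron_tmp_t, { file dir })

# Persistent state files in /var/lib, labelled apticron_var_lib_t on creation.
manage_files_pattern(apticron_t, apticron_var_lib_t, apticron_var_lib_t)
files_var_lib_filetrans(apticron_t, apticron_var_lib_t, file)

# Own configuration is read-only.
read_files_pattern(apticron_t, apticron_etc_t, apticron_etc_t)

# Helpers the script executes in their own domains.
apt_domtrans(apticron_t)
dpkg_run(apticron_t, apticron_roles)
hostname_domtrans(apticron_t)
sysnet_domtrans_ifconfig(apticron_t)

corecmd_exec_shell(apticron_t)
corecmd_exec_bin(apticron_t)

miscfiles_read_localization(apticron_t)
kernel_read_system_state(apticron_t)
fs_getattr_xattr_fs(apticron_t)
dev_read_urand(apticron_t)
sysnet_read_config(apticron_t)

# Generic reads of /etc and /usr through the files interfaces instead of raw
# rules on etc_t/usr_t. The interfaces also grant directory listing and
# symlink reads, which the raw file-only rules lacked.
files_read_etc_files(apticron_t)
files_read_usr_files(apticron_t)

# Outbound SMTP for delivering the update report.
corenet_tcp_connect_smtp_port(apticron_t)

# apt package cache plus the apt and dpkg databases, read-only.
# NOTE(review): `write` on apt_var_cache_t:dir without add_name/remove_name
# cannot create or delete entries and looks like an audit-driven artefact.
# Either add the missing permission if apticron genuinely writes there, or
# drop `write`; it is kept as-is here to preserve the original grant.
allow apticron_t apt_var_cache_t:dir { write read getattr open search };
allow apticron_t apt_var_cache_t:file { read getattr open };
allow apticron_t apt_var_lib_t:dir { read open search };
allow apticron_t apt_var_lib_t:file { read ioctl open getattr };
allow apticron_t dpkg_var_lib_t:dir { read search open };
allow apticron_t dpkg_var_lib_t:file { read getattr open };

# cron integration. The crond_tmp_t access (presumably the job's redirected
# output) now lives in the same optional block as cron_system_entry, so the
# module still loads when the cron module is absent; previously the
# crond_tmp_t require was unconditional while cron_system_entry was optional.
optional_policy(`
	gen_require(`
		type crond_tmp_t;
	')

	cron_system_entry(apticron_t, apticron_exec_t)
	allow apticron_t crond_tmp_t:file { read write getattr ioctl };
')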