policy_module(spreed-webrtc, 0.1.4)

########################################
#
# Declarations
#

attribute_role spreed_roles;

type spreed_t;
type spreed_exec_t;
init_daemon_domain(spreed_t, spreed_exec_t)

type spreed_opt_t;
files_type(spreed_opt_t)

type spreed_etc_t;
files_config_file(spreed_etc_t)

########################################
#
# Local policy
#
allow spreed_t self:process getsched;
allow spreed_t self:tcp_socket { getattr setopt bind create accept listen read write };


read_files_pattern(spreed_t, spreed_opt_t, spreed_opt_t)
search_dirs_pattern(spreed_t, spreed_opt_t, spreed_opt_t)
list_dirs_pattern(spreed_t, spreed_opt_t, spreed_opt_t)

read_files_pattern(spreed_t, spreed_etc_t, spreed_etc_t)

apache_read_sys_content(spreed_t)

corenet_tcp_bind_http_cache_port(spreed_t)
corenet_tcp_bind_generic_node(spreed_t)

miscfiles_read_localization(spreed_t)

kernel_read_net_sysctls(spreed_t)
files_read_etc_files(spreed_t)

dev_read_urand(spreed_t)

optional_policy(`
  gen_require(`
    type supervisor_t;
  ')
  supervisor_service_domain(spreed_t,spreed_exec_t)
  allow supervisor_t spreed_opt_t:dir search;
')