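policy_module(atop, 0.1.25)

########################################
#
# Declarations
#

attribute_role atop_roles;

# Collector daemon: atop itself.
type atop_t;
type atop_exec_t;
init_daemon_domain(atop_t, atop_exec_t)
role atop_roles types atop_t;

# Process-accounting helper (atopacctd).
type atopacct_t;
type atopacct_exec_t;
init_daemon_domain(atopacct_t, atopacct_exec_t)

type atop_initrc_exec_t;
init_script_file(atop_initrc_exec_t)

type atopacct_initrc_exec_t;
init_script_file(atopacct_initrc_exec_t)

type atop_var_log_t;
logging_log_file(atop_var_log_t)

type atop_var_run_t;
files_pid_file(atop_var_run_t)

type atopacct_var_run_t;
files_pid_file(atopacct_var_run_t)

# Private label for atop's state created under /var (see files_var_filetrans below).
type atop_var_cache_t;
files_type(atop_var_cache_t)

type atop_unit_t;
init_unit_file(atop_unit_t)

########################################
#
# Local policy
#

# Re-exec of its own binary stays in atop_t (no domain transition).
allow atop_t atop_exec_t:file execute_no_trans;

# NOTE(review): sys_ptrace and dac_override let atop_t inspect any process
# and read files regardless of DAC ownership. This is a broad read view of
# the whole system; presumably needed for per-process counters from /proc.
# Keep this set as small as the collector actually requires — confirm each.
allow atop_t self:capability { setuid sys_nice sys_resource ipc_lock sys_pacct dac_override net_raw sys_ptrace };
allow atop_t self:process { setsched sigkill setrlimit setpgid signal };
# One rule for atop's own semaphore (was split across two statements).
allow atop_t self:sem { associate create read write unix_read unix_write };
# udp/raw sockets: create + ioctl/getopt only — presumably interface/stat ioctls, not traffic.
allow atop_t self:udp_socket { create ioctl };
allow atop_t self:rawip_socket { create getopt };
allow atop_t self:fifo_file { getattr ioctl read write };
# Semaphore shared with atopacctd.
allow atop_t atopacct_t:sem { associate read unix_write write };

manage_dirs_pattern(atop_t, atop_var_log_t, atop_var_log_t)
manage_files_pattern(atop_t, atop_var_log_t, atop_var_log_t)
logging_log_filetrans(atop_t, atop_var_log_t, file)

manage_dirs_pattern(atop_t, atop_var_cache_t, atop_var_cache_t)
manage_files_pattern(atop_t, atop_var_cache_t, atop_var_cache_t)
# Use the files interface rather than requiring var_t directly and
# hand-rolling filetrans_pattern against it; the resulting rule is the same.
files_var_filetrans(atop_t, atop_var_cache_t, { dir file lnk_file })

manage_dirs_pattern(atop_t, atop_var_run_t, atop_var_run_t)
manage_files_pattern(atop_t, atop_var_run_t, atop_var_run_t)
files_pid_filetrans(atop_t, atop_var_run_t, { dir file })

# Read-only access to atopacctd's runtime files.
read_files_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)

corecmd_exec_bin(atop_t)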
optional_policy(`
	gen_require(`
		type initrc_t;
	')

	# The semaphore may belong to the init script (initrc_t) rather than
	# to atop itself, so atop_t needs the same access on that owner's sem.
	allow atop_t initrc_t:sem { associate read unix_write write };
')

# /proc and kernel state visibility for the collector.
kernel_getattr_proc(atop_t)
kernel_search_proc(atop_t)
kernel_list_proc(atop_t)
kernel_getattr_proc_files(atop_t)
kernel_read_proc_symlinks(atop_t)
kernel_read_system_state(atop_t)
kernel_read_network_state(atop_t)
kernel_get_sysvipc_info(atop_t)
kernel_read_kernel_sysctls(atop_t)
kernel_read_rpc_sysctls(atop_t)
# NOTE(review): exposes every domain's process state to atop_t; together
# with the capability rule earlier in this module it is a broad read
# capability — presumably required for per-process counters, confirm.
domain_read_all_domains_state(atop_t)

# Filesystem / device metadata only (getattr), no content access.
fs_getattr_tmpfs(atop_t)
fs_getattr_xattr_fs(atop_t)
storage_getattr_fixed_disk_dev(atop_t)
dev_getattr_lvm_control(atop_t)
userdom_getattr_user_home_dirs(atop_t)

auth_use_nsswitch(atop_t)
miscfiles_read_localization(atop_t)
init_read_utmp(atop_t)

# Entry paths into atop_t besides the daemon binary:
# - system cron jobs running atop_exec_t transition into atop_t
# - shells are a valid entrypoint into atop_t (presumably for a wrapper
#   script launched by cron) — confirm this is still needed.
cron_system_entry(atop_t, atop_exec_t)
corecmd_shell_entry_type(atop_t)

# dac_override is granted above, so the kernel's first dac_read_search
# probe is expected to be noise only; silence it.
dontaudit atop_t self:capability dac_read_search;

########################################
#
# atopacct local policy
#

# net_admin + netlink_generic_socket: presumably the taskstats netlink
# interface for per-process accounting — confirm.
allow atopacct_t self:capability { net_admin sys_nice sys_pacct };
allow atopacct_t self:netlink_generic_socket { bind create read setopt write };
allow atopacct_t self:process { setsched signal };
allow atopacct_t self:unix_dgram_socket { connect create write };
allow atopacct_t self:sem { read unix_read };

manage_dirs_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
manage_files_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
files_pid_filetrans(atopacct_t, atopacct_var_run_t, { dir file })

kernel_read_system_state(atopacct_t)
fs_getattr_tmpfs(atopacct_t)
logging_send_syslog_msg(atopacct_t)
miscfiles_read_localization(atopacct_t)

optional_policy(`
	gen_require(`
		type initrc_t;
	')

	# Same init-script-owned semaphore case as for atop_t.
	allow atopacct_t initrc_t:sem { associate read unix_read unix_write write };
')