# Local add-on module that extends the confined jabberd_t domain.
# Every rule from the original single-line listing is kept token-for-token;
# rules are regrouped by purpose and annotated.
policy_module(jabber_additional, 0.0.6)

# Types declared by other modules and referenced below.
# NOTE(review): jabberd_var_lib_t is required but no rule visible in this
# listing references it - confirm it is still needed.
require {
	type jabberd_t;
	type jabberd_var_lib_t;
	type faillog_t;
	type initrc_runtime_t;
}

########################################
# Declarations
#

# Type handed to init_unit_file; presumably labels the service unit file
# via a file-context entry that is not part of this listing.
type jabber_unit_t;
init_unit_file(jabber_unit_t)

# Private cache type for the daemon.
type jabberd_var_cache_t;
files_type(jabberd_var_cache_t)

########################################
# Process attributes and capabilities
#

allow jabberd_t self:process { getsched setsched };

# NOTE(review): dac_read_search, chown and fowner let the daemon bypass
# ordinary file ownership and permission checks, and setuid/setgid let it
# change identity. Confirm each capability against observed AVC denials and
# drop the ones that are not required.
allow jabberd_t self:capability { dac_read_search setgid setuid chown fowner };

kernel_read_vm_overcommit_sysctl(jabberd_t)
selinux_compute_access_vector(jabberd_t)

########################################
# Cache, spool, tmp and runtime files
#

manage_dirs_pattern(jabberd_t, jabberd_var_cache_t, jabberd_var_cache_t)
manage_files_pattern(jabberd_t, jabberd_var_cache_t, jabberd_var_cache_t)

# NOTE(review): the parent type and the resulting type are both
# jabberd_var_cache_t. New objects already take the label of their parent
# directory by default, so this rule looks redundant; a transition from the
# parent cache directory type may have been intended - confirm.
type_transition jabberd_t jabberd_var_cache_t:{ file dir } jabberd_var_cache_t;

files_search_spool(jabberd_t)
files_read_generic_tmp_files(jabberd_t)

# Read-only access with locking to an init runtime file
# (presumably utmp - verify against the file contexts in use).
allow jabberd_t initrc_runtime_t:file { lock open read };

miscfiles_read_generic_certs(jabberd_t)

########################################
# Command execution
#

# NOTE(review): both interfaces execute the binary inside jabberd_t with no
# domain transition, so anything that can steer the daemon into spawning a
# shell or su runs with every permission granted in this module. Confirm
# both are needed by the service start-up or its external auth scripts.
corecmd_exec_shell(jabberd_t)
su_exec(jabberd_t)

########################################
# Authentication
#

# Password checks through the chk_passwd helper, which runs in its own domain.
auth_domtrans_chk_passwd(jabberd_t)

# NOTE(review): direct read of the shadow file exposes password hashes to a
# network-facing daemon. The helper transition above normally makes this
# unnecessary - confirm and remove if the helper path is sufficient.
auth_read_shadow(jabberd_t)

# NOTE(review): the two manage patterns also allow creating and deleting
# faillog_t files and directories, which goes beyond the read/write access
# given by auth_rw_faillog. Failed-login records are audit evidence; confirm
# that create/unlink is required, otherwise keep only auth_rw_faillog.
auth_rw_faillog(jabberd_t)
manage_dirs_pattern(jabberd_t, faillog_t, faillog_t)
manage_files_pattern(jabberd_t, faillog_t, faillog_t)

########################################
# Network
#

# epmd port: bind and connect (suggests an Erlang-based server - TODO confirm).
corenet_tcp_bind_epmd_port(jabberd_t)
corenet_tcp_connect_epmd_port(jabberd_t)

# Outbound LDAP, presumably for directory-backed authentication.
corenet_tcp_connect_ldap_port(jabberd_t)

# NOTE(review): bind and connect on every unreserved port is very broad for
# an internet-facing service. If the port range the daemon uses can be
# pinned in its configuration, label that range with a dedicated port type
# and replace these three rules with rules scoped to that type.
corenet_tcp_bind_all_unreserved_ports(jabberd_t)
corenet_udp_bind_all_unreserved_ports(jabberd_t)
corenet_tcp_connect_all_unreserved_ports(jabberd_t)