policy_module(janus, 0.0.5)

########################################
#
# Declarations
#

type janus_t;
type janus_exec_t;
init_daemon_domain(janus_t, janus_exec_t)

type janus_var_log_t;
logging_log_file(janus_var_log_t)

type janus_local_etc_t;
files_config_file(janus_local_etc_t)

type janus_local_share_t;
files_type(janus_local_share_t)

allow janus_t self:fifo_file { read write };
allow janus_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow janus_t self:process { getsched setsched };
allow janus_t self:rawip_socket create;
allow janus_t self:tcp_socket { accept bind create getattr listen read setopt shutdown write };
allow janus_t self:udp_socket { bind connect create getattr ioctl read setopt write };
allow janus_t self:unix_dgram_socket { create ioctl };


manage_dirs_pattern(janus_t, janus_var_log_t, janus_var_log_t)
manage_files_pattern(janus_t, janus_var_log_t, janus_var_log_t)
logging_log_filetrans(janus_t, janus_var_log_t, file)

read_files_pattern(janus_t, janus_local_etc_t, janus_local_etc_t)
search_dirs_pattern(janus_t, janus_local_etc_t, janus_local_etc_t)

read_files_pattern(janus_t, janus_local_share_t, janus_local_share_t)
allow janus_t janus_local_share_t:dir read;
search_dirs_pattern(janus_t, janus_local_share_t, janus_local_share_t)

auth_use_nsswitch(janus_t)

miscfiles_read_localization(janus_t)
miscfiles_read_all_certs(janus_t)

sysnet_read_config(janus_t)

corenet_tcp_bind_generic_node(janus_t)
corenet_udp_bind_generic_node(janus_t)
corenet_tcp_bind_all_unreserved_ports(janus_t)
corenet_udp_bind_all_unreserved_ports(janus_t)

kernel_read_network_state(janus_t)
kernel_read_vm_overcommit_sysctl(janus_t)
kernel_read_system_state(janus_t)

dev_read_urand(janus_t)

optional_policy(`
  gen_require(`
    type supervisor_t;
  ')
  supervisor_service_domain(janus_t,janus_exec_t)
')