# cryptobone 1.1.0 -- SELinux type-enforcement (.te) policy module.
#
# Layout: a require block importing the types and object classes the rules
# refer to, then one block of unconditional allow rules per source domain.
# The "#=====" section markers and the "#!!!!" note below are the format
# audit2allow emits, so this module appears to have been generated from
# logged AVC denials rather than designed around the service's needs.
#
# NOTE(review): every rule in the first section has init_t as its source,
# i.e. the service presumably runs in PID 1's domain with no transition to
# a domain of its own -- verify with `ps -Z`.  Anything granted to init_t
# here is granted to every process in that domain, not only to cryptobone;
# a dedicated domain with a type transition from the service's executable
# would confine the same accesses to that one program.
module cryptobone 1.1.0;

# Types and classes imported from the base policy.  Observations:
#   - type etc_t is required but no rule below references it;
#   - permission relabelto (dir and file) and search (dir) are required but
#     unused by any rule.
# Unused requires are harmless but are a sign of leftover entries.
require {
    type lib_t;
    type lpr_exec_t;
    type unlabeled_t;
    type tmp_t;
    type tmpfs_t;
    type debugfs_t;
    type user_tmp_t;
    type init_t;
    type init_tmp_t;
    type ssh_port_t;
    type ssh_home_t;
    type ssh_exec_t;
    type ssh_agent_exec_t;
    type admin_home_t;
    type fetchmail_t;
    type fetchmail_home_t;
    type etc_t;
    class perf_event { cpu kernel open read tracepoint write };
    class dir { add_name remove_name write relabelto open getattr search};
    class file { append create ioctl execute execute_no_trans getattr open read setattr write relabelto };
    class sock_file { create unlink read write};
    class tcp_socket name_connect;
    class capability { dac_override dac_read_search };
    class rawip_socket create;
}

#============= init_t ==============

# audit2allow marks this rule as already permitted by the loaded policy, so
# it is redundant here and can be dropped without changing the result.
# admin_home_t is the type of files under the root user's home directory.
#!!!! This avc is allowed in the current policy
allow init_t admin_home_t:file { append create open ioctl write read };

# Lets init_t open kernel/CPU perf events and tracepoints -- a kernel
# tracing capability.  NOTE(review): confirm the service actually needs
# this; a single logged denial is enough for audit2allow to emit it.
allow init_t self:perf_event { cpu kernel open read tracepoint write };

# Directory-entry changes under system library locations (lib_t).  The two
# rules target the same type/class and could be one
# `allow init_t lib_t:dir { write add_name remove_name };`.
allow init_t lib_t:dir write;
allow init_t lib_t:dir { add_name remove_name };

# Creating entries and writing files under debugfs.
allow init_t debugfs_t:dir { add_name remove_name };
allow init_t debugfs_t:file { append create open ioctl write read };

# NOTE(review): widest grant in the module.  init_t may create files that
# carry no label (unlabeled_t), make them executable (setattr) and then
# execute them with execute_no_trans, so the executed code runs as init_t.
# Giving those files a proper type via file contexts would remove the need
# for this rule; keep it only if the unlabeled files are genuinely expected.
allow init_t unlabeled_t:dir { add_name write };
allow init_t unlabeled_t:file { create write execute execute_no_trans setattr };

# Modifying library files themselves (create/append/setattr on lib_t).
allow init_t lib_t:file { append create write setattr };

# A unix socket created and removed under a lib_t path.  A runtime-state
# type would be the usual place for a socket; hedge -- this depends on
# where the service keeps its socket.
allow init_t lib_t:sock_file { create unlink read write };

# Runs the print client binary in init_t (execute_no_trans) instead of
# transitioning to the domain the base policy provides for lpr_exec_t.
allow init_t lpr_exec_t:file { execute execute_no_trans open read };

# ssh-agent and the ssh client also run inside init_t rather than in their
# own domains, and init_t may connect out to the SSH port.
allow init_t ssh_agent_exec_t:file { execute execute_no_trans getattr open read };
allow init_t ssh_exec_t:file { execute execute_no_trans getattr open read };
allow init_t ssh_port_t:tcp_socket name_connect;

# Read access to ssh_home_t (~/.ssh contents), which may include private
# key material -- presumably needed by the ssh client above; confirm.
allow init_t ssh_home_t:file { getattr open read };

# Creating and appending to files of the user temporary-file type.
allow init_t user_tmp_t:file { append create open write getattr setattr };

# Raw IP sockets from init_t.  NOTE(review): verify which component needs
# raw sockets; this is unusual for an init-level domain.
allow init_t self:rawip_socket create;

#============= fetchmail_t ==============

# fetchmail writing files and directory entries in user /tmp, generic /tmp
# and the root home directory (admin_home_t).
allow fetchmail_t user_tmp_t:file { append create open read write getattr setattr ioctl };
allow fetchmail_t user_tmp_t:dir { add_name remove_name write open getattr };
allow fetchmail_t tmp_t:file { create open read write getattr setattr ioctl };
allow fetchmail_t tmp_t:dir { add_name remove_name write open getattr };

# Read-only access to files init created under its tmp type.
allow fetchmail_t init_tmp_t:file { open read getattr ioctl };
allow fetchmail_t admin_home_t:file { create open read write getattr setattr ioctl };
allow fetchmail_t admin_home_t:dir { add_name remove_name write open getattr };

# NOTE(review): dac_override / dac_read_search let fetchmail bypass
# ownership and mode checks on every file it touches.  This is usually a
# symptom of files owned by a different UID than the process; fixing the
# ownership is the safer remedy than granting the capabilities.
allow fetchmail_t self:capability { dac_override dac_read_search };

# Write to an existing tmpfs-backed file (no create/open granted here).
allow fetchmail_t tmpfs_t:file write;

#============= fetchmail_home_t ==============

# NOTE(review): fetchmail_home_t is a file type (fetchmail's home-dir
# contents).  Rules with it as the *source* only take effect if a process
# is actually running with that label, which would point to a labeling or
# transition problem rather than a missing rule.  These four rules also
# mirror the fetchmail_t rules above; confirm a process carries this label
# (`ps -Z`) before keeping them.
allow fetchmail_home_t user_tmp_t:file { append create open read write getattr setattr ioctl };
allow fetchmail_home_t user_tmp_t:dir { add_name remove_name write open getattr };
allow fetchmail_home_t tmp_t:file { create open read write getattr setattr ioctl };
allow fetchmail_home_t tmp_t:dir { add_name remove_name write open getattr };