
ladvd-selinux-0.9.2-1.fc14.x86_64.rpm

# SELinux policy module "ladvd", version 1.0.0: confines the ladvd daemon
# in its own domain (ladvd_t).
policy_module(ladvd,1.0.0)

# Symbols this module references in its allow rules. The permission sets
# listed per class mirror exactly what the raw allow rules in this module use.
# NOTE(review): ladvd_t is required here, yet the module also declares it
# itself (`type ladvd_t;` in the Declarations section). A require block is
# normally for externally defined symbols only; confirm the policy toolchain
# accepts this and consider dropping the entry.
require {
	type net_conf_t;
	type sysctl_net_t;
	type var_run_t;
	type ladvd_t;
	type sysfs_t;
	type sysctl_t;
	# Capabilities granted to the daemon; net_raw is the one that permits
	# raw/packet socket use.
	class capability { setuid net_raw setgid };
	class file { write getattr read lock create };
	# nlmsg_read only: no nlmsg_write is requested for the routing socket.
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class packet_socket { write create };
	class lnk_file read;
	class udp_socket { create ioctl };
	class dir { write search add_name getattr };
}

########################################
#
# Declarations
#

# Process domain for the running daemon and the type for its executable.
# init_daemon_domain() sets up ladvd_t as a daemon domain started from init,
# with ladvd_exec_t as the entry point that triggers the transition.
# NOTE(review): the file-context entries that label the binary as
# ladvd_exec_t are not part of this file; without them the daemon would not
# transition into ladvd_t — confirm against the package's .fc file.
type ladvd_t;
type ladvd_exec_t;
init_daemon_domain(ladvd_t, ladvd_exec_t)

# Separate type for the init script that starts the daemon.
type ladvd_script_exec_t;
init_script_file(ladvd_script_exec_t)

########################################
#
# ladvd local policy
#

# Init script handling
# Lets the daemon use interactive file descriptors inherited from its starter.
domain_use_interactive_fds(ladvd_t)

# internal communication is often done using fifo and unix sockets.
# Both rules are scoped to "self", i.e. objects labelled ladvd_t only.
allow ladvd_t self:fifo_file rw_file_perms;
allow ladvd_t self:unix_stream_socket create_stream_socket_perms;

# Baseline access: read generic /etc files.
files_read_etc_files(ladvd_t)

# Baseline access: dynamic loader and shared libraries.
libs_use_ld_so(ladvd_t)
libs_use_shared_libs(ladvd_t)

# Baseline access: locale data.
miscfiles_read_localization(ladvd_t)

# Baseline access: send messages to syslog.
logging_send_syslog_msg(ladvd_t)


# Raw allow rules follow; the fixed permission lists look like they were
# derived from observed denials — TODO confirm.
# NOTE(review): none of the file rules below include `open`. On policies with
# the open_perms capability enabled that permission is checked separately, so
# these rules may not be sufficient on their own — verify against audit logs.

# Read-only access to network configuration files (net_conf_t).
allow ladvd_t net_conf_t:file { read getattr };
# net_raw backs the packet socket below; setuid/setgid are presumably used to
# drop privileges after start-up — confirm against the daemon's source.
allow ladvd_t self:capability { setuid net_raw setgid };
# Routing netlink socket limited to queries: nlmsg_read is granted,
# nlmsg_write is not, so the domain cannot change routes or interfaces.
allow ladvd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
# Packet socket may be created and written to; read and bind are not granted.
allow ladvd_t self:packet_socket { write create };
# UDP socket limited to create + ioctl (no bind/connect/send/receive);
# presumably used only for interface ioctls — TODO confirm.
allow ladvd_t self:udp_socket { create ioctl };
# Read-only view of network sysctls and sysfs entries.
allow ladvd_t sysctl_net_t:dir search;
allow ladvd_t sysctl_net_t:file read;
allow ladvd_t sysctl_t:dir search;
allow ladvd_t sysfs_t:dir { search getattr };
allow ladvd_t sysfs_t:file { read getattr };
allow ladvd_t sysfs_t:lnk_file read;
# NOTE(review): least-privilege gap. These two rules grant create/write/lock
# on the generic var_run_t type, so the domain can write to any file with that
# label, not just its own PID file. The usual hardening is a private type
# (e.g. ladvd_var_run_t declared with files_pid_file() and reached through
# files_pid_filetrans()), together with a matching file-context entry; that
# change needs the package's .fc file, which is not visible here.
allow ladvd_t var_run_t:dir { write add_name };
allow ladvd_t var_run_t:file { write lock create };