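policy_module(sau, 0.2)

########################################
#
# External types and roles used directly by this module.
#
# etc_t and initrc_state_t appear in raw rules / pattern macros below
# (not through an interface that requires them itself), so they are
# listed here so that a modular build can resolve them.
#
gen_require(`
	type system_cronjob_t;
	type sysadm_t;
	type etc_t;
	type initrc_state_t;
	role sysadm_r;
	role system_r;
')

########################################
#
# Declarations
#

# Process domain, its entry-point executable label and its config label.
type sau_t;
type sau_exec_t;
type sau_config_t;

domain_type(sau_t)
domain_entry_file(sau_t, sau_exec_t)
files_config_file(sau_config_t)

role sysadm_r types sau_t;
role system_r types sau_t;

########################################
#
# Domain transitions
#

# sau_t is entered only by executing a sau_exec_t file from the sysadm
# domain or from a system cron job.
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)

########################################
#
# Local policy
#

# Read-only access to sau_config_t files located under etc_t directories.
read_files_pattern(sau_t, etc_t, sau_config_t)

# Terminal and inherited file descriptor use.
# NOTE(review): userdom_use_all_users_fds covers every user domain, while
# the only user-side transition declared above is from sysadm_t; confirm
# the wider grant is needed.
domain_use_interactive_fds(sau_t)
userdom_use_user_ptys(sau_t)
userdom_use_all_users_fds(sau_t)

# required for python
corecmd_mmap_bin_files(sau_t)

# Process inspection: system state plus the state of all domains.
# NOTE(review): sys_ptrace together with domain_read_all_domains_state is
# a broad grant; presumably it is only needed to inspect other processes
# through /proc. Confirm it is still required before keeping it.
kernel_read_system_state(sau_t)
domain_read_all_domains_state(sau_t)
allow sau_t self:capability sys_ptrace;

# Init script handling: start/stop services and transition into the
# init script domains.
init_startstop_all_script_services(sau_t)
init_all_labeled_script_domtrans(sau_t)
init_use_script_ptys(sau_t)
init_domtrans_script(sau_t)
init_domtrans_labeled_script(sau_t)
init_manage_script_service(sau_t)
init_read_script_status_files(sau_t)

# Read-only traversal of init script state (directories and symlinks).
allow sau_t initrc_state_t:lnk_file { getattr read };
allow sau_t initrc_state_t:dir { search read };

miscfiles_read_localization(sau_t)
logging_send_syslog_msg(sau_t)

# Pipes to the domain's own children, and execution of shells and
# generic binaries without leaving sau_t.
allow sau_t self:fifo_file { read write };
corecmd_exec_shell(sau_t)
corecmd_exec_bin(sau_t)

# Gentoo specific
portage_domtrans(sau_t)

# Silence audit records for getattr/ioctl on the domain's own pipes;
# only read and write are granted above.
dontaudit sau_t self:fifo_file { getattr ioctl };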