policy_module(laurel, 1.0.0)

type laurel_t;
type laurel_exec_t;
type laurel_etc_t;
type laurel_log_t;

# The line below should be removed if no "avc: denied { … }" are
# logged by auditd after laurel has been activated.
permissive laurel_t;

init_daemon_domain(laurel_t, laurel_exec_t)

# Transition auditd (auditd 3+) -> laurel
ifdef(`audit3',`
	gen_require(`type auditd_t;')

	allow auditd_t laurel_exec_t:file { getattr open read execute entrypoint };
	type_transition auditd_t laurel_exec_t:process laurel_t;
	allow auditd_t auditd_t:capability kill;
	allow auditd_t laurel_t:process { transition signal };
')

# Transition audispd (auditd 2.x) -> laurel
ifdef(`audit2',`
	gen_require(`type audisp_t;')

	allow audisp_t laurel_exec_t:file { getattr open read execute entrypoint };
	type_transition audisp_t laurel_exec_t:process laurel_t;
	allow audisp_t audisp_t:capability kill;
	allow audisp_t laurel_t:process { transition signal };
')

# Set / retain capabilities
allow laurel_t self:process { getcap setcap };
# Set permissions at initialization time
allow laurel_t self:capability { chown fowner fsetid setuid setgid };
# Inspect process environments, override UNIX read permissions
allow laurel_t self:capability { sys_ptrace dac_read_search };

# Write to Syslog
logging_send_syslog_msg(laurel_t)

# Read from /proc
domain_read_all_domains_state(laurel_t)
list_dirs_pattern(laurel_t, proc_t, proc_t);

# stat() for every file (for enrich.script)
files_getattr_all_files(laurel_t)

# Access local user database
ifdef(`distro_debian',`
	gen_require(`type etc_t;')
	allow laurel_t etc_t:file { open read };
	ifdef(`systemd_stream_connect_userdb',`
		systemd_stream_connect_userdb(laurel_t)
	')
	ifdef(`systemd_connect_machined',`
		systemd_connect_machined(laurel_t)
	')
')

ifdef(`distro_redhat',`
	gen_require(`type passwd_file_t;')
	allow laurel_t passwd_file_t:file { open read };
	ifdef(`systemd_userdbd_stream_connect',`
		systemd_userdbd_stream_connect(laurel_t)
	')
	ifdef(`systemd_machined_stream_connect',`
		systemd_machined_stream_connect(laurel_t)
	')
')

# Access user database via SSSD
sssd_read_public_files(laurel_t)
sssd_stream_connect(laurel_t)

# Read config files
read_files_pattern(laurel_t, laurel_etc_t, laurel_etc_t)

# Write/rotate log files
manage_dirs_pattern(laurel_t, laurel_log_t, laurel_log_t)
manage_files_pattern(laurel_t, laurel_log_t, laurel_log_t)
manage_lnk_files_pattern(laurel_t, laurel_log_t, laurel_log_t)
setattr_files_pattern(laurel_t, laurel_log_t, laurel_log_t)

# Mark config, log files
files_config_file(laurel_etc_t)
logging_log_file(laurel_log_t)

# Create log directory with specified label
logging_log_filetrans(laurel_t, laurel_log_t, dir)