policy_module(myipsec, 1.0)

# Types owned by the stock ipsec module; this module extends them rather
# than declaring them.
gen_require(`
	type ipsec_t, ipsec_exec_t;
	type ipsec_mgmt_t, ipsec_mgmt_exec_t;
	type ipsec_conf_file_t, ipsec_key_file_t, ipsec_var_run_t;
')

########################################
#
# Declarations
#

# Supervisor daemon domain and the entrypoint type of its executable.
type ipsec_supervisor_t;
type ipsec_supervisor_exec_t;
# Started from init: exec of ipsec_supervisor_exec_t transitions into the domain.
init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
# Kept explicit for readability; init_daemon_domain() is expected to
# authorize system_r for this domain as well.
role system_r types ipsec_supervisor_t;

########################################
#
# ipsec_t policy (additions to the stock domain)
#

# Change file ownership and switch uid/gid.
allow ipsec_t self:capability { chown setgid setuid };
allow ipsec_t self:fifo_file rw_fifo_file_perms;
# Routing netlink, including writes (route/interface changes).
allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_write };
kernel_rw_net_sysctls(ipsec_t);

########################################
#
# ipsec_mgmt_t policy
#

# The management domain launches and signals the supervisor.
domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };

########################################
#
# ipsec_supervisor_t policy
#

# dac_override bypasses DAC permission checks entirely and is broader than
# dac_read_search; NOTE(review): confirm both are actually required.
allow ipsec_supervisor_t self:capability { net_admin dac_read_search dac_override kill };
allow ipsec_supervisor_t self:process { signal };
allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
# Routing netlink (with writes) and the xfrm netlink socket used for IPsec SA/SP setup.
allow ipsec_supervisor_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_write };
allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;

# Read-only access to the configuration tree.
allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);

# Full create/write/delete on key material; this is the most sensitive
# grant in the module.
manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)

# Launch, signal and talk to the ipsec daemon over its unix socket.
domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
allow ipsec_supervisor_t ipsec_t:process { signal };
allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };

# Runtime state under the pid directory: the socket plus any dirs/files,
# with new entries created there labelled ipsec_var_run_t.
allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })

kernel_read_network_state(ipsec_supervisor_t)
kernel_read_system_state(ipsec_supervisor_t)
kernel_rw_net_sysctls(ipsec_supervisor_t);

# Runs generic binaries and a shell. A shell in a net_admin/dac_override
# domain widens what a compromised supervisor could do; NOTE(review):
# confirm a shell is really needed rather than specific helpers.
corecmd_exec_bin(ipsec_supervisor_t);
corecmd_exec_shell(ipsec_supervisor_t)

dev_read_rand(ipsec_supervisor_t);
dev_read_urand(ipsec_supervisor_t);

files_read_etc_files(ipsec_supervisor_t);

logging_send_syslog_msg(ipsec_supervisor_t);

miscfiles_read_localization(ipsec_supervisor_t);

# Transition into the insmod domain (kernel module loading); only in effect
# when the modutils module is loaded.
optional_policy(`
	modutils_domtrans_insmod(ipsec_supervisor_t)
')