# SELinux reference-policy module confining the IPA kpasswd daemon
# (domain ipa_kpasswd_t). Declares the domain, its executable, pid-file
# and cache types, then grants the file, network and Kerberos access
# the daemon runs with.
policy_module(ipa_kpasswd, 1.0)

########################################
#
# Declarations
#

# Process domain for the daemon.
type ipa_kpasswd_t;
# Entry-point executable; a process transitions into ipa_kpasswd_t via init.
type ipa_kpasswd_exec_t;
# Label for the daemon's pid file under /var/run.
type ipa_kpasswd_var_run_t;
# Label for the daemon's credential-cache directory (see below).
type ipa_kpasswd_ccache_t;

# Makes ipa_kpasswd_t a daemon domain started from init.
init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)

########################################
#
# IPA kpasswd local policy
#

# NOTE(review): dac_override lets the domain bypass DAC (owner/mode) file
# permission checks; confirm the daemon cannot be fixed to run without it.
allow ipa_kpasswd_t self:capability { sys_nice dac_override };
allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
allow ipa_kpasswd_t self:udp_socket create_socket_perms;

files_read_etc_files(ipa_kpasswd_t)
files_search_usr(ipa_kpasswd_t)

# pid file: declare the type and let the domain create/manage it, with
# files created in /var/run automatically labelled ipa_kpasswd_var_run_t.
# NOTE(review): the trailing ';' on files_pid_file() is unusual here; the
# other interface calls in this file omit it.
files_pid_file(ipa_kpasswd_var_run_t);
allow ipa_kpasswd_t ipa_kpasswd_var_run_t:file manage_file_perms;
files_pid_filetrans(ipa_kpasswd_t,ipa_kpasswd_var_run_t,file)

auth_use_nsswitch(ipa_kpasswd_t)
libs_use_ld_so(ipa_kpasswd_t)
libs_use_shared_libs(ipa_kpasswd_t)
logging_send_syslog_msg(ipa_kpasswd_t)
miscfiles_read_localization(ipa_kpasswd_t)

# Kerberos client access, host replay cache management and read access to
# the KDC configuration.
kerberos_use(ipa_kpasswd_t)
kerberos_manage_host_rcache(ipa_kpasswd_t)
kerberos_read_kdc_config(ipa_kpasswd_t)
kernel_read_system_state(ipa_kpasswd_t)

# /var/cache/ipa/kpasswd
# Credential cache: the domain fully manages dirs and files of this type,
# and directories it creates under /var are labelled ipa_kpasswd_ccache_t.
files_type(ipa_kpasswd_ccache_t)
manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)

kernel_read_network_state(ipa_kpasswd_t)
kernel_read_network_state_symlinks(ipa_kpasswd_t)

# Network access is granted broadly: all interfaces, all nodes and all
# ports for TCP/UDP send/receive. NOTE(review): raw send/receive is
# granted on all interfaces/nodes but no self:rawip_socket rule appears
# in this file; verify whether the raw rules are needed at all.
corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t)
corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t)
corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t)
corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t)
corenet_udp_sendrecv_all_ports(ipa_kpasswd_t)
corenet_non_ipsec_sendrecv(ipa_kpasswd_t)
corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
corenet_udp_bind_all_nodes(ipa_kpasswd_t)
# Listening ports: the Kerberos admin port unconditionally; the password
# port only when its port type exists (optional block below).
corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)

# Unconditional dependency on the kerberos module: loading fails if
# krb5kdc_conf_t is not defined. NOTE(review): directory search on
# krb5kdc_conf_t may already be covered by kerberos_read_kdc_config()
# above; verify against the target refpolicy version before keeping the
# raw allow rule.
require {
	type krb5kdc_conf_t;
};
allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;

optional_policy(`
	# Only bind the Kerberos password port if its port type is present.
	gen_require(`
		type kerberos_password_port_t;
	')
	corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
	corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
')