policy_module(qarshd, 1.0.0.23);

require {
    type unconfined_t;
}

type qarshd_t;
type qarshd_exec_t;

# --------------- QARSHD part ------------------

# we define new domain, assign common attributes
domain_type(qarshd_t);

# we don't want qarshd domain to be confined in any
# way as qarshd must be able to do all as root
unconfined_domain(qarshd_t);
init_daemon_domain(qarshd_t,qarshd_exec_t)

# define qarshd as (x)inetd service with it's own domain
inetd_tcp_service_domain(qarshd_t,qarshd_exec_t);

# whenever we run anything with qarshd_exec_t type
# we want to end up in qarshd_t domain. This will be
# useful when starting daemons manually from shell
domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t);

# allow any transition from qarshd_t
allow qarshd_t domain:process { transition };

# qarshd_t sockets end up as stdin, stdout, and stderr
# for processes in other domains, let them read, write,
# fstat and ioctl on them
allow domain qarshd_t:tcp_socket { write read getattr ioctl};

# allow any domain to signal to qarshd_t process
allow domain qarshd_t:process { sigchld };