#
# Macros for locate domains.
#

#
# Author:  Russell Coker <russell@coker.com.au>
#

#
# locate_domain(domain_prefix)
#
# Define a derived domain for the locate program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/locate.te. 
#
undefine(`locate_domain')
ifdef(`slocate.te', `
define(`locate_domain',`
# Derived domain based on the calling user domain and the program.
type $1_locate_t, domain;

allow $1_locate_t self:process signal;

allow $1_locate_t etc_t:file { getattr read };
allow $1_locate_t self:unix_stream_socket create_socket_perms;
r_dir_file($1_locate_t,var_lib_locate_t)
allow $1_locate_t var_lib_t:dir search;

# Transition from the user domain to this domain.
domain_auto_trans($1_t, locate_exec_t, $1_locate_t)

# The user role is authorized for this domain.
role $1_r types $1_locate_t;

# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `
allow $1_locate_t $1_gph_t:fd use;
')

allow $1_locate_t privfd:fd use;

# allow ps to show locate
can_ps($1_t, $1_locate_t)
allow $1_t $1_locate_t:process signal;

uses_shlib($1_locate_t)
access_terminal($1_locate_t, $1)

allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };

base_file_read_access($1_locate_t)
r_dir_file($1_locate_t, { etc_t lib_t var_t })
dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
')

', `

define(`locate_domain',`')

')