#DESC Quota - File system quota management utilities
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: quota quotatool
#

#################################
#
# Rules for the quota_t domain.
#
# needs auth attribute because it has read access to shadow_t because checkquota
# is buggy
daemon_base_domain(quota, `, auth, fs_domain')

# so the administrator can run quotacheck
domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
role sysadm_r types quota_t;
allow quota_t admin_tty_type:chr_file { read write };

type quota_flag_t, file_type, sysadmfile;
type quota_db_t, file_type, sysadmfile;

rw_dir_create_file(initrc_t, quota_flag_t)

allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
# quotacheck creates new quota_db_t files
file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
# for some reason it wants dac_override not dac_read_search
allow quota_t self:capability { sys_admin dac_override };
allow quota_t file_type:{ fifo_file sock_file } getattr;
allow quota_t file_t:file quotaon;

# for quotacheck
allow quota_t file_type:dir r_dir_perms;
# The following line is apparently necessary, although read and
# ioctl seem to be more than should be required.
allow quota_t file_type:file { getattr read ioctl };
allow quota_t file_type:{ fifo_file sock_file } getattr;
allow quota_t file_type:lnk_file { read getattr };
allow quota_t device_type:{ chr_file blk_file } getattr;

allow quota_t fixed_disk_device_t:blk_file { getattr read };

# for /quota.*
allow quota_t quota_db_t:file { read write };
dontaudit unpriv_userdomain quota_db_t:file getattr;
allow quota_t quota_db_t:file quotaon;

# Read /etc/mtab.
allow quota_t etc_runtime_t:file { read getattr };

allow quota_t device_t:dir r_dir_perms;
allow quota_t fixed_disk_device_t:blk_file getattr;
allow quota_t boot_t:dir r_dir_perms;
allow quota_t sysctl_t:dir { getattr search };

allow quota_t initrc_devpts_t:chr_file rw_file_perms;

allow quota_t proc_t:file getattr;