#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: opengate openh323gk
#

#################################
#
# Rules for the gatekeeper_t domain.
#
# gatekeeper_exec_t is the type of the gk executable.
#
daemon_domain(gatekeeper)

# for SSP
allow gatekeeper_t urandom_device_t:chr_file read;

etc_domain(gatekeeper)
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
logdir_domain(gatekeeper)

# Use the network.
can_network_server(gatekeeper_t)
can_ypbind(gatekeeper_t)
allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
allow gatekeeper_t self:unix_stream_socket create_socket_perms;

# for stupid symlinks
tmp_domain(gatekeeper)

# pthreads wants to know the kernel version
read_sysctl(gatekeeper_t)

allow gatekeeper_t etc_t:file { getattr read };

allow gatekeeper_t etc_t:dir r_dir_perms;
allow gatekeeper_t sbin_t:dir r_dir_perms;

allow gatekeeper_t self:process setsched;
allow gatekeeper_t self:fifo_file rw_file_perms;

allow gatekeeper_t proc_t:file read;

# for local users to run VOIP software
can_udp_send(userdomain, gatekeeper_t)
can_udp_send(gatekeeper_t, userdomain)
can_tcp_connect(gatekeeper_t, userdomain)

# this is crap, gk wants to create symlinks in /etc every time it starts and
# remove them when it exits.
#allow gatekeeper_t etc_t:dir rw_dir_perms;