# Authors:  Dan Walsh,  Russell Coker
# Maintained by Dan Walsh <dwalsh@redhat.com>
define(`sudo_domain',`
newrole_domain($1_sudo, `, privuser')

# By default, revert to the calling domain when a shell is executed.
domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)

ifdef(`mta.te', `
domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
')

allow $1_sudo_t self:capability sys_resource;

allow $1_sudo_t self:process setrlimit;

ifdef(`pam.te', `
allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
allow $1_sudo_t pam_var_run_t:file create_file_perms;
')

allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
allow $1_sudo_t sysctl_t:dir search;
allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
read_sysctl($1_sudo_t)

allow $1_sudo_t var_run_t:dir search;
r_dir_file($1_sudo_t, default_context_t)
rw_dir_create_file($1_sudo_t, $1_tmp_t)
rw_dir_create_file($1_sudo_t, $1_home_t)
domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
')