policy_module(slocate,1.0.0)

#################################
#
# Declarations
#

type locate_t;
type locate_exec_t;
init_system_domain(locate_t,locate_exec_t)

type locate_log_t;
logging_log_file(locate_log_t)

type locate_var_lib_t;
files_type(locate_var_lib_t)

########################################
#
# Local policy
#

allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
allow locate_t self:process { execmem execheap execstack };
allow locate_t self:fifo_file rw_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;

allow locate_t locate_var_lib_t:dir create_dir_perms;
allow locate_t locate_var_lib_t:file create_file_perms;

kernel_read_system_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)

corecmd_exec_bin(locate_t)

files_list_all(locate_t)
files_getattr_all_files(locate_t)
files_read_etc_runtime_files(locate_t)
files_read_etc_files(locate_t)

fs_getattr_xattr_fs(locate_t)

optional_policy(`cron',`
	cron_system_entry(locate_t, locate_exec_t)
')