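policy_module(misc, 1.0.0)

########################################
#
# Declarations
#
# Every type that this module names directly in its own allow/dontaudit
# rules is required here, so the module no longer relies on the called
# interfaces (afs_access, mta_sendmail_exec, ...) happening to pull the
# same types in through their internal gen_require.  Requiring a type
# that an interface also requires is harmless.

require {
	type afsd_t, afsd_etc_t;
	type crond_t, user_cron_spool_t;
	type httpd_t;
	type initrc_t;
	type kernel_t;
	type postfix_local_t, procmail_t;
	type proc_t;
	type sendmail_t, sendmail_exec_t;
	type sshd_t;
	type user_t;
}

########################################
#
# AFS
#

afs_access(afsd_t)
afs_access(crond_t)
afs_access(httpd_t)
afs_access(kernel_t)
afs_access(postfix_local_t)
afs_access(procmail_t)
afs_access(sshd_t)
afs_access(user_t)

# The init.d script writes the cell configuration files.
allow initrc_t afsd_etc_t:file { setattr write };

# aklog needs write access to a proc_t file.  proc_t is the generic label
# for /proc, so this grants write to every proc_t-labelled file, not just
# the one aklog uses; it cannot be narrowed without a dedicated type for
# that node.  NOTE(review): confirm this is still needed with the current
# OpenAFS version.
allow user_t proc_t:file write;

########################################
#
# CRON
#

# crond switches directly to user_t rather than user_crond_t
# (pam_env sets SELINUX_ROLE_TYPE to accomplish this).  The rules below
# are the individual pieces of that domain transition: the spool file is
# the entrypoint, crond may transition, and the usual fd/fifo inheritance
# and sigchld permissions are granted in both directions.
domain_cron_exemption_target(user_t)

allow user_t user_cron_spool_t:file entrypoint;
allow crond_t user_t:process transition;
dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
allow crond_t user_t:fd use;
allow user_t crond_t:fd use;
allow user_t crond_t:fifo_file rw_file_perms;
allow user_t crond_t:process sigchld;

########################################
#
# KRB
#

# sshd GSSAPI authentication reads the host keytab.
kerberos_read_keytab(sshd_t)

# user_t may search keys owned by kernel_t (search only, no read/write).
allow user_t kernel_t:key search;

########################################
#
# MAIL
#

mta_sendmail_exec(user_t)
# NOTE(review): in refpolicy mta_sendmail_exec() already expands to
# can_exec($1, sendmail_exec_t), which makes the next line redundant;
# it is kept in case the local interface differs -- confirm and drop.
can_exec(user_t, sendmail_exec_t)

allow sendmail_t postfix_local_t:fd use;
allow sendmail_t postfix_local_t:fifo_file { getattr write };

corecmd_exec_bin(procmail_t)
corecmd_exec_sbin(procmail_t)

########################################
#
# HTTPD
#

# httpd gets every key permission on its own keyring.  all_key_perms is
# the widest set available; NOTE(review): narrow it to the operations
# actually observed in the audit log once those are known.
allow httpd_t self:key all_key_perms;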