policy_module(misc,1.0.0)

########################################
#
# Declarations
#
# This module declares no types of its own; everything below is referenced
# from other modules (userdomain, kernel, init, cron, ssh, mta/postfix,
# procmail, apache).  One require block covers all of them.
#

require {
	type user_t, kernel_t, initrc_t, proc_t;
	type crond_t, system_crond_t, user_cron_spool_t, var_log_t;
	type sshd_t;
	type postfix_local_t, procmail_t, sendmail_t;
	type httpd_t, httpd_suexec_exec_t;
};

########################################
#
# AFS / Zephyr access for the domains that need it
#
# Every domain that touches AFS goes through the afs_access() interface from
# the afs module; zephyr_access() is given to the same two domains that have
# a login session (user_t) or perform the client-side cache work (kernel_t).
#

afs_access(user_t);
afs_access(kernel_t);
afs_access(crond_t);
afs_access(sshd_t);
afs_access(postfix_local_t);
afs_access(procmail_t);
afs_access(httpd_t);

zephyr_access(user_t);
zephyr_access(kernel_t);

########################################
#
# user_t
#

# aklog needs write access under /proc to talk to the AFS client.
# NOTE(review): proc_t is the generic type for /proc files, so this grant is
# wider than the single path aklog uses; narrow it to a dedicated type for
# that path if the afs module provides one.
allow user_t proc_t:file write;

# User sessions may search the kernel keyring (GSSAPI/Kerberos credentials
# alongside the sshd keytab rule below).
allow user_t kernel_t:key search;

# Users invoke sendmail; the can_exec() call duplicates what mta_sendmail_exec()
# grants and is kept for parity with the original policy.
mta_sendmail_exec(user_t)
can_exec(user_t, sendmail_exec_t)

########################################
#
# initrc_t
#

# The AFS init.d script writes/chmods the cell configuration files.
allow initrc_t afsd_etc_t:file { setattr write };

########################################
#
# cron: crond_t runs user jobs directly as user_t instead of user_crond_t.
#
# pam_env sets SELINUX_ROLE_TYPE so that the job lands in user_t; the
# exemption below tells the domain module not to insist on a cron-specific
# domain for this target.
#

domain_cron_exemption_target(user_t)

# The spool file is the entry point for the job; crond then transitions.
allow user_t user_cron_spool_t:file entrypoint;
allow crond_t user_t:process transition;

# These three are deliberately NOT granted -- dontaudit only silences the
# denial.  The effect is that the job's environment is sanitized (noatsecure
# denied), and pending signals and resource limits are not inherited from
# crond (siginh/rlimitinh denied).  Keep it that way.
dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };

# Descriptor / pipe plumbing between crond and the job, plus the exit
# notification back to crond.
allow crond_t user_t:fd use;
allow user_t crond_t:fd use;
allow user_t crond_t:fifo_file rw_file_perms;
allow user_t crond_t:process sigchld;

########################################
#
# system_crond_t
#

# NOTE(review): rw_file_perms on var_log_t covers every generic log file, not
# just the one a particular system job appends to; consider a log-specific
# type if the job is known.
allow system_crond_t var_log_t:file rw_file_perms;

# System cron jobs also send mail (same duplication as for user_t above).
mta_sendmail_exec(system_crond_t)
can_exec(system_crond_t, sendmail_exec_t)

########################################
#
# sshd: GSSAPI authentication needs the host keytab.
#

kerberos_read_keytab(sshd_t)

########################################
#
# Mail delivery
#

# sendmail spawned by postfix's local delivery agent inherits its descriptors
# and writes to its pipe.
allow sendmail_t postfix_local_t:fd use;
allow sendmail_t postfix_local_t:fifo_file { getattr write };

# procmail recipes run arbitrary helpers from bin/sbin.
corecmd_exec_bin(procmail_t)
corecmd_exec_sbin(procmail_t)

########################################
#
# httpd_t
#

# Full control of its own keyring and the ability to adjust its own rlimits.
allow httpd_t self:key all_key_perms;
allow httpd_t self:process setrlimit;

# NOTE(review): execute_no_trans lets httpd_t run the suexec binary *without*
# a domain transition, i.e. suexec executes with httpd_t's own permissions
# rather than in the dedicated suexec domain the apache module defines.  That
# bypasses the privilege separation suexec is meant to provide; confirm this
# is required, and prefer the apache module's suexec domain transition if not.
allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };