;;
;; Permission sets definitions
;;

(classpermission search_dir_perms)
(classpermissionset search_dir_perms (dir (getattr search)))

(classpermission list_dir_perms)
(classpermissionset list_dir_perms (dir (getattr search open read lock ioctl)))

(classpermission rw_dir_perms)
(classpermissionset rw_dir_perms (dir (open read getattr lock search ioctl add_name remove_name write)))

(classpermission manage_dir_perms)
(classpermissionset manage_dir_perms (dir (create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl)))

(classpermission rw_chr_file_perms)
(classpermissionset rw_chr_file_perms (chr_file (getattr open read write append ioctl lock)))

(classpermission read_file_perms)
(classpermissionset read_file_perms (file (getattr open read lock ioctl)))

(classpermission rw_file_perms)
(classpermissionset rw_file_perms (file (open getattr read write append ioctl lock)))

(classpermission manage_file_perms)
(classpermissionset manage_file_perms (file (create open getattr setattr read write append rename link unlink ioctl lock)))

(classpermission exec_file_perms)
(classpermissionset exec_file_perms (file (getattr open map read execute ioctl execute_no_trans)))

(classpermission read_lnk_file_perms)
(classpermissionset read_lnk_file_perms (lnk_file (getattr read)))

(classpermission rw_lnk_file_perms)
(classpermissionset rw_lnk_file_perms (lnk_file (getattr read write lock ioctl)))

(classpermission manage_lnk_file_perms)
(classpermissionset manage_lnk_file_perms (lnk_file (create read write getattr setattr link unlink rename ioctl lock)))

(classpermission write_sock_file_perms)
(classpermissionset write_sock_file_perms (sock_file (getattr write open append)))

(classpermission manage_sock_file_perms)
(classpermissionset manage_sock_file_perms (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))

(classpermission create_tcp_socket_perms)
(classpermissionset create_tcp_socket_perms (tcp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept)))

(classpermission create_udp_socket_perms)
(classpermissionset create_udp_socket_perms (udp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown)))

(classpermission create_sctp_socket_perms)
(classpermissionset create_sctp_socket_perms (sctp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown)))

(classpermission rw_shm_perms)
(classpermissionset rw_shm_perms (shm (lock associate getattr read unix_read unix_write write)))

;;
;; Base container policy
;;

(block container
	(blockabstract container)

	(type process)
	(type socket)

	(roletype system_r process)
	(typeattributeset domain (process))
	(typeattributeset container_domain (process))
	(typeattributeset mcs_constrained_type (process))
	(typeattributeset file_type (socket))

	(allow process socket manage_sock_file_perms)
	(allow container_engine_domain process (key (create search setattr view)))
)