# SELinux policy module for the tayga daemon: declares the confined domain
# tayga_t, its entry-point, config, pid and state file types, and the rules
# the domain is granted. The interface macros used below are defined outside
# this file, so their exact expansions should be checked against the policy
# headers this module is built with.
policy_module(tayga, 1.0.0)

##########
# Definitions
#

# Process domain and the executable type that is its entry point.
type tayga_t;
type tayga_exec_t;
init_daemon_domain(tayga_t, tayga_exec_t)

# Configuration files.
type tayga_etc_t;
files_config_file(tayga_etc_t)

# PID file.
type tayga_var_run_t;
files_pid_file(tayga_var_run_t)

# Persistent state (presumably the daemon data directory - confirm against the
# file contexts shipped with this module).
type tayga_var_db_t;
files_type(tayga_var_db_t)

########
# Rules

# Non interfaced rules that "seem" to be the norm ...
# CAP_NET_ADMIN is a broad capability covering network configuration; it is the
# only capability granted to the domain in this file.
allow tayga_t self:capability net_admin;

# NOTE(review): init_daemon_domain above already names the same domain and
# entry-point pair. Confirm application_domain is really wanted (for example to
# start the binary by hand from a user session), otherwise it widens who may
# enter the domain.
application_domain(tayga_t, tayga_exec_t)

dev_read_rand( tayga_t )
# Why is this needed also?
# The rule below grants read and open on character files typed
# urandom_device_t, which presumably is not covered by dev_read_rand.
# NOTE(review): the reference policy offers dev_read_urand for this; prefer the
# interface over requiring a type owned by another module, after checking the
# extra permissions that interface may add.
gen_require(`
	type urandom_device_t;
')
allow tayga_t urandom_device_t:chr_file { read open };

# NOTE(review): presumably pulled in for name and user lookups; confirm the
# daemon needs it, since nsswitch access is usually a wide grant.
auth_use_nsswitch(tayga_t)

# Read-only access to the configuration tree: files may be read, directories
# may be stat-ed, searched and listed. Nothing here lets the daemon modify its
# own configuration.
# NOTE(review): the three directory patterns probably overlap; check whether
# list_dirs_pattern alone is sufficient.
read_files_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
getattr_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
search_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
list_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
## Would be better if I could use ...
# read_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)

# Full management of the PID file.
manage_files_pattern(tayga_t, tayga_var_run_t, tayga_var_run_t)

# Full management of directories and files in the state area.
manage_dirs_pattern(tayga_t, tayga_var_db_t, tayga_var_db_t)
manage_files_pattern(tayga_t, tayga_var_db_t, tayga_var_db_t)

## Allow access to the tun
# The domain may create tun sockets and relabel them from and to its own type,
# and may read and write the tun/tap device node.
allow tayga_t self:tun_socket { create_socket_perms relabelfrom relabelto };
corenet_rw_tun_tap_dev(tayga_t)

## The author was not sure about the rules from here to the end of the file ...
kernel_read_system_state(tayga_t)

# NOTE(review): source and target domain are both tayga_t, so a shell started
# by the daemon stays in tayga_t and keeps net_admin and the tun access granted
# above. Together with the execute_no_trans rule at the end of the file this
# lets the confined domain run arbitrary shell commands with those privileges.
# Confirm from audit logs in permissive mode that the daemon really executes a
# shell; if it does not, drop both rules. If it does, corecmd_exec_shell is the
# usual interface for in-domain shell execution.
corecmd_shell_domtrans(tayga_t, tayga_t)

# Running ifconfig transitions out of tayga_t (presumably into the ifconfig
# domain defined by the sysnetwork module - confirm).
sysnet_domtrans_ifconfig( tayga_t )

# This rule may need appropriate interfaces
# Executes files typed shell_exec_t without leaving tayga_t; see the note on
# corecmd_shell_domtrans above before keeping it.
gen_require(`
	type shell_exec_t;
')
allow tayga_t shell_exec_t:file execute_no_trans;