policy_module(realmd, 1.1.0)

########################################
#
# Declarations
#

type realmd_t;
type realmd_exec_t;
init_system_domain(realmd_t, realmd_exec_t)

########################################
#
# Local policy
#

allow realmd_t self:capability sys_nice;
allow realmd_t self:process setsched;

kernel_read_system_state(realmd_t)

corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)

corenet_all_recvfrom_unlabeled(realmd_t)
corenet_all_recvfrom_netlabel(realmd_t)
corenet_tcp_sendrecv_generic_if(realmd_t)
corenet_tcp_sendrecv_generic_node(realmd_t)

corenet_sendrecv_http_client_packets(realmd_t)
corenet_tcp_connect_http_port(realmd_t)
corenet_tcp_sendrecv_http_port(realmd_t)

domain_use_interactive_fds(realmd_t)

dev_read_rand(realmd_t)
dev_read_urand(realmd_t)

fs_getattr_all_fs(realmd_t)

files_read_usr_files(realmd_t)

auth_use_nsswitch(realmd_t)

logging_send_syslog_msg(realmd_t)

optional_policy(`
	dbus_system_domain(realmd_t, realmd_exec_t)

	optional_policy(`
		networkmanager_dbus_chat(realmd_t)
	')

	optional_policy(`
		policykit_dbus_chat(realmd_t)
	')
')

optional_policy(`
	hostname_exec(realmd_t)
')

optional_policy(`
	kerberos_use(realmd_t)
	kerberos_rw_keytab(realmd_t)
')

optional_policy(`
	nis_exec_ypbind(realmd_t)
	nis_initrc_domtrans(realmd_t)
')

optional_policy(`
	gnome_read_generic_home_content(realmd_t)
')

optional_policy(`
	samba_domtrans_net(realmd_t)
	samba_manage_config(realmd_t)
	samba_getattr_winbind_exec(realmd_t)
')

optional_policy(`
	sssd_getattr_exec(realmd_t)
	sssd_manage_config(realmd_t)
	sssd_manage_lib_files(realmd_t)
	sssd_manage_public_files(realmd_t)
	sssd_read_pid_files(realmd_t)
	sssd_initrc_domtrans(realmd_t)
')