policy_module(aimee-os, 1.0)

########################################
#
# Declarations
#
# Four OS-specific domains:
#   aimee_storinit_t         - init-storage, a system daemon (init_daemon_domain)
#   aimee_sysupdate_t        - system-update, a user application domain
#   aimee_factory_reset_t    - factory-reset, a system daemon
#   aimee_set_root_password_t - set-root-password, a user application domain
# The two user application domains are entered from sysadm_r through the
# aimee_os_run_* interfaces called further down (defined in the .if file).
#

type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)

# Private runtime (files_runtime_file) type for init-storage.
type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)

type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)

# Private tmp type for system-update.
type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)

type aimee_factory_reset_t;
type aimee_factory_reset_exec_t;
init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)

type aimee_set_root_password_t;
type aimee_set_root_password_exec_t;
userdom_user_application_domain(aimee_set_root_password_t, aimee_set_root_password_exec_t)

# Private tmp type for set-root-password.
type aimee_set_root_password_tmp_t;
files_tmp_file(aimee_set_root_password_tmp_t)

########################################
#
# init-storage local policy
#

allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
# chown/fsetid: presumably for creating files owned by other users;
# sys_admin: presumably for the mount/unmount rules below - confirm.
allow aimee_storinit_t self:capability { chown fsetid sys_admin };
# setfscreate: the daemon can choose the label of files it creates.
allow aimee_storinit_t self:process { setfscreate };

# Own runtime directory, created with the private runtime label.
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)

# Storage set-up: runs system binaries, reads raw fixed disks, transitions to
# the fstools domain, runs mount (in its own domain) and may mount/unmount
# any filesystem type.
corecmd_exec_bin(aimee_storinit_t)
storage_raw_read_fixed_disk(aimee_storinit_t)
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)

# Its own runtime directory is used as a mount point.
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;

gen_require(`
	type mount_runtime_t;
')
# Silence writes to the mount runtime directory rather than allowing them.
dontaudit aimee_storinit_t mount_runtime_t:dir write;

# Labelling of freshly prepared storage: reads the policy and file contexts,
# transitions to setfiles, and may manage directories that are still unlabeled.
seutil_read_config(aimee_storinit_t)
seutil_read_file_contexts(aimee_storinit_t)
seutil_read_bin_policy(aimee_storinit_t)
seutil_domtrans_setfiles(aimee_storinit_t)
kernel_manage_unlabeled_dirs(aimee_storinit_t)

# NOTE(review): from here to the end of this section the daemon gets
# manage + relabel over a wide set of system file types, including the
# shadow file (auth_manage_shadow / auth_relabel_shadow), the SELinux
# module store, log and audit-log types, /tmp and /etc directories.
# Presumably this is what populating and relabelling the persistent
# storage on first boot needs; each type in this list should be
# re-justified whenever the init-storage script changes, since any
# compromise of this daemon reaches all of them.
auth_manage_shadow(aimee_storinit_t)
auth_relabel_shadow(aimee_storinit_t)
files_manage_var_dirs(aimee_storinit_t)
files_relabel_var_dirs(aimee_storinit_t)
files_manage_var_files(aimee_storinit_t)
files_manage_var_symlinks(aimee_storinit_t)

gen_require(`
	type var_lib_t, var_lock_t, var_run_t;
	type semanage_store_t;
	type semanage_read_lock_t, semanage_trans_lock_t;
	type system_dbusd_var_lib_t;
	type init_var_lib_t;
	type auditd_log_t;
	type tmp_t;
	type etc_t;
	type shadow_t;
	attribute logfile;
')

# Generic /var/lib, /var/lock (symlinks only) and /var/run content.
manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)

# SELinux policy module store and its read/transaction lock files.
manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)

# System D-Bus and init state directories under /var/lib.
manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)

# Every log type (the logfile attribute) plus the audit log.
manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
manage_files_pattern(aimee_storinit_t, logfile, logfile)
relabel_files_pattern(aimee_storinit_t, logfile, logfile)
manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)

# /tmp content.
manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)

# /etc: directories only, no file rules here.
manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
relabel_dirs_pattern(aimee_storinit_t, etc_t, etc_t)

# The shadow file itself is used as a mount point (presumably a bind mount) - confirm.
allow aimee_storinit_t shadow_t:file mounton;

########################################
#
# system-update local policy
#

allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;

# Private tmp directory; a file named "install" created in it is
# labelled bin_t, so it is runnable through corecmd_exec_bin below.
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")

# Interactive use from a user terminal.
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)

corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
# Raw read/write on fixed disks (the updater writes disk images directly - presumably).
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)

# Name resolution through systemd-resolved, then outbound TCP to the
# update server.
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
corenet_tcp_connect_http_port(aimee_sysupdate_t)
# NOTE(review): soundd_port_t is the refpolicy label for tcp port 8000
# (and a couple of other sound-daemon ports); presumably the update
# server is reached on 8000. A module-specific port type would state
# the intent and avoid opening the unrelated soundd ports - confirm.
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)

# NOTE(review): the two manage_non_security rules here and
# files_mounton_non_security below grant create/write/mount over every
# non-security file type on the system; together with the raw disk
# write above this is the broadest grant in the module. In this file the
# domain is reached only from sysadm_r (aimee_os_run_system_update).
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)

# Mount handling: runs mount in its own domain, may mount/unmount any fs.
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)

# System bus client talking to logind (presumably for reboot/inhibit) and syslog.
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
files_mounton_non_security(aimee_sysupdate_t)

# Entry from the sysadm role (interface defined in the .if file).
gen_require(`
	type sysadm_t;
	role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)

########################################
#
# factory-reset local policy
#

allow aimee_factory_reset_t self:capability { sys_admin };
allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;

corecmd_exec_bin(aimee_factory_reset_t)
dev_read_sysfs(aimee_factory_reset_t)
kernel_read_system_state(aimee_factory_reset_t)
fstools_exec(aimee_factory_reset_t)
fstools_manage_runtime_files(aimee_factory_reset_t)
miscfiles_read_localization(aimee_factory_reset_t)
# Raw read/write on fixed disks; no filesystem-level write rules in this domain.
storage_raw_rw_fixed_disk(aimee_factory_reset_t)

########################################
#
# set-root-password local policy
#

# passwd is a userspace object class (checked by the passwd utility, not the kernel).
gen_require(`
	class passwd { passwd };
')

allow aimee_set_root_password_t self:capability { sys_admin };
allow aimee_set_root_password_t self:fifo_file rw_fifo_file_perms;
allow aimee_set_root_password_t self:process setfscreate;
# NOTE(review): self ptrace is rarely needed; confirm which step requires
# it and drop it if none does. The signal permissions are for its own children.
allow aimee_set_root_password_t self:process { ptrace sigkill sigstop signal };
allow aimee_set_root_password_t self:passwd passwd;

# Private tmp directory, including relabel of files inside it.
files_tmp_filetrans(aimee_set_root_password_t, aimee_set_root_password_tmp_t, dir)
manage_dirs_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
manage_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
relabel_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)

# Interactive use from a user terminal.
domain_use_interactive_fds(aimee_set_root_password_t)
userdom_use_inherited_user_terminals(aimee_set_root_password_t)
userdom_search_user_home_dirs(aimee_set_root_password_t)

corecmd_exec_bin(aimee_set_root_password_t)
selinux_get_fs_mount(aimee_set_root_password_t)
seutil_read_config(aimee_set_root_password_t)
miscfiles_read_localization(aimee_set_root_password_t)
# May mount on / and on /etc directories, and re-execute its own binary
# (aimee_os_set_root_password_exec) - presumably to run inside a
# temporary mount namespace; confirm against the tool.
files_mounton_root(aimee_set_root_password_t)
aimee_os_set_root_password_exec(aimee_set_root_password_t)
mount_list_runtime(aimee_set_root_password_t)
fs_getattr_all_fs(aimee_set_root_password_t)
fs_mount_all_fs(aimee_set_root_password_t)
fs_unmount_all_fs(aimee_set_root_password_t)

# Reads /var/lib files, manages and relabels /etc files and dirs, and
# manages/relabels the shadow file before transitioning to passwd_t.
files_read_var_lib_files(aimee_set_root_password_t)
files_manage_etc_files(aimee_set_root_password_t)
files_relabel_etc_files(aimee_set_root_password_t)
files_manage_etc_dirs(aimee_set_root_password_t)
auth_manage_shadow(aimee_set_root_password_t)
auth_relabel_shadow(aimee_set_root_password_t)
files_mounton_etc_dirs(aimee_set_root_password_t)
usermanage_domtrans_passwd(aimee_set_root_password_t)
dev_read_sysfs(aimee_set_root_password_t)
aimee_os_manage_set_root_password_tmp_files(aimee_set_root_password_t)

gen_require(`
	type mount_t;
	type passwd_t;
')
# The private tmp dir is a mount point for this domain and for mount_t.
# No transition to mount_t is granted in this file (only mount_list_runtime),
# so the mount_t rule presumably serves a mount started elsewhere - confirm.
allow aimee_set_root_password_t aimee_set_root_password_tmp_t:dir mounton;
allow mount_t aimee_set_root_password_tmp_t:dir mounton;
# passwd_t (entered via usermanage_domtrans_passwd above) also works in the tmp dir.
aimee_os_manage_set_root_password_tmp_files(passwd_t)

# Entry from the sysadm role; a second require of the same symbols is harmless.
gen_require(`
	type sysadm_t;
	role sysadm_r;
')
aimee_os_run_set_root_password(sysadm_t, sysadm_r)

########################################
#
# Additional policy rules for Aimee OS-specific behavior
#

# Allow ssh-keygen to create host key files in /var/lib/ssh
# NOTE(review): the transition has no name filter and var_lib_t is the
# generic /var/lib type, so it applies to any file ssh_keygen_t creates
# directly under any var_lib_t directory, not only /var/lib/ssh. A
# dedicated type for /var/lib/ssh (labelled in the .fc file) would keep
# both the rw_dir_perms grant and the transition narrow.
gen_require(`
	type ssh_keygen_t;
	type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)

# Allow login to execute /bin/busybox (via /bin/sh symlink)
gen_require(`
	type local_login_t;
')
corecmd_exec_bin(local_login_t)

# Allow root to log in on the serial console
# (sysadm_t inherits file descriptors from init).
gen_require(`
	type sysadm_t;
')
init_use_fds(sysadm_t)