policy_module(hostapd, 1.0.0)

########################################
#
# Declarations
#

type hostapd_t;
type hostapd_exec_t;
init_daemon_domain(hostapd_t, hostapd_exec_t)

type hostapd_var_run_t;
files_pid_file(hostapd_var_run_t)

type hostapd_unit_file_t;
systemd_unit_file(hostapd_unit_file_t)

########################################
#
# hostapd local policy
#
allow hostapd_t self:capability { fsetid chown net_admin net_raw };
allow hostapd_t self:fifo_file rw_fifo_file_perms;
allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
allow hostapd_t self:netlink_socket create_socket_perms;
allow hostapd_t self:netlink_generic_socket create_socket_perms;
allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
allow hostapd_t self:packet_socket create_socket_perms;

manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })

kernel_read_system_state(hostapd_t)
kernel_read_network_state(hostapd_t)
kernel_request_load_module(hostapd_t)

corenet_udp_bind_dhcpd_port(hostapd_t)

dev_read_rand(hostapd_t)
dev_read_urand(hostapd_t)
dev_read_sysfs(hostapd_t)
dev_rw_wireless(hostapd_t)

domain_use_interactive_fds(hostapd_t)

files_read_etc_files(hostapd_t)

auth_use_nsswitch(hostapd_t)

logging_send_syslog_msg(hostapd_t)

miscfiles_read_localization(hostapd_t)

userdom_write_user_tmp_sockets(hostapd_t)

optional_policy(`
	unconfined_dgram_send(hostapd_t)
')