policy_module(journalctl, 1.0.0)

########################################
#
# Declarations
#

attribute_role journalctl_roles;
roleattribute system_r journalctl_roles;

type journalctl_t;
type journalctl_exec_t;
application_domain(journalctl_t, journalctl_exec_t)

role journalctl_roles types journalctl_t;

########################################
#
# journalctl local policy
#
allow journalctl_t self:capability sys_resource;
allow journalctl_t self:process { fork setrlimit signal_perms };

allow journalctl_t self:fifo_file manage_fifo_file_perms;
allow journalctl_t self:unix_stream_socket create_stream_socket_perms;

kernel_read_system_state(journalctl_t)

corecmd_exec_bin(journalctl_t)

domain_use_interactive_fds(journalctl_t)

files_read_etc_files(journalctl_t)

fs_getattr_all_fs(journalctl_t)

init_read_state(journalctl_t)
init_mmap_read_var_lib_files(journalctl_t)

auth_use_nsswitch(journalctl_t)

miscfiles_read_localization(journalctl_t)

logging_read_generic_logs(journalctl_t)
logging_watch_generic_log_dirs(journalctl_t)
logging_read_syslog_pid(journalctl_t)
logging_mmap_journal(journalctl_t)
logging_watch_journal_dir(journalctl_t)

term_use_generic_ptys(journalctl_t)

userdom_list_user_home_dirs(journalctl_t)
userdom_read_user_home_content_files(journalctl_t)
userdom_use_inherited_user_ptys(journalctl_t)
userdom_use_inherited_user_ttys(journalctl_t)
userdom_rw_inherited_user_tmp_files(journalctl_t)
userdom_rw_inherited_user_home_content_files(journalctl_t)

optional_policy(`
	rhcd_read_fifo_files(journalctl_t)
')