policy_module(pcp, 1.1.0)

########################################
#
# Declarations
#


## <desc>
## <p>
## Allow pcp to bind to all unreserved_ports
## </p>
## </desc>
gen_tunable(pcp_bind_all_unreserved_ports, false)

## <desc>
## <p>
## Allow pcp to read generic logs
## </p>
## </desc>
gen_tunable(pcp_read_generic_logs, false)

attribute pcp_domain;

pcp_domain_template(pmcd)
pcp_domain_template(pmlogger)
pcp_domain_template(pmproxy)
pcp_domain_template(pmie)
pcp_domain_template(plugin)

type pcp_log_t;
logging_log_file(pcp_log_t)

type pcp_var_lib_t;
files_type(pcp_var_lib_t)

type pcp_var_run_t;
files_pid_file(pcp_var_run_t)

type pcp_tmp_t;
files_tmp_file(pcp_tmp_t)

type pcp_tmpfs_t;
files_tmpfs_file(pcp_tmpfs_t)

########################################
#
# pcp domain local  policy
#

allow pcp_domain self:capability { setuid setgid dac_read_search  };
allow pcp_domain self:process signal_perms;
allow pcp_domain self:tcp_socket create_stream_socket_perms;
allow pcp_domain self:udp_socket create_socket_perms;
allow pcp_domain self:netlink_route_socket create_socket_perms;
allow pcp_domain self:unix_stream_socket connectto;

corenet_tcp_connect_all_ephemeral_ports(pcp_domain)

manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
logging_log_filetrans(pcp_domain, pcp_log_t, { dir })

manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
manage_lnk_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})

manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })

manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })

manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file })
can_exec(pcp_domain, pcp_tmpfs_t)

dev_read_urand(pcp_domain)

files_read_etc_files(pcp_domain)

fs_getattr_all_fs(pcp_domain)

miscfiles_read_generic_certs(pcp_domain)

sysnet_read_config(pcp_domain)

tunable_policy(`pcp_bind_all_unreserved_ports',`
    corenet_sendrecv_all_server_packets(pcp_pmcd_t)
    corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
    corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
    corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
    
')


########################################
#
# pcp_pmcd local  policy
#

allow pcp_pmcd_t self:capability { dac_read_search dac_override ipc_owner net_admin sys_admin sys_ptrace };
allow pcp_pmcd_t self:process { setsched };
allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
allow pcp_pmcd_t self:cap_userns sys_ptrace;

kernel_get_sysvipc_info(pcp_pmcd_t)
kernel_manage_perf_event(pcp_pmcd_t)
kernel_read_debugfs(pcp_pmcd_t)
kernel_read_network_state(pcp_pmcd_t)
kernel_read_system_state(pcp_pmcd_t)
kernel_read_state(pcp_pmcd_t)
kernel_read_fs_sysctls(pcp_pmcd_t)
kernel_read_rpc_sysctls(pcp_pmcd_t)
kernel_search_network_sysctl(pcp_pmcd_t)
kernel_read_net_sysctls(pcp_pmcd_t)

corecmd_exec_bin(pcp_pmcd_t)

corenet_tcp_bind_amqp_port(pcp_pmcd_t)
corenet_tcp_connect_amqp_port(pcp_pmcd_t)
corenet_tcp_connect_http_port(pcp_pmcd_t)
corenet_udp_bind_statsd_port(pcp_pmcd_t)

dev_read_sysfs(pcp_pmcd_t)
dev_rw_lvm_control(pcp_pmcd_t)

domain_read_all_domains_state(pcp_pmcd_t)
domain_getattr_all_domains(pcp_pmcd_t)

dev_getattr_all_blk_files(pcp_pmcd_t)
dev_getattr_all_chr_files(pcp_pmcd_t)
dev_read_sysfs(pcp_pmcd_t)
dev_read_urand(pcp_pmcd_t)

fs_getattr_all_fs(pcp_pmcd_t)
fs_getattr_all_dirs(pcp_pmcd_t)
fs_list_cgroup_dirs(pcp_pmcd_t)
fs_read_cgroup_files(pcp_pmcd_t)
fs_read_nfsd_files(pcp_pmcd_t)
fs_search_tracefs_dirs(pcp_pmcd_t)

init_read_utmp(pcp_pmcd_t)

logging_send_syslog_msg(pcp_pmcd_t)

lvm_domtrans(pcp_pmcd_t)

storage_getattr_fixed_disk_dev(pcp_pmcd_t)
storage_raw_read_fixed_disk(pcp_pmcd_t)

userdom_read_user_tmp_files(pcp_pmcd_t)
userdom_manage_unpriv_user_semaphores(pcp_pmcd_t)

optional_policy(`
	acct_search_data(pcp_pmcd_t)
')

optional_policy(`
	cron_read_pid_files(pcp_pmcd_t)
')

optional_policy(`
    container_manage_lib_files(pcp_pmcd_t)
')

optional_policy(`
    mock_read_lib_files(pcp_pmcd_t)
')

optional_policy(`
    mysql_stream_connect(pcp_pmcd_t)
')

optional_policy(`
    dbus_system_bus_client(pcp_pmcd_t)

    optional_policy(`
        avahi_dbus_chat(pcp_pmcd_t)
    ')
')

optional_policy(`
    postfix_read_config(pcp_pmcd_t)
    postfix_search_spool(pcp_pmcd_t)
')

optional_policy(`
    raid_domtrans_mdadm(pcp_pmcd_t)
    raid_access_check_mdadm(pcp_pmcd_t)
')

tunable_policy(`pcp_read_generic_logs',`
    logging_read_generic_logs(pcp_pmcd_t)

')

########################################
#
# pcp_pmproxy local  policy
#

allow pcp_pmproxy_t self:process setsched;
allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;

kernel_search_network_sysctl(pcp_pmproxy_t)

logging_send_syslog_msg(pcp_pmproxy_t)

optional_policy(`
    dbus_system_bus_client(pcp_pmproxy_t)

    optional_policy(`
        avahi_dbus_chat(pcp_pmproxy_t)
    ')
')

########################################
#
# pcp_pmie local  policy
#
allow pcp_pmie_t self:capability { chown fsetid sys_ptrace };
allow pcp_pmie_t self:cap_userns sys_ptrace;
allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };

allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;

allow pcp_pmie_t pcp_pmcd_t:process signal;

kernel_read_net_sysctls(pcp_pmie_t)
kernel_read_network_state(pcp_pmie_t)
kernel_read_system_state(pcp_pmie_t)
kernel_dontaudit_request_load_module(pcp_pmie_t)

can_exec(pcp_pmie_t, pcp_pmie_exec_t)

corecmd_exec_bin(pcp_pmie_t)
corecmd_getattr_all_executables(pcp_pmie_t)

domain_read_all_domains_state(pcp_pmie_t)

fs_search_cgroup_dirs(pcp_pmie_t)

init_status(pcp_pmie_t)

logging_send_syslog_msg(pcp_pmie_t)

systemd_exec_systemctl(pcp_pmie_t)
systemd_read_unit_files(pcp_pmie_t)
systemd_search_unit_dirs(pcp_pmie_t)

userdom_read_user_tmp_files(pcp_pmie_t)

########################################
#
# pcp_pmlogger local  policy
#

allow pcp_pmlogger_t self:capability { dac_read_search dac_override chown fowner sys_ptrace };
allow pcp_pmlogger_t self:process setpgid;
allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };

allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;

allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;

dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };

kernel_read_system_state(pcp_pmlogger_t)
kernel_read_network_state(pcp_pmlogger_t)
kernel_read_all_sysctls(pcp_pmlogger_t)

corecmd_exec_bin(pcp_pmlogger_t)

corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
corenet_tcp_bind_generic_node(pcp_pmlogger_t)

domain_read_all_domains_state(pcp_pmlogger_t)

fs_mount_tracefs(pcp_pmlogger_t)
fs_getattr_all_fs(pcp_pmlogger_t)

init_read_utmp(pcp_pmlogger_t)
init_status(pcp_pmlogger_t)

logging_send_syslog_msg(pcp_pmlogger_t)

systemd_exec_systemctl(pcp_pmlogger_t)
systemd_getattr_unit_files(pcp_pmlogger_t)

optional_policy(`
    hostname_exec(pcp_pmlogger_t)
')

optional_policy(`
    rpm_script_signal(pcp_pmlogger_t)
')

########################################
#
# pcp_plugin local  policy
#

domtrans_pattern(pcp_domain, pcp_plugin_exec_t, pcp_plugin_t)

optional_policy(`
    unconfined_domain(pcp_plugin_t)
')