policy_module(netlabel, 1.3.0)

########################################
#
# Declarations
#

type netlabel_mgmt_t;
type netlabel_mgmt_exec_t;
init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
role system_r types netlabel_mgmt_t;

type netlabel_mgmt_unit_file_t;
systemd_unit_file(netlabel_mgmt_unit_file_t)

########################################
#
# NetLabel Management Tools Local policy
#

# modify the network subsystem configuration
allow netlabel_mgmt_t self:capability net_admin;
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;

can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)

kernel_read_network_state(netlabel_mgmt_t)
kernel_read_system_state(netlabel_mgmt_t)

corecmd_exec_bin(netlabel_mgmt_t)
corecmd_exec_shell(netlabel_mgmt_t)

files_read_etc_files(netlabel_mgmt_t)

term_use_all_inherited_terms(netlabel_mgmt_t)

seutil_use_newrole_fds(netlabel_mgmt_t)

auth_read_passwd(netlabel_mgmt_t)

userdom_use_inherited_user_terminals(netlabel_mgmt_t)