#
# Authors: Justin Smith
#
# Policy for the ipchains firewall tool: declares the ipchains_t domain,
# its executable and pid-file types, what it may do, and how sysadm_t
# enters it. Some rules below target tripwire_t rather than ipchains_t;
# NOTE(review): those look unrelated to this file, presumably belong with
# the tripwire policy -- confirm before relying on their placement here.
#

#
# Type declarations for the ipchains_t domain.
#
type ipchains_t, domain, privlog;
type ipchains_exec_t, file_type, sysadmfile, exec_type;
type ipchains_var_run_t, file_type, sysadmfile, pidfile;

#
# What ipchains_t itself is allowed to do.
#
uses_shlib(ipchains_t)

# Firewall configuration needs net_admin; raw socket use needs net_raw.
# Both are powerful; keep this capability set as small as the tool allows.
allow ipchains_t self:capability { net_admin net_raw };
allow ipchains_t self:rawip_socket { create setopt };

# Descriptors inherited from init.
allow ipchains_t init_t:fd inherit_fd_perms;

# Helpers ipchains may run: kernel module loading and interface setup
# each transition into their own domain; generic bin_t programs run
# without a domain change, and ipchains may re-exec itself.
domain_auto_trans(ipchains_t, insmod_exec_t, insmod_t)
domain_auto_trans(ipchains_t, ifconfig_exec_t, ifconfig_t)
allow ipchains_t bin_t:file { execute execute_no_trans };
allow ipchains_t ipchains_exec_t:file { execute_no_trans };

# Pid files created under var_run_t get the ipchains-specific label.
file_type_auto_trans(ipchains_t, var_run_t, ipchains_var_run_t)

#
# Entry into ipchains_t from the administrator's domain.
#
role sysadm_t types { ipchains_t };
domain_auto_trans(sysadm_t, ipchains_exec_t, ipchains_t)

# Audit every administrator transition into the domain.
# NOTE(review): the process-class rule on ipchains_exec_t names a file
# type as a process target, which looks inconsistent with the other two;
# verify whether it is intended.
auditallow sysadm_t ipchains_t:process transition;
auditallow sysadm_t ipchains_exec_t:process transition;
auditallow sysadm_t ipchains_exec_t:file execute;

#
# Rules for tripwire_t (see the note at the top of this file).
#
allow tripwire_t sysadm_tty_device_t:chr_file rw_file_perms;
allow tripwire_t sysadm_devpts_t:chr_file rw_file_perms;
allow tripwire_t sysadm_gph_t:fd inherit_fd_perms;