# SELinux policy module for the per-thread security context experiment.
# It defines three colour domains that an unconfined_t process (or thread)
# may switch into via dyntransition, and grants the colour domains the
# minimum they need to keep using the parent domain's descriptors, its
# terminal and its /proc entries.
policy_module(thread-context, 1.0)

# Types and role that must already exist in the base policy.
gen_require(`
	type unconfined_t;
	type unconfined_devpts_t;
	role unconfined_r;
')

# Every colour domain carries this attribute, so the rules further down are
# written once for the whole family instead of once per colour.
attribute unconfined_colors;

#--- the three colour domains ---
type unconfined_red_t;
type unconfined_blue_t;
type unconfined_green_t;

typeattribute unconfined_red_t unconfined_colors;
typeattribute unconfined_blue_t unconfined_colors;
typeattribute unconfined_green_t unconfined_colors;

# Mark each colour as a process domain (refpolicy domain_type interface).
domain_type(unconfined_red_t)
domain_type(unconfined_blue_t)
domain_type(unconfined_green_t)

# All colours are reachable from the unconfined role.
role unconfined_r types { unconfined_red_t unconfined_blue_t unconfined_green_t };

#--- hierarchy ---
# red and blue are placed below unconfined_t in the type hierarchy; green is
# left out. NOTE(review): typedominate is the hierarchy statement this
# prototype relies on; mainline policy expresses bounded types with
# typebounds, so confirm the compiler in use accepts this keyword.
# Presumably the unbounded green domain exists to exercise the
# not-dominated case; confirm against the test that loads this module.
typedominate unconfined_t unconfined_red_t;
typedominate unconfined_t unconfined_blue_t;
# typedominate unconfined_t unconfined_green_t;

#--- switching into a colour ---
# Only unconfined_t may dyntransition into a colour domain; this module
# grants no rule in the other direction and none between colours.
allow unconfined_t unconfined_colors : process { dyntransition };

# After the switch the colour domain keeps using file descriptors labelled
# unconfined_t and may write to the unconfined pty (no read is granted here).
allow unconfined_colors unconfined_t : fd { use };
allow unconfined_colors unconfined_devpts_t : chr_file { write };

#--- /proc ---
# Search /proc, descend into directories labelled unconfined_t, and read
# files labelled with the colour domain itself (presumably its own
# /proc/<pid> entries; confirm).
kernel_search_proc(unconfined_colors)
allow unconfined_colors unconfined_t : dir search_dir_perms;
allow unconfined_colors self : file read_file_perms;