#
# Macros for chkpwd domains.
#

#
# chkpwd_domain(domain_prefix)
#
# Define a derived domain for the *_chkpwd program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/su.te. 
#
undefine(`chkpwd_domain')
ifdef(`chkpwd.te', `
define(`chkpwd_domain',`
# Derived domain based on the calling user domain and the program.
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;

role $1_r types $1_chkpwd_t;

# is_selinux_enabled
allow $1_chkpwd_t proc_t:file read;

can_getcon($1_chkpwd_t)
authentication_domain($1_chkpwd_t)

ifelse($1, system, `
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
authentication_domain(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)

# Write to the user domain tty.
access_terminal($1_chkpwd_t, $1)

allow $1_chkpwd_t privfd:fd use;

# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')

# Inherit and use descriptors from newrole.
ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
')

uses_shlib($1_chkpwd_t)
allow $1_chkpwd_t etc_t:file { getattr read };
allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
read_locale($1_chkpwd_t)

# Use capabilities.
allow $1_chkpwd_t self:capability setuid;
r_dir_file($1_chkpwd_t, selinux_config_t)

# for nscd
ifdef(`nscd.te', `', `
dontaudit $1_chkpwd_t var_t:dir search;
')

dontaudit $1_chkpwd_t fs_t:filesystem getattr;
')

', `

define(`chkpwd_domain',`')

')