##
## Policy for network configuration: ifconfig and dhcp client.
##
# Each interface below is an m4 macro paired with a NAME_depend macro.
# The interface body names its own _depend macro through
# requires_block_template; that helper is defined elsewhere, presumably
# turning the listed types and class permissions into a require block
# (confirm against its definition).

#######################################
##
## Execute dhcp client in dhcpc domain.
##
## $1: The type of the process performing this action.
##
# Rules granted in addition to the transition:
#   - $1 and dhcpc_t may each use file descriptors owned by the other.
#   - dhcpc_t may read and write fifo_file objects (pipes) labelled
#     with the caller type $1.
#   - dhcpc_t may send sigchld to $1.
# NOTE(review): domain_auto_trans is defined elsewhere; presumably it
# makes $1 enter dhcpc_t when it executes a dhcpc_exec_t file. Confirm.
#
define(`sysnet_domtrans_dhcpc',`
	requires_block_template(`$0'_depend)

	domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)

	allow $1 dhcpc_t:fd use;
	allow dhcpc_t $1:fd use;
	allow dhcpc_t $1:fifo_file rw_file_perms;
	allow dhcpc_t $1:process sigchld;
')

# Types and class permissions required by sysnet_domtrans_dhcpc.
# NOTE(review): noatsecure, siginh and rlimitinh are listed here but no
# rule visible in this file uses them; presumably domain_auto_trans
# does. Confirm that it only dontaudits them: an allow of noatsecure
# would let the caller environment pass unsanitised into dhcpc_t.
define(`sysnet_domtrans_dhcpc_depend',`
	type dhcpc_t, dhcpc_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

#######################################
##
## Execute ifconfig in the ifconfig domain.
##
## $1: The type of the process performing this action.
##
# Same rule set as sysnet_domtrans_dhcpc, with ifconfig_exec_t as the
# entry type and ifconfig_t as the target domain: fd use in both
# directions, ifconfig_t read/write on fifo_file objects labelled $1,
# and ifconfig_t sending sigchld to $1.
#
define(`sysnet_domtrans_ifconfig',`
	requires_block_template(`$0'_depend)

	domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)

	allow $1 ifconfig_t:fd use;
	allow ifconfig_t $1:fd use;
	allow ifconfig_t $1:fifo_file rw_file_perms;
	allow ifconfig_t $1:process sigchld;
')

# Types and class permissions required by sysnet_domtrans_ifconfig.
# NOTE(review): as with the dhcpc variant, noatsecure, siginh and
# rlimitinh are not used by any rule visible here; confirm how
# domain_auto_trans treats them.
define(`sysnet_domtrans_ifconfig_depend',`
	type ifconfig_t, ifconfig_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
##
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
##
## $1: The type of the process performing this action.
##
## $2: The role to be allowed the ifconfig domain.
##
## $3: The type of the terminal to allow the ifconfig domain to use.
##
# Builds on sysnet_domtrans_ifconfig($1), then authorises role $2 for
# ifconfig_t and gives ifconfig_t getattr, read, write and ioctl on
# chr_file objects labelled $3.
# NOTE(review): the chr_file rule applies to every character device
# carrying type $3, not to one terminal instance. Callers should pass
# the narrowest terminal type available rather than a broad device type.
#
define(`sysnet_run_ifconfig',`
	requires_block_template(`$0'_depend)

	sysnet_domtrans_ifconfig($1)

	role $2 types ifconfig_t;
	allow ifconfig_t $3:chr_file { getattr read write ioctl };
')

# Types and class permissions required by sysnet_run_ifconfig itself;
# the transition requirements come from sysnet_domtrans_ifconfig.
define(`sysnet_run_ifconfig_depend',`
	type ifconfig_t;

	class chr_file { getattr read write ioctl };
')

#######################################
##
## Allow network init to read network config files.
##
## $1: The type of the process performing this action.
##
# The rule is not specific to network init: whichever domain is passed
# as $1 receives r_file_perms on files labelled net_conf_t.
# NOTE(review): files_search_etc and r_file_perms are defined
# elsewhere; presumably search access to the etc directories and a
# read-only file permission set. Confirm that r_file_perms carries no
# write or append permission before relying on this as read-only.
#
define(`sysnet_read_config',`
	requires_block_template(`$0'_depend)

	files_search_etc($1)
	allow $1 net_conf_t:file r_file_perms;
')

# Types and class permissions required by sysnet_read_config.
define(`sysnet_read_config_depend',`
	type net_conf_t;

	class file r_file_perms;
')

##