#DESC yppassdd - NIS password update daemon
#
# Authors:  Dan Walsh <dwalsh@redhat.com>
# Depends: portmap.te
#

#################################
#
# Rules for the yppasswdd_t domain.
#
daemon_domain(yppasswdd, `, auth_write, privowner')

# Use capabilities.
allow yppasswdd_t self:capability { net_bind_service };

# Use the network.
can_network_server(yppasswdd_t)

read_sysctl(yppasswdd_t)

# Send to portmap and initrc.
can_udp_send(yppasswdd_t, portmap_t)
can_udp_send(yppasswdd_t, initrc_t)

allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;

allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
can_setfscreate(yppasswdd_t)
allow yppasswdd_t proc_t:file getattr;
allow yppasswdd_t { bin_t sbin_t }:dir search;
allow yppasswdd_t bin_t:lnk_file read;
can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
allow yppasswdd_t self:fifo_file rw_file_perms;
rw_dir_create_file(yppasswdd_t, var_yp_t)