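policy_module(ical,1.0.0)

########################################
#
# Declarations
#

# Domain for the ical program and the type of its entrypoint executable.
type ical_t;
type ical_exec_t;
application_domain(ical_t, ical_exec_t)
role system_r types ical_t;

# Temporary files and directories ical creates under /tmp.
type ical_tmp_t;
files_tmp_file(ical_tmp_t)

# Type for the ical configuration file, labelled as a config file.
# Declared here with the other types instead of at the end of the module.
type ical_file_t;
files_config_file(ical_file_t)

########################################
#
# ical local policy
#

# Internal communication is often done using fifo and unix sockets.
allow ical_t self:fifo_file rw_file_perms;
allow ical_t self:unix_stream_socket create_stream_socket_perms;

# Configuration file access: only read/write/getattr, deliberately narrower
# than rw_file_perms.
allow ical_t ical_file_t:file { read write getattr };

# Temporary file handling; the filetrans makes new /tmp entries created by
# ical_t get the ical_tmp_t label rather than the generic tmp label.
allow ical_t ical_tmp_t:file manage_file_perms;
allow ical_t ical_tmp_t:dir create_dir_perms;
files_tmp_filetrans(ical_t,ical_tmp_t, { file dir })

files_read_etc_files(ical_t)
files_read_usr_files(ical_t)
kernel_read_system_state(ical_t)
libs_use_ld_so(ical_t)
libs_use_shared_libs(ical_t)
logging_send_audit_msgs(ical_t)
miscfiles_read_fonts(ical_t)
miscfiles_read_localization(ical_t)
xserver_read_xdm_pid(ical_t)
xserver_stream_connect_xdm_xserver(ical_t)

# Symbols used by the direct rules below that this module does not declare.
# ical_t and ical_file_t are declared above, so they are not required here.
gen_require(`
	type net_conf_t;
	type user_home_t;
	class file { read write getattr };
')

### we don't want this access, instead use dontaudit
#sysnet_read_config(ical_t)
#userdom_read_generic_user_home_content_files(ical_t)

### dontaudit
# Silence denials for network config reads instead of granting the access.
dontaudit ical_t net_conf_t:file { read getattr };

# NOTE(review): this is an allow, not a dontaudit, so it grants ical_t read on
# user_home_t files even though the comment above says that access is unwanted.
# Kept exactly as in the original; confirm whether it should be a dontaudit
# like the net_conf_t rule, or be replaced by the userdom interface above.
allow ical_t user_home_t:file read;

# Let unconfined users transition into ical_t when running the program.
# Wrapped in optional_policy so the module still loads when the unconfined
# module is not present; the gen_require lists only the symbols this block needs.
optional_policy(`
	gen_require(`
		type unconfined_t;
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
		role unconfined_r;
	')

	ical_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')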