## Control group rules engine daemon.
##
##	cgrulesengd is a daemon that distributes processes
##	to control groups. When any process changes its
##	effective UID or GID, cgrulesengd inspects the list of
##	rules loaded from the cgrules.conf file and moves the
##	process to the appropriate control group.
##
##	The list of rules is read during daemon startup and
##	is cached in the daemon's memory. The daemon reloads the
##	list of rules when it receives the SIGUSR2 signal.
##

########################################
## Read and write cgrulesengd sock file in /var/run.
##
## Domain allowed access.
#
interface(`libcgroup_cgrulesengd_rw_pid_sock_file',`
	gen_require(`
		type cgrulesengd_var_run_t;
	')

	rw_sock_files_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
	files_search_pids($1)
')

########################################
## Unix stream socket connect to cgrulesengd.
##
## Domain allowed access.
#
interface(`libcgroup_cgrulesengd_stream_connect',`
	gen_require(`
		type cgrulesengd_t;
	')

	allow $1 cgrulesengd_t:unix_stream_socket connectto;
')