policy_module(libcgroup, 1.0.0)

########################################
#
# Declarations for the cgrulesengd daemon domain.
#

type cgrulesengd_t;
type cgrulesengd_exec_t;
init_daemon_domain(cgrulesengd_t, cgrulesengd_exec_t)

type cgrulesengd_initrc_exec_t;
init_script_file(cgrulesengd_initrc_exec_t)

type cgrulesengd_var_run_t;
files_pid_file(cgrulesengd_var_run_t)

# REVIEW: a permissive domain is not confined. Denials are audited
# but never enforced, so the allow rules below restrict nothing yet.
# Confirm this is a temporary development setting and drop it once
# the audit log is clean.
permissive cgrulesengd_t;

########################################
#
# Declarations for the cgconfigparser domain.
#

type cgconfigparser_t;
type cgconfigparser_exec_t;
init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)

type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

# REVIEW: permissive here as well. This domain is granted mount and
# directory management access below and none of it is enforced while
# this statement remains.
permissive cgconfigparser_t;

########################################
#
# Local policy for cgrulesengd.
#

# REVIEW: net_admin and sys_ptrace are broad capabilities. Presumably
# they back the netlink socket and the reading of other processes
# state - verify against audit logs and remove whichever is unused.
allow cgrulesengd_t self:capability { net_admin sys_ptrace };
allow cgrulesengd_t self:netlink_socket { bind create read write };
allow cgrulesengd_t self:unix_dgram_socket { connect create write };

# Socket files created in the pid directory get the private
# cgrulesengd_var_run_t label through the type transition.
manage_sock_files_pattern(cgrulesengd_t, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_pid_filetrans(cgrulesengd_t, cgrulesengd_var_run_t, sock_file)

# REVIEW: read access to the state of every domain is wide. Keep it
# only if the daemon really has to inspect all processes.
domain_read_all_domains_state(cgrulesengd_t)

files_read_etc_files(cgrulesengd_t)

kernel_read_system_state(cgrulesengd_t)

logging_send_syslog_msg(cgrulesengd_t)

miscfiles_read_localization(cgrulesengd_t)

optional_policy(`
	fs_write_cgroup_files(cgrulesengd_t)
')

########################################
#
# Local policy for cgconfigparser.
#

# REVIEW: this domain may create directories under mnt and mount on
# them. Check that the mount points are limited to the cgroup
# hierarchy before the domain is made enforcing.
files_mounton_mnt(cgconfigparser_t)
files_manage_mnt_dirs(cgconfigparser_t)
files_read_etc_files(cgconfigparser_t)

# /mnt/cgroups/cpu
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)

optional_policy(`
	fs_manage_cgroup_dirs(cgconfigparser_t)
	fs_rw_cgroup_files(cgconfigparser_t)
	fs_setattr_cgroup_files(cgconfigparser_t)
	fs_mount_cgroup_fs(cgconfigparser_t)
')