policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#
attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

role iotop_roles types iotop_t;

#permissive iotop_t;

########################################
#
# iotop local policy
#

allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
allow iotop_t self:netlink_socket create_socket_perms;
allow iotop_t self:unix_dgram_socket create_socket_perms;

kernel_read_system_state(iotop_t)
dev_read_urand(iotop_t)
domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)

auth_read_passwd(iotop_t)
corecmd_exec_bin(iotop_t)
miscfiles_read_localization(iotop_t)
userdom_use_user_terminals(iotop_t)

optional_policy(`
    sssd_read_public_files(iotop_t)
')