init_ranged_daemon_domain() was not working for me, im sure i have done something wrong, but i have no idea what or where that is, right now with the policy as it is, its running in system_u:object_r:unlabeled_t:s0 meaning iv borked things big time.
here is the policy:
policy_module(myapp, 1.0.0)
########################################
#
# Declarations
#
require {
# type init_t;
type initrc_t;
type systemd_unit_file_t ;
type urandom_device_t ;
type etc_runtime_t ;
type proc_t;
type bin_t;
type tmp_t;
type user_home_dir_t;
type user_home_t;
type net_conf_t;
type ldconfig_exec_t;
type mongod_port_t;
type unreserved_port_t;
type http_cache_port_t;
type http_port_t;
type sandbox_file_t;
type node_t ;
type shell_exec_t ;
type bin_t ;
type security_t ;
type setroubleshootd_t ;
type unconfined_t ;
type default_t ;
}
init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
type myapp_t;
domain_type(myapp_t);
type myapp_exec_t;
type myapp_unit_file_t;
systemd_unit_file(systemd_unit_file_t)
mcs_process_set_categories(myapp_t);
########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir write;
allow myapp_t bin_t:file { execute execute_no_trans };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
allow myapp_t user_home_t:file { read open getattr ioctl create};
allow myapp_t user_home_t:dir { read open search getattr };
allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
allow myapp_t net_conf_t:file { read open getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };
allow myapp_t security_t:file write;
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
domain_use_interactive_fds(myapp_t)
allow myapp_t urandom_device_t:chr_file {read open};
allow myapp_t default_t:file { read getattr execute open execute_no_trans};
allow setroubleshootd_t myapp_exec_t:file getattr;
allow init_t myapp_exec_t:file execute;
allow init_t myapp_exec_t:file { read open execute getattr entrypoint };