policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#

attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
role iotop_roles types iotop_t;

# Left commented out on purpose: a permissive domain only logs denials
# and enforces nothing, so it must never ship enabled. Uncomment locally
# while collecting AVCs, then revert.
#permissive iotop_t;

########################################
#
# iotop local policy
#

# iotop reads per-task I/O accounting over the taskstats netlink
# interface, which the kernel gates behind CAP_NET_ADMIN. This is a broad
# capability (it also allows interface/route/firewall changes), so keep
# this domain narrowly confined and do not reuse it for other tools.
allow iotop_t self:capability net_admin;

# Sockets the domain opens on its own behalf.
allow iotop_t self:netlink_socket { create bind setopt getattr read write };
allow iotop_t self:netlink_route_socket { create bind };
# NOTE(review): when the extended_socket_class policy capability is on,
# a NETLINK_GENERIC socket is checked as netlink_generic_socket rather
# than netlink_socket; confirm against audit2allow output on the target
# kernel whether that class needs a rule here too.

# The domain's own datagram socket (create/connect/write). The
# kernel_rw_unix_dgram_sockets() interface below grants read/write on
# sockets labelled kernel_t, not creation of, or connection from, a
# socket owned by this domain - hence the separate self rule.
allow iotop_t self:unix_dgram_socket { create connect write };

# Run the interpreter and helper binaries from bin directories.
corecmd_exec_bin(iotop_t)

# System-wide monitoring needs the scheduling info and /proc state of
# every domain. This is read-only but broad (process metadata of all
# confined domains), which is acceptable for an admin-run monitor; do not
# widen it to write access.
domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)

# Read-only configuration, locale data and kernel state.
files_read_etc_files(iotop_t)
kernel_read_system_state(iotop_t)
kernel_rw_unix_dgram_sockets(iotop_t)
miscfiles_read_localization(iotop_t)

# Interactive terminal output for the invoking user.
userdom_use_user_terminals(iotop_t)