policy_module(cups_xpra, 2.0)

require {
	type user_tmp_t;
	type init_var_run_t;
	type passwd_file_t;
	type print_spool_t;
	type udev_var_run_t;
	class capability dac_override;
	class dir { search open read };
	class sock_file { write };

	type xserver_exec_t;
}

type cups_xpra_t;
type cups_xpra_exec_t;

cups_backend(cups_xpra_t, cups_xpra_exec_t)

libs_domtrans_ldconfig(cups_xpra_t)
corecmd_exec_bin(cups_xpra_t)
corecmd_exec_shell(cups_xpra_t)

unconfined_stream_connect(cups_xpra_t)
logging_send_syslog_msg(cups_xpra_t)

auth_read_passwd(cups_xpra_t)
dev_read_sysfs(cups_xpra_t)
kernel_read_system_state(cups_xpra_t)


allow cups_xpra_t print_spool_t:dir { search open read };
allow cups_xpra_t user_tmp_t:dir { search getattr };

allow cups_xpra_t self:capability dac_override;

fs_rw_anon_inodefs_files(cups_xpra_t)
fs_search_auto_mountpoints(cups_xpra_t)

allow cups_xpra_t init_var_run_t:dir search;
dontaudit cups_xpra_t udev_var_run_t:dir search;

allow cups_xpra_t user_tmp_t:sock_file write;

#to generate the default xpra config object,
#we may need to getattr the Xorg binary:
allow cups_xpra_t xserver_exec_t:file getattr;