/*
 * Test Policy
 */


/* pepl statements */

allow fwrite on ethernet by httpd;

allow fwrite on etc_files  by e of privileged_agent if e is superuser;

allow fwrite on t of tom_bashrc by e of emacs if ((t.permissions == "RW") and (t.owner == e.username));

allow fwrite on dev_null by agent;

allow fwrite on f of file by priv-emacs if f in etc_files;

allow fwrite on r of remotefile by emacs if not r in etc_files;

/* depepl statements */

/* resource type definitions */

type b : Object {
	attribute stuff "stuff";
	key(stuff);
};

type file : Object {
	attribute path "path";
	attribute size "size";
	attribute owner "owner";
	attribute permissions "perm";
	key(path);
};

type remotefile : file {
	attribute path query("path", "158.130.6.65");
	attribute size query("size", "158.130.6.65");
	attribute owner query("owner", "158.130.6.65");
	attribute permissions query("perm", "158.130.6.65");
	key(path);
};

type device : file {
	attribute dev_id "DEVID";
	attribute dev_type "DV_TYPE";
	attribute max_rate "DV_BPS";
	key(dev_id, dev_type);
};


type agent : Object {
	attribute executable "EXEC_PATH";
	attribute username "OWNER";
	attribute files "OPEN_FDS";
	attribute sockets "OPEN_SOCKS";
	key(executable,username);
};

type privileged_agent : agent {
	attribute su-username "SUID";
	key(executable,su-username);
	// inherits rest from agent
};

set etc_files  { fstab, passwd }  intersect  { passwd  };

/* Actual resources */

match emacs agent("emacs","*");

match priv-emacs privileged_agent("emacs","root");

match httpd agent("httpd","www");

match passwd file("/etc/passwd");

match fstab file("/etc/fstab");

match tom_bashrc file("/home/tom/.bashrc");

match ethernet device("eth0","character");

match dev_null device("null","character");

match my_remote_file remotefile("filename");

/*
 * operations that can be performed on resources or 
 *  types of resources in the system
 */

operation fwrite {
	key("fwrite");
	agents(agent);
	subjects(file);
};

predicate superuser (e of agent) = e.username == "root";
