## <summary>device locking policy for lockdev</summary>
#######################################
## <summary>
## The per role template for the lockdev module.
## </summary>
## <desc>
## <p>
## This template creates derived domains which are used
## for lockdev. A derived type is also created to protect
## the user's device locks.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`lockdev_per_role_template',`
gen_require(`
type lockdev_exec_t;
')
########################################
#
# Declarations
#
type $1_lockdev_t;
application_domain($1_lockdev_t, lockdev_exec_t)
role $3 types $1_lockdev_t;
type $1_lockdev_lock_t;
files_lock_file($1_lockdev_lock_t)
########################################
#
# Local policy
#
# Use capabilities.
allow $1_lockdev_t self:capability setgid;
allow $1_lockdev_t $2:process signull;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
files_lock_filetrans($1_lockdev_t, $1_lockdev_lock_t, file)
files_read_all_locks($1_lockdev_t)
fs_getattr_xattr_fs($1_lockdev_t)
logging_send_syslog_msg($1_lockdev_t)
userdom_use_user_terminals($1, $1_lockdev_t)
optional_policy(`
logging_send_syslog_msg($1_t)
')
')