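## <summary>policy for journalctl</summary>

########################################
## <summary>
##	Execute journalctl in the journalctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`journalctl_domtrans',`
	gen_require(`
		type journalctl_t, journalctl_exec_t;
	')

	# NOTE(review): corecmd_search_bin is defined elsewhere; presumably it
	# lets the caller search the directories that hold the binary - confirm.
	corecmd_search_bin($1)
	# Executing a journalctl_exec_t file from $1 moves the process into
	# journalctl_t, so the program runs confined rather than with the
	# permissions of $1.
	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
')

######################################
## <summary>
##	Execute journalctl in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`journalctl_exec',`
	gen_require(`
		type journalctl_exec_t;
	')

	corecmd_search_bin($1)
	# No transition to journalctl_t happens here: journalctl runs in the
	# domain of $1 and is limited only by the rules of that domain.
	# Prefer journalctl_domtrans when the confined domain is wanted.
	can_exec($1, journalctl_exec_t)
	# map on the executable file is granted explicitly.
	allow $1 journalctl_exec_t:file map;
')

########################################
## <summary>
##	Execute journalctl in the journalctl domain, and
##	allow the specified role the journalctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the journalctl domain.
##	</summary>
## </param>
#
interface(`journalctl_run',`
	gen_require(`
		type journalctl_t;
		attribute_role journalctl_roles;
	')

	# Argument order is domain first, role second. journalctl_role takes
	# them the other way round.
	journalctl_domtrans($1)
	# Adding the role to journalctl_roles is the statement that allows
	# the role to be used with the journalctl domain.
	roleattribute $2 journalctl_roles;
')

########################################
## <summary>
##	Role access for journalctl
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`journalctl_role',`
	gen_require(`
		type journalctl_t;
		attribute_role journalctl_roles;
	')

	# Argument order is role first, user domain second. journalctl_run
	# takes them the other way round.
	roleattribute $1 journalctl_roles;

	journalctl_domtrans($2)

	# NOTE(review): ps_process_pattern is defined elsewhere; presumably it
	# lets the user domain see journalctl_t processes in ps - confirm.
	ps_process_pattern($2, journalctl_t)
	# Signal access from the user domain to journalctl_t is limited to
	# these three permissions. sigkill is included, so any user domain
	# passed here can kill journalctl_t processes.
	allow $2 journalctl_t:process { signull signal sigkill };
')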