policy_module(lockdev, 1.5.0) ######################################## # # Declarations # attribute_role lockdev_roles; type lockdev_t; type lockdev_exec_t; typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; userdom_user_application_domain(lockdev_t, lockdev_exec_t) role lockdev_roles types lockdev_t; type lockdev_lock_t; typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; files_lock_file(lockdev_lock_t) ubac_constrained(lockdev_lock_t) ######################################## # # Local policy # allow lockdev_t self:capability setgid; manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t) files_lock_filetrans(lockdev_t, lockdev_lock_t, file) files_read_all_locks(lockdev_t) fs_getattr_xattr_fs(lockdev_t) logging_send_syslog_msg(lockdev_t) userdom_use_inherited_user_terminals(lockdev_t)