policy_module(vlock, 1.2.0) ######################################## # # Declarations # attribute_role vlock_roles; type vlock_t; type vlock_exec_t; application_domain(vlock_t, vlock_exec_t) role vlock_roles types vlock_t; ######################################## # # Local policy # dontaudit vlock_t self:capability { setuid setgid }; allow vlock_t self:fd use; allow vlock_t self:fifo_file rw_fifo_file_perms; kernel_read_system_state(vlock_t) corecmd_list_bin(vlock_t) corecmd_read_bin_symlinks(vlock_t) domain_use_interactive_fds(vlock_t) files_dontaudit_search_home(vlock_t) mls_file_write_all_levels(vlock_t) selinux_dontaudit_getattr_fs(vlock_t) auth_use_pam(vlock_t) init_dontaudit_rw_utmp(vlock_t) logging_send_syslog_msg(vlock_t) term_search_ptys(vlock_t) userdom_dontaudit_search_user_home_dirs(vlock_t) userdom_use_inherited_user_terminals(vlock_t)