Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/lockdev.if

62 lines
1.2 KiB
Text

## <summary>Library for locking devices.</summary>
#######################################
## <summary>
## Create, read, write, and delete
## lockdev lock files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lockdev_manage_files',`
gen_require(`
type lockdev_lock_t;
')
files_search_var_lib($1)
manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
')
########################################
## <summary>
## Role access for lockdev.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
#
interface(`lockdev_role',`
gen_require(`
attribute_role lockdev_roles;
type lockdev_t, lockdev_exec_t;
')
########################################
#
# Declarations
#
roleattribute $1 lockdev_roles;
########################################
#
# Policy
#
domtrans_pattern($2, lockdev_exec_t, lockdev_t)
allow $2 lockdev_t:process { ptrace signal_perms };
ps_process_pattern($2, lockdev_t)
allow lockdev_t $2:process signull;
')