policy_module(dmesg, 1.0)

########################################
#
# Declarations
#

type dmesg_t;
type dmesg_exec_t;
init_system_domain(dmesg_t,dmesg_exec_t)
role system_r types dmesg_t;

########################################
#
# Local policy
#

allow dmesg_t self:capability sys_admin;
dontaudit dmesg_t self:capability sys_tty_config;

allow dmesg_t self:process signal_perms;

kernel_read_kernel_sysctl(dmesg_t)
dev_read_sysfs(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)

term_dontaudit_use_console(dmesg_t)

domain_use_wide_inherit_fd(dmesg_t)

files_read_generic_etc_files_directory(dmesg_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(dmesg_t)

init_use_fd(dmesg_t)
init_use_script_pty(dmesg_t)

libs_use_ld_so(dmesg_t)
libs_use_shared_libs(dmesg_t)

logging_send_syslog_msg(dmesg_t)
logging_write_generic_logs(dmesg_t)

miscfiles_read_localization(dmesg_t)

userdom_use_sysadm_terms(dmesg_t)
userdom_dontaudit_use_unpriv_user_fd(dmesg_t)

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(dmesg_t)
	term_dontaudit_use_generic_pty(dmesg_t)
	files_dontaudit_read_root_file(dmesg_t)
')

optional_policy(`selinux.te',`
	selinux_newrole_sigchld(dmesg_t)
')

optional_policy(`udev.te', `
	udev_read_db(dmesg_t)
')

ifdef(`TODO',`
allow dmesg_t proc_t:dir r_dir_perms;
allow dmesg_t proc_t:lnk_file read;

optional_policy(`rhgb.te', `
allow dmesg_t rhgb_t:process sigchld;
allow dmesg_t rhgb_t:fd use;
allow dmesg_t rhgb_t:fifo_file rw_file_perms;
')

allow dmesg_t autofs_t:dir { search getattr };
') dnl endif TODO