## <module name="hotplug" layer="system">
## <summary>
##	Policy for hotplug system, for supporting the
##	connection and disconnection of devices at runtime.
## </summary>

#######################################
#
# hotplug_domtrans(domain)
#
define(`hotplug_domtrans',`
	requires_block_template(`$0'_depend)

	allow $1 hotplug_exec_t:file rx_file_perms;
	allow $1 hotplug_t:process transition;
	type_transition $1 hotplug_exec_t:process hotplug_t;
	dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };

	allow $1 hotplug_t:fd use;
	allow hotplug_t $1:fd use;
	allow hotplug_t $1:fifo_file rw_file_perms;
	allow hotplug_t $1:process sigchld;
')

define(`hotplug_domtrans_depend',`
	type hotplug_t, hotplug_exec_t;

	class file rx_file_perms;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

#######################################
#
# hotplug_exec(domain)
#
define(`hotplug_exec',`
	requires_block_template(`$0'_depend)

	can_exec($1,hotplug_exec_t)

')

define(`hotplug_exec_depend',`
	type hotplug_t;

	class file { getattr read execute execute_no_trans };
')

#######################################
#
# hotplug_use_fd(domain)
#
define(`hotplug_use_fd',`
	requires_block_template(`$0'_depend)

	allow $1 hotplug_t:fd use;
')

define(`hotplug_use_fd_depend',`
	type hotplug_t;

	class fd use;
')

#######################################
#
# hotplug_dontaudit_use_fd(domain)
#
define(`hotplug_dontaudit_use_fd',`
	requires_block_template(`$0'_depend)

	dontaudit $1 hotplug_t:fd use;
')

define(`hotplug_dontaudit_use_fd_depend',`
	type hotplug_t;

	class fd use;
')

########################################
#
# hotplug_dontaudit_search_config(domain)
#
define(`hotplug_dontaudit_search_config',`
	requires_block_template(`$0'_depend)

	dontaudit $1 hotplug_etc_t:dir search;
')

define(`hotplug_dontaudit_search_config_depend',`
	type hotplug_etc_t;

	class dir search;
')

########################################
## <interface name="hotplug_read_config">
##	<description>
##		Read the configuration files for hotplug.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`hotplug_read_config',`
	requires_block_template(`$0'_depend)

	files_search_etc($1)
	allow $1 hotplug_etc_t:file r_file_perms;
	allow $1 hotplug_etc_t:dir r_dir_perms;
	allow $1 hotplug_etc_t:lnk_file r_file_perms;
')

define(`hotplug_read_config_depend',`
	type hotplug_etc_t;

	class file r_file_perms;
	class dir r_dir_perms;
	class lnk_file r_file_perms;
')

## </module>