## <summary>Policy for udev.</summary>

########################################
## <summary>
##	Execute udev in the udev domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`udev_domtrans',`
	gen_require(`
		type udev_t, udev_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	domain_auto_trans($1, udev_exec_t, udev_t)

	allow $1 udev_t:fd use;
	allow udev_t $1:fd use;
	allow udev_t $1:fifo_file rw_file_perms;
	allow udev_t $1:process sigchld;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	to a udev unix datagram socket.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`udev_donaudit_rw_unix_dgram_socket',`
	gen_require(`
		type udev_t;
		class unix_dgram_socket { read write };
	')

	dontaudit $1 udev_t:unix_dgram_socket { read write };
')

########################################
## <summary>
##	Allow process to read list of devices.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`udev_read_db',`
	gen_require(`
		type udev_tdb_t;
		class file r_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 udev_tdb_t:file r_file_perms;
')

########################################
## <summary>
##	Allow process to modify list of devices.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`udev_rw_db',`
	gen_require(`
		type udev_tdb_t;
		class file rw_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 udev_tdb_t:file rw_file_perms;
')