#DESC dmesg - control kernel ring buffer
# Author:  Dan Walsh dwalsh@redhat.com
# X-Debian-Packages: util-linux

# Rules for the dmesg_t domain.
# dmesg_exec_t is the type of the dmesg executable.
# while sysadm_t has the sys_admin capability there is no point in using
# dmesg_t when run from sysadm_t, so we use nosysadm.
daemon_base_domain(dmesg, , `nosysadm')

# Rules used for dmesg
allow dmesg_t self:capability sys_admin;
allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
allow dmesg_t admin_tty_type:chr_file { getattr read write };
allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
allow dmesg_t var_log_t:file { getattr write };

# for when /usr is not mounted
dontaudit dmesg_t file_t:dir search;