selinux-policy/policy/modules/apps/lockdev.if

## <summary>device locking policy for lockdev</summary>

#######################################
## <summary>
##	The per role template for the lockdev module.
## </summary>
## <desc>
##	<p>
##	This template creates derived domains which are used
##	for lockdev. A derived type is also created to protect
##	the user's device locks.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`lockdev_per_role_template',`
	gen_require(`
		type lockdev_exec_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_lockdev_t;
	application_domain($1_lockdev_t, lockdev_exec_t)
	role $3 types $1_lockdev_t;

	type $1_lockdev_lock_t;
	files_lock_file($1_lockdev_lock_t)

	########################################
	#
	# Local policy
	#

	# Use capabilities.
	allow $1_lockdev_t self:capability setgid;
	allow $1_lockdev_t $2:process signull;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)

	allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
	files_lock_filetrans($1_lockdev_t, $1_lockdev_lock_t, file)

	files_read_all_locks($1_lockdev_t)

	fs_getattr_xattr_fs($1_lockdev_t)

	logging_send_syslog_msg($1_lockdev_t)

	userdom_use_user_terminals($1, $1_lockdev_t)

	optional_policy(`
		logging_send_syslog_msg($1_t)
	')
')