From 3accc67db559b6a64c74f01c31dd85f565273146 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 10 2012 13:52:27 +0000 Subject: Changes to the lockdev policy module Ported from Fedora with changes Signed-off-by: Dominick Grift --- diff --git a/lockdev.fc b/lockdev.fc index 9ba89b5..4fd0fda 100644 --- a/lockdev.fc +++ b/lockdev.fc @@ -1 +1,3 @@ /usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0) + +/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0) diff --git a/lockdev.if b/lockdev.if index 8e7d279..4313b8b 100644 --- a/lockdev.if +++ b/lockdev.if @@ -1,33 +1,42 @@ -## device locking policy for lockdev +## Library for locking devices. ######################################## ## -## Role access for lockdev +## Role access for lockdev. ## ## ## -## Role allowed access +## Role allowed access. ## ## ## ## -## User domain for the role +## User domain for the role. ## ## # interface(`lockdev_role',` gen_require(` + attribute_role lockdev_roles; type lockdev_t, lockdev_exec_t; - type lockdev_lock_t; ') - role $1 types lockdev_t; + ######################################## + # + # Declarations + # + + roleattribute $1 lockdev_roles; + + ######################################## + # + # Policy + # - # Transition from the user domain to the derived domain. domtrans_pattern($2, lockdev_exec_t, lockdev_t) - allow lockdev_t $2:process signull; - # allow ps to show lockdev + allow $2 lockdev_t:process { ptrace signal_perms }; ps_process_pattern($2, lockdev_t) - allow $2 lockdev_t:process signal; + + allow lockdev_t $2:process signull; ') diff --git a/lockdev.te b/lockdev.te index 572b5db..db87831 100644 --- a/lockdev.te +++ b/lockdev.te 
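Review bot: The new `allow $2 lockdev_t:process { ptrace signal_perms };` in `lockdev_role` (lockdev.if) widens the caller's control over lockdev_t from the single `signal` permission to ptrace plus every signal permission, and nothing in the hunk says why a user domain needs to trace this helper. lockdev_t holds `self:capability setgid` and manages the lock files (both visible in lockdev.te in this commit), so as far as SELinux is concerned ptrace lets the calling domain act with those permissions from inside the process; any remaining barrier is DAC only. `ps_process_pattern($2, lockdev_t)` on the following line presumably already covers process listing, which was the only stated purpose in the removed comment. I would reduce the rule to `allow $2 lockdev_t:process signal_perms;`, or narrower if only `signal` is needed, and add ptrace back only behind a documented debugging use case.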
@@ -1,15 +1,18 @@ -policy_module(lockdev, 1.4.0) +policy_module(lockdev, 1.4.1) ######################################## # # Declarations # +attribute_role lockdev_roles; + type lockdev_t; type lockdev_exec_t; typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; userdom_user_application_domain(lockdev_t, lockdev_exec_t) +role lockdev_roles types lockdev_t; type lockdev_lock_t; typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; @@ -22,10 +25,9 @@ ubac_constrained(lockdev_lock_t) # Local policy # -# Use capabilities. allow lockdev_t self:capability setgid; -allow lockdev_t lockdev_lock_t:file manage_file_perms; +manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t) files_lock_filetrans(lockdev_t, lockdev_lock_t, file) files_read_all_locks(lockdev_t)
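Review bot: With `manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)` and `files_lock_filetrans(lockdev_t, lockdev_lock_t, file)` in the second lockdev.te hunk, lockdev_t can work inside a lockdev_lock_t directory but, as far as I can tell from these two macros, cannot create one, and the type transition covers only the `file` class. The policy therefore relies on /var/lock/lockdev, labelled by the new lockdev.fc entry, already existing with the correct label; if the lock directory sits on a filesystem that is recreated at boot, that depends on whatever recreates it. The least-privilege option is to keep the rules as they are and add a comment such as `# /var/lock/lockdev is created and labelled outside this domain` naming the creator. Only if lockdev itself is expected to create the directory would `manage_dirs_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)` and `files_lock_filetrans(lockdev_t, lockdev_lock_t, { dir file })` be needed.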