## <summary>Policy for UML</summary>

########################################
## <summary>
##	Role access for uml
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`uml_role',`
	gen_require(`
		type uml_t, uml_exec_t;
		type uml_ro_t, uml_rw_t, uml_tmp_t;
		type uml_devpts_t, uml_tmpfs_t;
	')

	role $1 types uml_t;

	# Transition from the user domain to this domain.
	domtrans_pattern($2, uml_exec_t, uml_t)

	# for mconsole
	allow $2 uml_t:unix_dgram_socket sendto;
	allow uml_t $2:unix_dgram_socket sendto;

	# allow ps, signal
	ps_process_pattern($2, uml_t)
	allow $2 uml_t:process signal_perms;

	allow $2 uml_ro_t:dir list_dir_perms;
	read_files_pattern($2, uml_ro_t, uml_ro_t)
	read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)

	manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
	relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })

	manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
	manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
	relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
	relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })

	manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
	manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
	manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
	manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
')

########################################
## <summary>
##	Set attributes on uml utility socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`uml_setattr_util_sockets',`
	gen_require(`
		type uml_switch_var_run_t;
	')

	allow $1 uml_switch_var_run_t:sock_file setattr;
')

########################################
## <summary>
##	Manage uml utility files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`uml_manage_util_files',`
	gen_require(`
		type uml_switch_var_run_t;
	')

	manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
	manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
')