## <summary>device locking policy for lockdev</summary>

########################################
## <summary>
##	Role access for lockdev
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`lockdev_role',`
	gen_require(`
		type lockdev_t, lockdev_exec_t;
		type lockdev_lock_t;
	')

	role $1 types lockdev_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, lockdev_exec_t, lockdev_t)
	allow lockdev_t $2:process signull;

	# allow ps to show lockdev
	ps_process_pattern($2, lockdev_t)
	allow $2 lockdev_t:process signal;
')