policy_module(lockdev, 1.4.1)

########################################
#
# Declarations
#

attribute_role lockdev_roles;

type lockdev_t;
type lockdev_exec_t;
typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
userdom_user_application_domain(lockdev_t, lockdev_exec_t)
role lockdev_roles types lockdev_t;

type lockdev_lock_t;
typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
files_lock_file(lockdev_lock_t)
ubac_constrained(lockdev_lock_t)

########################################
#
# Local policy
#

allow lockdev_t self:capability setgid;

manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)
files_lock_filetrans(lockdev_t, lockdev_lock_t, file)

files_read_all_locks(lockdev_t)

fs_getattr_xattr_fs(lockdev_t)

logging_send_syslog_msg(lockdev_t)

userdom_use_inherited_user_terminals(lockdev_t)