policy_module(lockdev, 1.7.0)

########################################
#
# Declarations
#

attribute_role lockdev_roles;

type lockdev_t;
type lockdev_exec_t;
userdom_user_application_domain(lockdev_t, lockdev_exec_t)
role lockdev_roles types lockdev_t;

type lockdev_lock_t;
files_lock_file(lockdev_lock_t)
ubac_constrained(lockdev_lock_t)

########################################
#
# Local policy
#

allow lockdev_t self:capability setgid;

manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)
files_lock_filetrans(lockdev_t, lockdev_lock_t, file)

files_read_all_locks(lockdev_t)

fs_getattr_xattr_fs(lockdev_t)

logging_send_syslog_msg(lockdev_t)

userdom_use_user_terminals(lockdev_t)