dphysswapfile: add interfaces and sysadm access

v2:

add swapfile file context

policy/modules/roles/sysadm.te

@@ -378,6 +378,10 @@ optional_policy(`
 	dovecot_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	dphysswapfile_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	dpkg_run(sysadm_t, sysadm_r)
 ')

policy/modules/system/fstools.fc

@@ -106,6 +106,8 @@
 /usr/sbin/zstreamdump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+/var/swap			--	gen_context(system_u:object_r:swapfile_t,s0)
+
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
 
 /run/blkid(/.*)?		gen_context(system_u:object_r:fsadm_run_t,s0)

policy/modules/system/fstools.if

@@ -209,3 +209,57 @@ interface(`fstools_getattr_swap_files',`
 
 	allow $1 swapfile_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Ignore access to a swapfile.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fstools_dontaudit_getattr_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	dontaudit $1 swapfile_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Relabel to swapfile.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_relabelto_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	allow $1 swapfile_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Manage swapfile.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_manage_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	allow $1 swapfile_t:file manage_file_perms;
+')