## <summary>System shutdown command.</summary>

########################################
## <summary>
##	Role access for shutdown.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <param name="user_exec_domain">
##	<summary>
##	User exec domain for execute and transition access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
#
# Adds the role (argument 4) to the shutdown_roles attribute, then grants one
# domain the transition into shutdown_t, ptrace plus signal_perms over
# shutdown_t processes, and whatever ps_process_pattern provides (defined
# elsewhere, presumably process listing access). The domain is the user exec
# domain (argument 3) when the shutdown_allow_user_exec_domains tunable is
# enabled, otherwise the user domain (argument 2).
#
# NOTE(review): ptrace over shutdown_t lets the selected user domain trace
# processes running in shutdown_t, which is far broader than signalling them.
# Confirm it is required in addition to signal_perms for every role that
# calls this template.
#
template(`shutdown_role',`
	gen_require(`
		attribute_role shutdown_roles;
		type shutdown_t;
	')

	# Role membership is unconditional, only the domain rules depend on the tunable.
	roleattribute $4 shutdown_roles;

	# First branch applies when the tunable is on, second branch when it is off.
	tunable_policy(`shutdown_allow_user_exec_domains',`
		shutdown_domtrans($3)

		allow $3 shutdown_t:process { ptrace signal_perms };
		ps_process_pattern($3, shutdown_t)
	',`
		shutdown_domtrans($2)

		allow $2 shutdown_t:process { ptrace signal_perms };
		ps_process_pattern($2, shutdown_t)
	')

	# Applied only when the systemd policy module is present.
	optional_policy(`
		systemd_user_app_status($1, shutdown_t)
	')
')

########################################
## <summary>
##	Execute a domain transition to run shutdown.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# Grants the caller search access through corecmd_search_bin and a transition
# from the caller domain into shutdown_t when it executes a shutdown_exec_t
# file. No role is associated here, see shutdown_run for that.
#
interface(`shutdown_domtrans',`
	gen_require(`
		type shutdown_t, shutdown_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
')

########################################
## <summary>
##	Execute shutdown in the shutdown
##	domain, and allow the specified role
##	the shutdown domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
# Combines shutdown_domtrans for the domain (argument 1) with membership of
# the role (argument 2) in the shutdown_roles attribute.
#
interface(`shutdown_run',`
	gen_require(`
		attribute_role shutdown_roles;
	')

	shutdown_domtrans($1)
	roleattribute $2 shutdown_roles;
')

########################################
## <summary>
##	Send generic signals to shutdown.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): the rule below has shutdown_t as its source and the caller
# domain as its target, so what it grants is shutdown_t sending the generic
# signal permission to the caller. The summary above, and the argument order
# used by shutdown_sigchld in this file, describe the opposite direction.
# Either the summary or the rule is wrong. Check the callers of this
# interface before relying on it, because a caller expecting to signal
# shutdown gets no such access here and instead exposes itself to signals
# from shutdown_t.
#
interface(`shutdown_signal',`
	gen_require(`
		type shutdown_t;
	')

	allow shutdown_t $1:process signal;
')

########################################
## <summary>
##	Send SIGCHLD signals to shutdown.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The caller domain is the source and shutdown_t the target, matching the
# summary.
#
interface(`shutdown_sigchld',`
	gen_require(`
		type shutdown_t;
	')

	allow $1 shutdown_t:process sigchld;
')

########################################
## <summary>
##	Get attributes of shutdown executable files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Grants getattr_file_perms on shutdown_exec_t files only, with no read or
# execute access, plus search access through corecmd_search_bin.
#
interface(`shutdown_getattr_exec_files',`
	gen_require(`
		type shutdown_exec_t;
	')

	corecmd_search_bin($1)
	allow $1 shutdown_exec_t:file getattr_file_perms;
')