selinux-refpolicy/policy/modules/services/plymouthd.if

## <summary>Plymouth graphical boot.</summary>

########################################
## <summary>
##	Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`plymouthd_domtrans',`
	gen_require(`
		type plymouthd_t, plymouthd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')

########################################
## <summary>
##	Execute plymouthd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_exec',`
	gen_require(`
		type plymouthd_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, plymouthd_exec_t)
')

########################################
## <summary>
##	Connect to plymouthd using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_stream_connect',`
	gen_require(`
		type plymouthd_t, plymouthd_spool_t;
	')

	files_search_spool($1)
	stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
')

########################################
## <summary>
##	Execute plymouth in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_exec_plymouth',`
	gen_require(`
		type plymouth_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, plymouth_exec_t)
')

########################################
## <summary>
##	Execute a domain transition to run plymouth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`plymouthd_domtrans_plymouth',`
	gen_require(`
		type plymouth_t, plymouth_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')

########################################
## <summary>
##	Search plymouthd spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_search_spool',`
	gen_require(`
		type plymouthd_spool_t;
	')

	files_search_spool($1)
	allow $1 plymouthd_spool_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read plymouthd spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_read_spool_files',`
	gen_require(`
		type plymouthd_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	plymouthd spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_manage_spool_files',`
	gen_require(`
		type plymouthd_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')

########################################
## <summary>
##	Search plymouthd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_search_lib',`
	gen_require(`
		type plymouthd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 plymouthd_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read plymouthd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_read_lib_files',`
	gen_require(`
		type plymouthd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')

########################################
## <summary>
##	Read and write plymouthd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_rw_lib_files',`
	gen_require(`
		type plymouthd_var_lib_t;
	')

	files_search_var_lib($1)
	rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	plymouthd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_manage_lib_files',`
	gen_require(`
		type plymouthd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')

########################################
## <summary>
##	Read plymouthd pid files.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_read_pid_files',`
	refpolicywarn(`$0($*) has been deprecated, please use plymouthd_read_runtime_files() instead.')
	plymouthd_read_runtime_files($1)
')

########################################
## <summary>
##	Delete the plymouthd pid files.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_delete_pid_files',`
	refpolicywarn(`$0($*) has been deprecated, please use plymouthd_delete_runtime_files() instead.')
	plymouthd_delete_runtime_files($1)
')

########################################
## <summary>
##	Read plymouthd runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_read_runtime_files',`
	gen_require(`
		type plymouthd_runtime_t;
	')

	files_search_runtime($1)
	read_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
')

########################################
## <summary>
##	Delete the plymouthd runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`plymouthd_delete_runtime_files',`
	gen_require(`
		type plymouthd_runtime_t;
	')

	files_search_runtime($1)
	delete_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
')

########################################
## <summary>
##	All of the rules required to
##	administrate an plymouthd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role" unused="true">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin',`
	gen_require(`
		type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
		type plymouthd_runtime_t;
	')

	allow $1 plymouthd_t:process { ptrace signal_perms };
	read_files_pattern($1, plymouthd_t, plymouthd_t)

	files_search_spool($1)
	admin_pattern($1, plymouthd_spool_t)

	files_search_var_lib($1)
	admin_pattern($1, plymouthd_var_lib_t)

	files_search_runtime($1)
	admin_pattern($1, plymouthd_runtime_t)
')