# Local SELinux policy module "benZfsSnapshotAutomount", version 1.1.
#
# Every rule below extends a single source domain, kernel_generic_helper_t.
# Judging by the module name, the goal is to let a kernel-spawned helper mount
# ZFS snapshots on demand -- TODO confirm against the AVC denials this was
# built from (the banner style looks like audit2allow output).
#
# NOTE(review): these permissions are granted to *every* process that runs in
# kernel_generic_helper_t, not only to the snapshot automount helper. Review
# each rule with that in mind before loading the module.
module benZfsSnapshotAutomount 1.1;

# Types and object classes this module references; all of them must already
# be defined by the loaded base policy or the module will not install.
require {
	type container_file_t;
	type device_t;
	type fs_t;
	type kernel_generic_helper_t;
	type mount_exec_t;
	type unlabeled_t;
	class capability { setgid setuid sys_admin };
	class chr_file { ioctl open read write };
	class dir { mounton search };
	class file { execute execute_no_trans getattr map open read };
	class filesystem mount;
}

#============= kernel_generic_helper_t ==============

# Path traversal through directories labelled container_file_t.
# presumably the snapshots live under container storage -- verify.
allow kernel_generic_helper_t container_file_t:dir search;

# Read/write/ioctl on character devices that carry the generic device_t label.
# NOTE(review): this covers any char device left with the generic label, not
# one specific node. Which device triggered the denial is not visible here;
# giving that node its own type and allowing only that type would be narrower.
allow kernel_generic_helper_t device_t:chr_file { ioctl open read write };

# Permission to mount filesystems labelled fs_t.
allow kernel_generic_helper_t fs_t:filesystem mount;

# Run the mount binary (mount_exec_t). execute_no_trans means there is no
# domain transition: mount keeps running as kernel_generic_helper_t, which is
# why the capability and mount rules in this module attach to this domain.
allow kernel_generic_helper_t mount_exec_t:file { execute execute_no_trans getattr map open read };

# Capabilities for the domain itself.
# NOTE(review): sys_admin is a very broad capability and setuid/setgid allow
# identity changes; keep them only if the denials show each one is required.
allow kernel_generic_helper_t self:capability { setgid setuid sys_admin };

# Search and mount onto directories that have no valid label (unlabeled_t).
# NOTE(review): a mountpoint showing up as unlabeled_t usually points to a
# labelling gap; relabelling the mountpoint is preferable to allowing mounts
# onto arbitrary unlabeled directories.
allow kernel_generic_helper_t unlabeled_t:dir { mounton search };