## <summary>Simple top-like I/O monitor</summary>

########################################
## <summary>
##	Allow execution of iotop in the iotop domain from the target domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition to iotop.
## </summary>
## </param>
#
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

########################################
## <summary>
##	Execute iotop in the iotop domain, and
##	allow the specified role to access the iotop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed into the iotop domain.
##	</summary>
## </param>
#
interface(`iotop_run',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	iotop_domtrans($1)
	roleattribute $2 iotop_roles;
')

########################################
## <summary>
##	Role allowed to access and manage processes in the iotop domain.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access to iotop
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	roleattribute $1 iotop_roles;

	iotop_domtrans($2)

	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process { signull signal sigkill };
')