policy_module(systemd_hs,0.0.1)

# systemd overrides for 247

gen_require(`

	type init_t;

	type init_var_run_t;

	type kmsg_device_t;

	type proc_kmsg_t;

	type proc_security_t;

	type systemd_hostnamed_t;

	type systemd_localed_t;

	type systemd_logind_t;

	type systemd_resolved_t;

	type systemd_tmpfiles_t;

	type systemd_hwdb_t;

	type systemd_sysctl_t;

	type security_t;

	type tpm_device_t;

	type ramfs_t;

	type shadow_t;

	type syslogd_t;

	type user_tmp_t;

	type systemd_machined_t;

	type system_dbusd_var_run_t;

	type systemd_networkd_t;

')

#============= init_t ==============

allow init_t kmsg_device_t:chr_file mounton;

allow init_t proc_kmsg_t:file { getattr mounton };

allow init_t ramfs_t:file manage_file_perms;

allow init_t tpm_device_t:chr_file { read write open };

allow init_t shadow_t:file { read open };

#============= systemd_hwdb_t ==============

allow systemd_hwdb_t security_t:file { read open };

allow systemd_hwdb_t self:netlink_selinux_socket { create bind };

#============= systemd_sysctl_t ==============

allow systemd_sysctl_t proc_security_t:file read;

#============= syslogd_t ==============

allow syslogd_t user_tmp_t:dir search;

#============= systemd_machined_t ==============

allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;

#============= systemd_networkd_t ==============

allow systemd_networkd_t system_dbusd_var_run_t:sock_file *;

selinux_use_status_page(init_t)

selinux_use_status_page(systemd_hostnamed_t)

selinux_use_status_page(systemd_localed_t)

selinux_use_status_page(systemd_logind_t)

selinux_use_status_page(systemd_resolved_t)

selinux_use_status_page(systemd_tmpfiles_t)

selinux_use_status_page(systemd_hwdb_t)