policy_module(systemd_hs,0.0.1)
# systemd overrides for 247
#
# Local policy module layered on top of the distribution's systemd policy.
# Every statement below only widens what a domain may do (allow rules and
# interface calls); nothing here constrains access. Each rule should be
# traceable to an observed AVC denial on a systemd 247 host.
gen_require(`
type init_t;
type init_var_run_t;
type kmsg_device_t;
type proc_kmsg_t;
type proc_security_t;
type systemd_hostnamed_t;
type systemd_localed_t;
type systemd_logind_t;
type systemd_resolved_t;
type systemd_tmpfiles_t;
type systemd_hwdb_t;
type systemd_sysctl_t;
type security_t;
type tpm_device_t;
type ramfs_t;
type shadow_t;
type syslogd_t;
type user_tmp_t;
type systemd_machined_t;
type system_dbusd_var_run_t;
type systemd_networkd_t;
')
#============= init_t ==============
# PID 1 mounting over the kernel log device/file (mounton only, no read/write).
allow init_t kmsg_device_t:chr_file mounton;
allow init_t proc_kmsg_t:file { getattr mounton };
# manage_file_perms is the full create/open/read/write/append/rename/link/unlink
# set, not just read/write.
allow init_t ramfs_t:file manage_file_perms;
# Read/write on the TPM character device from PID 1 itself.
# NOTE(review): this is a broad grant for init_t; confirm which systemd 247
# code path needs it from PID 1 rather than from a dedicated transition domain.
allow init_t tpm_device_t:chr_file { read write open };
# Read access to the shadow password file from PID 1.
# NOTE(review): shadow_t is kept unreadable by almost every domain on purpose;
# confirm the denial that motivated this and whether a narrower domain would do.
allow init_t shadow_t:file { read open };
#============= systemd_hwdb_t ==============
# Read of security_t (selinuxfs) files plus a netlink_selinux_socket;
# presumably libselinux policy-load notification — verify against the denial.
allow systemd_hwdb_t security_t:file { read open };
allow systemd_hwdb_t self:netlink_selinux_socket { create bind };
#============= systemd_sysctl_t ==============
allow systemd_sysctl_t proc_security_t:file read;
#============= syslogd_t ==============
# Directory search only; no file access on user_tmp_t is granted here.
allow syslogd_t user_tmp_t:dir search;
#============= systemd_machined_t ==============
# manage_sock_file_perms includes create/unlink/rename/setattr on the socket
# files under init_var_run_t, not only read/write.
allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;
#============= systemd_networkd_t ==============
# The intended permission is `watch`, which the CentOS Stream 8 base policy does
# not declare, so `*` is used to keep the module building there.
# NOTE(review): `*` expands to every sock_file permission the base policy
# declares (create, unlink, setattr, relabelfrom/relabelto, ...), far more than
# watch, and a module cannot grant a permission the base does not declare at
# all. On a base that declares `watch`, replace `*` with `watch` (or the exact
# set seen in the AVC denials) so networkd is not left with full control of the
# D-Bus socket files.
allow systemd_networkd_t system_dbusd_var_run_t:sock_file *;
# selinux_use_status_page(): refpolicy interface that lets the domain read and
# map the SELinux status page so it can notice policy reloads without polling.
selinux_use_status_page(init_t)
selinux_use_status_page(systemd_hostnamed_t)
selinux_use_status_page(systemd_localed_t)
selinux_use_status_page(systemd_logind_t)
selinux_use_status_page(systemd_resolved_t)
selinux_use_status_page(systemd_tmpfiles_t)
selinux_use_status_page(systemd_hwdb_t)