policy_module(systemd_hs,0.0.1)

gen_require(`

	type cgroup_t;

	type default_t;

	type init_exec_t;

	type init_t;

	type init_var_run_t;

	type kernel_t;

	type loadkeys_t;

	type syslogd_t;

	type syslogd_var_run_t;

	type system_dbusd_var_run_t;

	type systemd_gpt_generator_t;

	type systemd_network_generator_t;

	type systemd_networkd_t;

	type systemd_userdbd_t;

	type tmpfs_t;

')

#============= init_t ==============

allow init_t self:netlink_netfilter_socket { bind create getattr getopt setopt };

allow init_t self:vsock_socket { bind connect create getopt setopt };

allow init_t syslogd_var_run_t:file { setattr write };

#============= loadkeys_t ==============

allow loadkeys_t default_t:lnk_file read;

allow loadkeys_t init_exec_t:file getattr;

#============= syslogd_t ==============

#!!!! This avc can be allowed using the boolean 'logging_syslogd_list_non_security_dirs'

allow syslogd_t cgroup_t:dir read;

#============= systemd_gpt_generator_t ==============

allow systemd_gpt_generator_t tmpfs_t:filesystem mount;

#============= systemd_network_generator_t ==============

allow systemd_network_generator_t init_var_run_t:file { create getattr open read rename setattr write };

allow systemd_network_generator_t kernel_t:unix_dgram_socket sendto;

#============= systemd_networkd_t ==============

allow systemd_networkd_t system_dbusd_var_run_t:sock_file watch;

#============= systemd_userdbd_t ==============

allow systemd_userdbd_t self:capability sys_resource;