# Local SELinux policy module "systemd_hs", version 0.0.1.
# Layout is the one audit2allow emits: a gen_require() block naming the types
# referenced below, then allow rules grouped by source domain. Every rule here
# widens what a domain may do; none of them is conditional on a boolean.
policy_module(systemd_hs,0.0.1)
gen_require(`
# Types used by the allow rules below. They are only declared (required), not
# defined here, so the module links only if the base policy already has them.
type cgroup_t;
type default_t;
type init_exec_t;
type init_t;
type init_var_run_t;
type kernel_t;
type loadkeys_t;
type syslogd_t;
type syslogd_var_run_t;
type system_dbusd_var_run_t;
type systemd_gpt_generator_t;
type systemd_network_generator_t;
type systemd_networkd_t;
type systemd_userdbd_t;
type tmpfs_t;
')
#============= init_t ==============
# init_t may create and configure (bind/getopt/setopt) its own netfilter
# netlink sockets and vsock sockets. No read/write/listen permission is
# granted by these two rules.
allow init_t self:netlink_netfilter_socket { bind create getattr getopt setopt };
allow init_t self:vsock_socket { bind connect create getopt setopt };
# init_t may write to, and change attributes of, any file labelled
# syslogd_var_run_t; create/unlink are not granted.
allow init_t syslogd_var_run_t:file { setattr write };
#============= loadkeys_t ==============
# NOTE(review): default_t is normally the label of files that matched no
# more specific file context, so a denial against it usually points at a
# mislabelled path. Confirm the path and prefer fixing its label over keeping
# this rule — TODO confirm which symlink triggered the denial.
allow loadkeys_t default_t:lnk_file read;
# Read-only metadata access to init executables (stat only, not execute).
allow loadkeys_t init_exec_t:file getattr;
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'logging_syslogd_list_non_security_dirs'
# NOTE(review): the audit2allow hint above says the base policy already
# gates this access behind a tunable. Enabling that boolean is preferable to
# the unconditional rule below, which applies regardless of the boolean's
# setting and cannot be toggled at runtime.
allow syslogd_t cgroup_t:dir read;
#============= systemd_gpt_generator_t ==============
# The GPT generator may mount tmpfs filesystems (mount only; unmount is not
# granted here).
allow systemd_gpt_generator_t tmpfs_t:filesystem mount;
#============= systemd_network_generator_t ==============
# Create/read/write/rename/setattr on files labelled init_var_run_t. This is
# the generic label for init's runtime files, so the rule covers every file
# carrying it, not just the generator's own output.
# NOTE(review): a dedicated type for the generator's output files would
# narrow this — TODO confirm which files it actually writes.
allow systemd_network_generator_t init_var_run_t:file { create getattr open read rename setattr write };
# Send datagrams to unix sockets owned by kernel_t (sendto only; no receive).
allow systemd_network_generator_t kernel_t:unix_dgram_socket sendto;
#============= systemd_networkd_t ==============
# watch permission only: networkd may set a file-notification watch on the
# D-Bus socket file, not read from or connect to it via this rule.
allow systemd_networkd_t system_dbusd_var_run_t:sock_file watch;
#============= systemd_userdbd_t ==============
# Grants the process the sys_resource capability on itself. This is a
# capability grant rather than a file/socket permission.
# NOTE(review): confirm which operation raised this denial before keeping it
# — TODO identify the syscall from the audit record.
allow systemd_userdbd_t self:capability sys_resource;