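policy_module(systemd_hs, 0.0.1)
#
# Local SELinux overrides for systemd 247 that the base policy does not
# yet carry. Every rule below is a raw allow against types required from
# other modules, so each grant should stay tied to a concrete AVC denial
# and be no wider than that denial needs.
#

gen_require(`
	type init_t;
	type init_var_run_t;
	type kmsg_device_t;
	type proc_kmsg_t;
	type proc_security_t;
	type systemd_hostnamed_t;
	type systemd_localed_t;
	type systemd_logind_t;
	type systemd_resolved_t;
	type systemd_tmpfiles_t;
	type systemd_hwdb_t;
	type systemd_sysctl_t;
	type security_t;
	type tpm_device_t;
	type ramfs_t;
	type shadow_t;
	type syslogd_t;
	type user_tmp_t;
	type systemd_machined_t;
	type system_dbusd_var_run_t;
	type systemd_networkd_t;
')

########################################
#
# init_t (PID 1)
#

# Mount over the kernel log interfaces, both the character device and the
# /proc entry. Presumably needed for ProtectKernelLogs= sandboxing of
# services -- TODO confirm against the denial that prompted it.
allow init_t kmsg_device_t:chr_file mounton;
allow init_t proc_kmsg_t:file { getattr mounton };

# Full create/read/write/delete on files living on a ramfs mount. Nothing
# here says which ramfs this is for, so the grant is broader than a
# targeted one would be -- verify the mount and narrow if possible.
allow init_t ramfs_t:file manage_file_perms;

# Direct read/write on the TPM character device from PID 1.
allow init_t tpm_device_t:chr_file { read write open };

# NOTE(review): PID 1 reading /etc/shadow is a high-value grant and the
# most sensitive rule in this module. It is kept as a bare allow because
# that is what the original policy does. Two caveats for whoever maintains
# this: (1) if the base policy carries the refpolicy rule
# "neverallow ~can_read_shadow_passwords shadow_t:file read;" this allow
# will be rejected when neverallow checking (expand-check) is enabled, and
# the grant must be expressed as auth_read_shadow(init_t) instead, which
# also tags init_t with the can_read_shadow_passwords attribute;
# (2) confirm which PID 1 code path actually triggers the read before
# keeping it -- a forked service child running User=/PAMName= before its
# exec transition is one plausible source, but that is an assumption.
allow init_t shadow_t:file { read open };

########################################
#
# systemd_hwdb_t
#

# Read the selinuxfs files and open a netlink SELinux socket; presumably
# libselinux AVC initialisation inside systemd-hwdb -- confirm with the AVC.
allow systemd_hwdb_t security_t:file { read open };
allow systemd_hwdb_t self:netlink_selinux_socket { create bind };

########################################
#
# systemd_sysctl_t
#

# Read-only access to security-related sysctl nodes (proc_security_t).
# Note this is read without open; the original rule is preserved as-is.
allow systemd_sysctl_t proc_security_t:file read;

########################################
#
# syslogd_t
#

# Directory search only; no file access on user temp content is granted.
allow syslogd_t user_tmp_t:dir search;

########################################
#
# systemd_machined_t
#

# Create/delete/rename sockets under the systemd runtime directory.
allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;

########################################
#
# systemd_networkd_t
#

# Bus-client access to the system bus socket. The original rule granted
# every sock_file permission ("*"), which also covers create, unlink,
# setattr and relabel on the bus socket itself; connecting to a unix
# socket file is checked as sock_file write, which is all a client needs
# here. If a later denial shows another permission is required, add that
# permission explicitly rather than reintroducing the wildcard.
# dbus_system_bus_client(systemd_networkd_t) is the conventional interface
# for this if the base policy provides it.
allow systemd_networkd_t system_dbusd_var_run_t:sock_file write;

########################################
#
# SELinux status page
#

# Read access to the SELinux status page for every systemd domain that
# links libselinux; presumably so that policy reloads are noticed via the
# status page rather than a netlink socket -- TODO confirm per domain.
selinux_use_status_page(init_t)
selinux_use_status_page(systemd_hostnamed_t)
selinux_use_status_page(systemd_localed_t)
selinux_use_status_page(systemd_logind_t)
selinux_use_status_page(systemd_resolved_t)
selinux_use_status_page(systemd_tmpfiles_t)
selinux_use_status_page(systemd_hwdb_t)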