policy_module(systemd, 1.8.4)

#########################################
#
# Declarations
#

## <desc>
## <p>
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)

## <desc>
## <p>
## Allow systemd-nspawn to create a labelled namespace with the same types
## as parent environment
## </p>
## </desc>
gen_tunable(systemd_nspawn_labeled_namespace, false)

attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
attribute systemd_user_session_type;

type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)

type systemd_analyze_t;
type systemd_analyze_exec_t;
init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)

type systemd_backlight_t;
type systemd_backlight_exec_t;
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)

type systemd_backlight_unit_t;
init_unit_file(systemd_backlight_unit_t)

type systemd_backlight_var_lib_t;
files_type(systemd_backlight_var_lib_t)

type systemd_binfmt_t;
type systemd_binfmt_exec_t;
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)

type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)

type systemd_gpt_generator_t;
type systemd_gpt_generator_exec_t;
init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)

type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
role system_r types systemd_cgroups_t;

type systemd_cgroups_runtime_t alias systemd_cgroups_var_run_t;
files_pid_file(systemd_cgroups_runtime_t)
init_daemon_pid_file(systemd_cgroups_runtime_t, dir, "systemd_cgroups")

type systemd_cgtop_t;
type systemd_cgtop_exec_t;
init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)

type systemd_coredump_t;
type systemd_coredump_exec_t;
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)

type systemd_coredump_var_lib_t;
files_type(systemd_coredump_var_lib_t)

type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)

type systemd_hostnamed_t;
type systemd_hostnamed_exec_t;
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)

type systemd_hw_t;
type systemd_hw_exec_t;
init_system_domain(systemd_hw_t, systemd_hw_exec_t)

type systemd_hwdb_t;
files_type(systemd_hwdb_t);

type systemd_journal_t;
files_type(systemd_journal_t)
logging_log_file(systemd_journal_t)

type systemd_locale_t;
type systemd_locale_exec_t;
init_system_domain(systemd_locale_t, systemd_locale_exec_t)

type systemd_logind_t;
type systemd_logind_exec_t;
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)

type systemd_logind_var_lib_t;
files_type(systemd_logind_var_lib_t)

type systemd_logind_runtime_t alias systemd_logind_var_run_t;
files_pid_file(systemd_logind_runtime_t)
init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")

type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
files_pid_file(systemd_logind_inhibit_runtime_t)

type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)

type systemd_machined_runtime_t alias systemd_machined_var_run_t;
files_pid_file(systemd_machined_runtime_t)
init_daemon_pid_file(systemd_machined_runtime_t, dir, "machines")

type systemd_modules_load_t;
type systemd_modules_load_exec_t;
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)

type systemd_networkd_t;
type systemd_networkd_exec_t;
init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)

type systemd_networkd_unit_t;
init_unit_file(systemd_networkd_unit_t)

type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
files_pid_file(systemd_networkd_runtime_t)

type systemd_notify_t;
type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)

type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
mcs_killall(systemd_nspawn_t)

type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
files_pid_file(systemd_nspawn_runtime_t)

type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)

type systemd_resolved_t;
type systemd_resolved_exec_t;
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)

type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
files_pid_file(systemd_resolved_runtime_t)

type systemd_run_t;
type systemd_run_exec_t;
init_daemon_domain(systemd_run_t, systemd_run_exec_t)

type systemd_stdio_bridge_t;
type systemd_stdio_bridge_exec_t;
init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)

type systemd_passwd_agent_t;
type systemd_passwd_agent_exec_t;
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)

type systemd_passwd_runtime_t alias systemd_passwd_var_run_t;
files_pid_file(systemd_passwd_runtime_t)

type systemd_rfkill_t;
type systemd_rfkill_exec_t;
init_daemon_domain(systemd_rfkill_t, systemd_rfkill_exec_t)

type systemd_rfkill_unit_t;
init_unit_file(systemd_rfkill_unit_t)

type systemd_rfkill_var_lib_t;
files_type(systemd_rfkill_var_lib_t)

type systemd_sessions_t;
type systemd_sessions_exec_t;
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)

type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
files_pid_file(systemd_sessions_runtime_t)
init_daemon_pid_file(systemd_sessions_runtime_t, dir, "systemd_sessions")

type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)

type systemd_tmpfiles_conf_t;
files_config_file(systemd_tmpfiles_conf_t)

type systemd_update_done_t;
type systemd_update_done_exec_t;
init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)

type systemd_update_run_t;
files_type(systemd_update_run_t)

type systemd_user_runtime_notify_t;
userdom_user_runtime_content(systemd_user_runtime_notify_t)

type systemd_user_runtime_t;
userdom_user_runtime_content(systemd_user_runtime_t)

#
# Unit file types
#

type power_unit_t;
init_unit_file(power_unit_t)

######################################
#
# Backlight local policy
#

allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };

allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)

systemd_log_parse_environment(systemd_backlight_t)

# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
dev_rw_sysfs(systemd_backlight_t)

# for udev.conf
files_read_etc_files(systemd_backlight_t)

# for /run/udev/data/+backlight*
udev_read_pid_files(systemd_backlight_t)

files_search_var_lib(systemd_backlight_t)

#######################################
#
# Binfmt local policy
#

kernel_read_kernel_sysctls(systemd_binfmt_t)

systemd_log_parse_environment(systemd_binfmt_t)

# Allow to read /etc/binfmt.d/ files
files_read_etc_files(systemd_binfmt_t)

fs_register_binary_executable_type(systemd_binfmt_t)

#######################################
#
# GPT auto generator local policy
#

kernel_read_kernel_sysctls(systemd_gpt_generator_t)

dev_read_sysfs(systemd_gpt_generator_t)
files_list_usr(systemd_gpt_generator_t)
files_read_etc_files(systemd_gpt_generator_t)
fs_getattr_xattr_fs(systemd_gpt_generator_t)
storage_raw_read_fixed_disk(systemd_gpt_generator_t)

systemd_log_parse_environment(systemd_gpt_generator_t)

######################################
#
# Cgroups local policy
#

allow systemd_cgroups_t self:capability net_admin;

kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
# for /proc/cmdline
kernel_read_system_state(systemd_cgroups_t)

mls_fd_use_all_levels(systemd_cgroups_t)

selinux_getattr_fs(systemd_cgroups_t)

# write to /run/systemd/cgroups-agent
init_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)
# for /proc/1/environ
init_read_state(systemd_cgroups_t)

seutil_libselinux_linked(systemd_cgroups_t)

systemd_log_parse_environment(systemd_cgroups_t)

ifdef(`enable_mls',`
	kernel_ranged_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t, s0 - mls_systemhigh)
')

######################################
#
# coredump local policy
#

allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
allow systemd_coredump_t self:capability { setgid setuid setpcap };
allow systemd_coredump_t self:process { getcap setcap setfscreate };

manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)

kernel_read_kernel_sysctls(systemd_coredump_t)
kernel_read_system_state(systemd_coredump_t)
kernel_rw_pipes(systemd_coredump_t)
kernel_use_fds(systemd_coredump_t)

corecmd_exec_bin(systemd_coredump_t)
corecmd_read_all_executables(systemd_coredump_t)

dev_write_kmsg(systemd_coredump_t)

files_read_etc_files(systemd_coredump_t)
files_search_var_lib(systemd_coredump_t)

fs_getattr_xattr_fs(systemd_coredump_t)

selinux_getattr_fs(systemd_coredump_t)

init_list_var_lib_dirs(systemd_coredump_t)
init_read_state(systemd_coredump_t)
init_search_pids(systemd_coredump_t)
init_write_runtime_socket(systemd_coredump_t)

logging_send_syslog_msg(systemd_coredump_t)

seutil_search_default_contexts(systemd_coredump_t)


#######################################
#
# Hostnamed policy
#

allow systemd_hostnamed_t self:capability sys_admin;

kernel_read_kernel_sysctls(systemd_hostnamed_t)

dev_read_sysfs(systemd_hostnamed_t)

files_read_etc_files(systemd_hostnamed_t)

seutil_read_file_contexts(systemd_hostnamed_t)

sysnet_etc_filetrans_config(systemd_hostnamed_t)
sysnet_manage_config(systemd_hostnamed_t)

systemd_log_parse_environment(systemd_hostnamed_t)

optional_policy(`
	dbus_connect_system_bus(systemd_hostnamed_t)
	dbus_system_bus_client(systemd_hostnamed_t)
	init_dbus_chat(systemd_hostnamed_t)
')

optional_policy(`
	networkmanager_dbus_chat(systemd_hostnamed_t)
')

#########################################
#
# hw local policy
#

kernel_read_kernel_sysctls(systemd_hw_t)

allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)

files_search_pids(systemd_hw_t)

selinux_get_fs_mount(systemd_hw_t)

init_read_state(systemd_hw_t)

seutil_read_config(systemd_hw_t)
seutil_read_file_contexts(systemd_hw_t)

#######################################
#
# locale local policy
#

kernel_read_kernel_sysctls(systemd_locale_t)

files_read_etc_files(systemd_locale_t)

seutil_read_file_contexts(systemd_locale_t)

systemd_log_parse_environment(systemd_locale_t)

optional_policy(`
	dbus_connect_system_bus(systemd_locale_t)
	dbus_system_bus_client(systemd_locale_t)
')

######################################
#
# systemd log parse enviroment
#

# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
dontaudit systemd_log_parse_env_type self:capability net_admin;

kernel_read_system_state(systemd_log_parse_env_type)

dev_write_kmsg(systemd_log_parse_env_type)

term_use_console(systemd_log_parse_env_type)

init_read_state(systemd_log_parse_env_type)

logging_send_syslog_msg(systemd_log_parse_env_type)

#########################################
#
# Logind local policy
#

allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;

allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)

manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;

manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")

allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;

kernel_read_kernel_sysctls(systemd_logind_t)

dev_getattr_dri_dev(systemd_logind_t)
dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
dev_getattr_video_dev(systemd_logind_t)
dev_manage_wireless(systemd_logind_t)
dev_read_urand(systemd_logind_t)
dev_rw_dri(systemd_logind_t)
dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)

domain_obj_id_change_exemption(systemd_logind_t)

files_read_etc_files(systemd_logind_t)
files_search_pids(systemd_logind_t)

fs_getattr_cgroup(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_getattr_tmpfs_dirs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_read_cgroup_files(systemd_logind_t)
fs_read_efivarfs_files(systemd_logind_t)
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)

selinux_get_enforce_mode(systemd_logind_t)

storage_getattr_removable_dev(systemd_logind_t)
storage_getattr_scsi_generic_dev(systemd_logind_t)
storage_setattr_removable_dev(systemd_logind_t)
storage_setattr_scsi_generic_dev(systemd_logind_t)

term_setattr_unallocated_ttys(systemd_logind_t)
term_use_unallocated_ttys(systemd_logind_t)

auth_manage_faillog(systemd_logind_t)

init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
init_get_system_status(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_service_start(systemd_logind_t)
init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)

locallogin_read_state(systemd_logind_t)

seutil_libselinux_linked(systemd_logind_t)
seutil_read_default_contexts(systemd_logind_t)
seutil_read_file_contexts(systemd_logind_t)

systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)

udev_list_pids(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_read_pid_files(systemd_logind_t)

userdom_delete_all_user_runtime_dirs(systemd_logind_t)
userdom_delete_all_user_runtime_files(systemd_logind_t)
userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
# user_tmp_t is for the dbus-1 directory
userdom_list_user_tmp(systemd_logind_t)
userdom_manage_user_runtime_dirs(systemd_logind_t)
userdom_manage_user_runtime_root_dirs(systemd_logind_t)
userdom_mounton_user_runtime_dirs(systemd_logind_t)
userdom_read_all_users_state(systemd_logind_t)
userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
userdom_relabel_user_tmpfs_files(systemd_logind_t)
userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)

# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
ifdef(`distro_redhat',`
	userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
	userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
')

optional_policy(`
	dbus_connect_system_bus(systemd_logind_t)
	dbus_system_bus_client(systemd_logind_t)
')

optional_policy(`
	devicekit_dbus_chat_disk(systemd_logind_t)
	devicekit_dbus_chat_power(systemd_logind_t)
')

optional_policy(`
	modemmanager_dbus_chat(systemd_logind_t)
')

optional_policy(`
	networkmanager_dbus_chat(systemd_logind_t)
')

optional_policy(`
	policykit_dbus_chat(systemd_logind_t)
')

optional_policy(`
	xserver_read_state(systemd_logind_t)
	xserver_dbus_chat(systemd_logind_t)
	xserver_dbus_chat_xdm(systemd_logind_t)
	xserver_read_xdm_state(systemd_logind_t)
')

optional_policy(`
	unconfined_dbus_send(systemd_logind_t)
')

#########################################
#
# machined local policy
#

allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
allow systemd_machined_t self:process setfscreate;
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };

manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;

kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)

files_read_etc_files(systemd_machined_t)

fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
fs_read_nsfs_files(systemd_machined_t)

selinux_getattr_fs(systemd_machined_t)

init_read_script_state(systemd_machined_t)
init_get_system_status(systemd_machined_t)
init_read_state(systemd_machined_t)
init_service_start(systemd_machined_t)
init_service_status(systemd_machined_t)
init_start_system(systemd_machined_t)
init_stop_system(systemd_machined_t)
init_get_generic_units_status(systemd_machined_t)
init_start_generic_units(systemd_machined_t)
init_stop_generic_units(systemd_machined_t)

logging_send_syslog_msg(systemd_machined_t)

seutil_search_default_contexts(systemd_machined_t)

optional_policy(`
	init_dbus_chat(systemd_machined_t)
	init_dbus_send_script(systemd_machined_t)

	dbus_connect_system_bus(systemd_machined_t)
	dbus_system_bus_client(systemd_machined_t)
')

########################################
#
# modules-load local policy
#

kernel_load_module(systemd_modules_load_t)
kernel_read_kernel_sysctls(systemd_modules_load_t)
kernel_request_load_module(systemd_modules_load_t)

dev_read_sysfs(systemd_modules_load_t)

files_read_etc_files(systemd_modules_load_t)

modutils_read_module_config(systemd_modules_load_t)
modutils_read_module_deps(systemd_modules_load_t)
modutils_read_module_objects(systemd_modules_load_t)

systemd_log_parse_environment(systemd_modules_load_t)

########################################
#
# networkd local policy
#

allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow systemd_networkd_t self:packet_socket create_socket_perms;
allow systemd_networkd_t self:process { getcap setcap setfscreate };
allow systemd_networkd_t self:rawip_socket create_socket_perms;
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow systemd_networkd_t self:udp_socket create_socket_perms;
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;

manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)

kernel_read_system_state(systemd_networkd_t)
kernel_read_kernel_sysctls(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
kernel_request_load_module(systemd_networkd_t)
kernel_rw_net_sysctls(systemd_networkd_t)

corecmd_bin_entry_type(systemd_networkd_t)
corecmd_exec_bin(systemd_networkd_t)

corenet_rw_tun_tap_dev(systemd_networkd_t)
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
corenet_udp_bind_generic_node(systemd_networkd_t)

dev_read_urand(systemd_networkd_t)
dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)

files_read_etc_files(systemd_networkd_t)

auth_use_nsswitch(systemd_networkd_t)

init_dgram_send(systemd_networkd_t)
init_read_state(systemd_networkd_t)

logging_send_syslog_msg(systemd_networkd_t)

miscfiles_read_localization(systemd_networkd_t)

sysnet_read_config(systemd_networkd_t)

systemd_log_parse_environment(systemd_networkd_t)

optional_policy(`
	dbus_system_bus_client(systemd_networkd_t)
	dbus_connect_system_bus(systemd_networkd_t)

	systemd_dbus_chat_hostnamed(systemd_networkd_t)
')

optional_policy(`
	udev_read_db(systemd_networkd_t)
	udev_read_pid_files(systemd_networkd_t)
')

########################################
#
# systemd_notify local policy
#
allow systemd_notify_t self:capability chown;
allow systemd_notify_t self:process { setfscreate setsockcreate };

allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(systemd_notify_t)

files_read_etc_files(systemd_notify_t)
files_read_usr_files(systemd_notify_t)

fs_getattr_cgroup_files(systemd_notify_t)

auth_use_nsswitch(systemd_notify_t)

init_rw_stream_sockets(systemd_notify_t)

miscfiles_read_localization(systemd_notify_t)

########################################
#
# Nspawn local policy
#

allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;

allow systemd_nspawn_t systemd_journal_t:dir search;

allow systemd_nspawn_t systemd_machined_t:dbus send_msg;

allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)

files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
# for /tmp/.#inaccessible*
allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;

# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;

kernel_mount_proc(systemd_nspawn_t)
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
kernel_mounton_message_if(systemd_nspawn_t)
kernel_mounton_proc(systemd_nspawn_t)
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
kernel_read_kernel_sysctls(systemd_nspawn_t)
kernel_read_system_state(systemd_nspawn_t)
kernel_remount_proc(systemd_nspawn_t)

corecmd_exec_shell(systemd_nspawn_t)
corecmd_search_bin(systemd_nspawn_t)

corenet_rw_tun_tap_dev(systemd_nspawn_t)

dev_getattr_fs(systemd_nspawn_t)
dev_manage_sysfs_dirs(systemd_nspawn_t)
dev_mounton_sysfs_dirs(systemd_nspawn_t)
dev_mount_sysfs(systemd_nspawn_t)
dev_read_rand(systemd_nspawn_t)
dev_read_urand(systemd_nspawn_t)

files_getattr_tmp_dirs(systemd_nspawn_t)
files_manage_etc_files(systemd_nspawn_t)
files_manage_mnt_dirs(systemd_nspawn_t)
files_mounton_mnt(systemd_nspawn_t)
files_mounton_root(systemd_nspawn_t)
files_mounton_tmp(systemd_nspawn_t)
files_read_kernel_symbol_table(systemd_nspawn_t)
files_setattr_pid_dirs(systemd_nspawn_t)

fs_getattr_tmpfs(systemd_nspawn_t)
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
fs_mount_tmpfs(systemd_nspawn_t)
fs_remount_tmpfs(systemd_nspawn_t)
fs_remount_xattr_fs(systemd_nspawn_t)
fs_read_cgroup_files(systemd_nspawn_t)

term_getattr_generic_ptys(systemd_nspawn_t)
term_getattr_pty_fs(systemd_nspawn_t)
term_mount_devpts(systemd_nspawn_t)
term_search_ptys(systemd_nspawn_t)
term_setattr_generic_ptys(systemd_nspawn_t)
term_use_ptmx(systemd_nspawn_t)

init_domtrans_script(systemd_nspawn_t)
init_getrlimit(systemd_nspawn_t)
init_kill_scripts(systemd_nspawn_t)
init_read_state(systemd_nspawn_t)
init_search_run(systemd_nspawn_t)
init_write_runtime_socket(systemd_nspawn_t)
init_spec_domtrans_script(systemd_nspawn_t)

miscfiles_manage_localization(systemd_nspawn_t)

# for writing inside chroot
sysnet_manage_config(systemd_nspawn_t)

userdom_manage_user_home_dirs(systemd_nspawn_t)

tunable_policy(`systemd_nspawn_labeled_namespace',`
	corecmd_exec_bin(systemd_nspawn_t)
	corecmd_exec_shell(systemd_nspawn_t)

	dev_mounton(systemd_nspawn_t)
	dev_setattr_generic_dirs(systemd_nspawn_t)

	# manage etc symlinks for /etc/localtime
	files_manage_etc_symlinks(systemd_nspawn_t)
	files_mounton_pid_dirs(systemd_nspawn_t)
	files_search_home(systemd_nspawn_t)

	fs_getattr_cgroup(systemd_nspawn_t)
	fs_manage_cgroup_dirs(systemd_nspawn_t)
	fs_manage_tmpfs_dirs(systemd_nspawn_t)
	fs_manage_tmpfs_files(systemd_nspawn_t)
	fs_manage_tmpfs_symlinks(systemd_nspawn_t)
	fs_mount_cgroup(systemd_nspawn_t)
	fs_mounton_cgroup(systemd_nspawn_t)
	fs_mounton_tmpfs(systemd_nspawn_t)
	fs_mounton_tmpfs_files(systemd_nspawn_t)
	fs_remount_cgroup(systemd_nspawn_t)
	fs_search_tmpfs(systemd_nspawn_t)
	fs_unmount_cgroup(systemd_nspawn_t)
	fs_write_cgroup_files(systemd_nspawn_t)

	selinux_getattr_fs(systemd_nspawn_t)
	selinux_remount_fs(systemd_nspawn_t)
	selinux_search_fs(systemd_nspawn_t)

	init_domtrans(systemd_nspawn_t)

	logging_search_logs(systemd_nspawn_t)

	seutil_search_default_contexts(systemd_nspawn_t)
')

optional_policy(`
	allow systemd_machined_t systemd_nspawn_t:dbus send_msg;

	dbus_system_bus_client(systemd_nspawn_t)

	optional_policy(`
		unconfined_dbus_send(systemd_machined_t)
	')
')

optional_policy(`
	virt_manage_virt_content(systemd_nspawn_t)
')

#######################################
#
# systemd_passwd_agent_t local policy
#

allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;

manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })

kernel_read_system_state(systemd_passwd_agent_t)
kernel_stream_connect(systemd_passwd_agent_t)

dev_create_generic_dirs(systemd_passwd_agent_t)
dev_read_generic_files(systemd_passwd_agent_t)
dev_write_generic_sock_files(systemd_passwd_agent_t)
dev_write_kmsg(systemd_passwd_agent_t)

files_read_etc_files(systemd_passwd_agent_t)

fs_getattr_xattr_fs(systemd_passwd_agent_t)

selinux_get_enforce_mode(systemd_passwd_agent_t)
selinux_getattr_fs(systemd_passwd_agent_t)

term_read_console(systemd_passwd_agent_t)

auth_use_nsswitch(systemd_passwd_agent_t)

init_create_runtime_dirs(systemd_passwd_agent_t)
init_read_runtime_pipes(systemd_passwd_agent_t)
init_read_state(systemd_passwd_agent_t)
init_read_utmp(systemd_passwd_agent_t)
init_stream_connect(systemd_passwd_agent_t)

logging_send_syslog_msg(systemd_passwd_agent_t)

miscfiles_read_localization(systemd_passwd_agent_t)

seutil_search_default_contexts(systemd_passwd_agent_t)

userdom_use_user_ttys(systemd_passwd_agent_t)
userdom_use_user_ptys(systemd_passwd_agent_t)

optional_policy(`
	getty_use_fds(systemd_passwd_agent_t)
')

optional_policy(`
	lvm_signull(systemd_passwd_agent_t)
')

optional_policy(`
	plymouthd_stream_connect(systemd_passwd_agent_t)
')


#######################################
#
# Rfkill local policy
#

manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)

kernel_read_kernel_sysctls(systemd_rfkill_t)

dev_read_sysfs(systemd_rfkill_t)
dev_rw_wireless(systemd_rfkill_t)

# Allow reading /etc/udev/udev.conf
files_read_etc_files(systemd_rfkill_t)

# Allow reading /run/udev/data/+rfkill:rfkill0
udev_read_pid_files(systemd_rfkill_t)

systemd_log_parse_environment(systemd_rfkill_t)

#########################################
#
# Resolved local policy
#

allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };

allow systemd_resolved_t self:tcp_socket { accept listen };

manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
init_pid_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)

dev_read_sysfs(systemd_resolved_t)

kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
kernel_read_net_sysctls(systemd_resolved_t)

corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_dns_port(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)

auth_use_nsswitch(systemd_resolved_t)

init_dgram_send(systemd_resolved_t)

seutil_read_file_contexts(systemd_resolved_t)

systemd_log_parse_environment(systemd_resolved_t)
systemd_read_networkd_runtime(systemd_resolved_t)

optional_policy(`
	dbus_connect_system_bus(systemd_resolved_t)
	dbus_system_bus_client(systemd_resolved_t)
')

#########################################
#
# Sessions local policy
#

allow systemd_sessions_t self:process setfscreate;

allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)

kernel_read_kernel_sysctls(systemd_sessions_t)

selinux_get_enforce_mode(systemd_sessions_t)
selinux_get_fs_mount(systemd_sessions_t)

seutil_read_config(systemd_sessions_t)
seutil_read_default_contexts(systemd_sessions_t)
seutil_read_file_contexts(systemd_sessions_t)

systemd_log_parse_environment(systemd_sessions_t)

#########################################
#
# Tmpfiles local policy
#

allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };

allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;

allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { relabelfrom relabelto manage_file_perms };

manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };

allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;

kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)

dev_getattr_fs(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)

files_create_lock_dirs(systemd_tmpfiles_t)
files_manage_all_pid_dirs(systemd_tmpfiles_t)
files_delete_usr_files(systemd_tmpfiles_t)
files_list_home(systemd_tmpfiles_t)
files_list_locks(systemd_tmpfiles_t)
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
files_manage_var_dirs(systemd_tmpfiles_t)
files_manage_var_lib_dirs(systemd_tmpfiles_t)
files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_read_etc_runtime_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
files_relabel_var_dirs(systemd_tmpfiles_t)
files_relabel_var_lib_dirs(systemd_tmpfiles_t)
files_relabelfrom_home(systemd_tmpfiles_t)
files_relabelto_home(systemd_tmpfiles_t)
files_relabelto_etc_dirs(systemd_tmpfiles_t)
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)

fs_getattr_tmpfs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
fs_list_tmpfs(systemd_tmpfiles_t)

selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)

auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
auth_manage_lastlog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)

init_manage_utmp(systemd_tmpfiles_t)
init_manage_var_lib_files(systemd_tmpfiles_t)
# for /proc/1/environ
init_read_state(systemd_tmpfiles_t)

init_relabel_utmp(systemd_tmpfiles_t)
init_relabel_var_lib_dirs(systemd_tmpfiles_t)

logging_manage_generic_logs(systemd_tmpfiles_t)
logging_manage_generic_log_dirs(systemd_tmpfiles_t)
logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)

miscfiles_manage_man_pages(systemd_tmpfiles_t)
miscfiles_relabel_man_cache(systemd_tmpfiles_t)

seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)

sysnet_manage_config(systemd_tmpfiles_t)
sysnet_relabel_config(systemd_tmpfiles_t)

systemd_log_parse_environment(systemd_tmpfiles_t)

userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)

tunable_policy(`systemd_tmpfiles_manage_all',`
	# systemd-tmpfiles can be configured to manage anything.
	# have a last-resort option for users to do this.
	files_manage_non_security_dirs(systemd_tmpfiles_t)
	files_manage_non_security_files(systemd_tmpfiles_t)
	files_relabel_non_security_dirs(systemd_tmpfiles_t)
	files_relabel_non_security_files(systemd_tmpfiles_t)
')

optional_policy(`
	dbus_read_lib_files(systemd_tmpfiles_t)
	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
')

optional_policy(`
	apt_use_fds(systemd_tmpfiles_t)
	dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t)
')

optional_policy(`
	xfs_create_tmp_dirs(systemd_tmpfiles_t)
')

optional_policy(`
	xserver_create_console_pipes(systemd_tmpfiles_t)
	xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
	xserver_relabel_console_pipes(systemd_tmpfiles_t)
	xserver_setattr_console_pipes(systemd_tmpfiles_t)
')

#########################################
#
# Update Done local policy
#

allow systemd_update_done_t self:process setfscreate;

allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;

files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)

kernel_read_kernel_sysctls(systemd_update_done_t)

seutil_read_file_contexts(systemd_update_done_t)

systemd_log_parse_environment(systemd_update_done_t)

#########################################
#
# User session (systemd --user) local policy
#

allow systemd_user_session_type self:capability { dac_read_search sys_resource };
dontaudit systemd_user_session_type self:capability dac_override;
allow systemd_user_session_type self:process setfscreate;
allow systemd_user_session_type self:udp_socket create_socket_perms;
allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };

allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)

allow systemd_user_session_type systemd_user_runtime_notify_t:sock_file create;
type_transition systemd_user_session_type systemd_user_runtime_t:sock_file systemd_user_runtime_notify_t "notify";

dev_write_sysfs_dirs(systemd_user_session_type)
dev_read_sysfs(systemd_user_session_type)

files_read_etc_files(systemd_user_session_type)
files_list_usr(systemd_user_session_type)

fs_getattr_cgroup(systemd_user_session_type)
fs_rw_cgroup_files(systemd_user_session_type)
fs_manage_cgroup_dirs(systemd_user_session_type)

init_signal(systemd_user_session_type)

kernel_read_kernel_sysctls(systemd_user_session_type)

mount_list_runtime(systemd_user_session_type)

storage_getattr_fixed_disk_dev(systemd_user_session_type)

# for systemd to read udev status
udev_read_pid_files(systemd_user_session_type)
udev_list_pids(systemd_user_session_type)