policy_module(minimum_temp_fixes, 1.0)

########################################
#
# Declarations
#
# Everything listed here must already exist in the loaded base policy;
# a missing type or class fails at module insertion time. The module
# name and the per-domain "#=====" groupings of the original file look
# like audit2allow output against the "minimum" policy store (unverified).
#

require {
	type bin_t;
	type chkpwd_t;
	type fsadm_t;
	type getty_t;
	type init_t;
	type lib_t;
	type rtkit_daemon_t;
	type sshd_t;
	type system_dbusd_t;
	type systemd_localed_t;
	type systemd_logind_t;
	type systemd_systemctl_exec_t;
	type systemd_tmpfiles_t;
	type unconfined_dbusd_t;
	type unconfined_service_t;
	type unconfined_t;

	class dbus { acquire_svc send_msg };
	class dir mounton;
	# execmod is declared but no rule below grants it; it can be dropped
	# from the require block without changing the resulting policy.
	class file { entrypoint execmod };
	class nscd { gethost getgrp getpwd getserv shmemgrp shmemhost shmempwd shmemserv };
	class process { execmem transition };
}

########################################
#
# Name-service cache (nscd class) lookups
#
# Every rule here targets unconfined_service_t, i.e. the name-service
# cache daemon (presumably nscd or sssd) is running in an unconfined
# domain on this system. The permission set differs per client domain;
# domains that need the identical set share one rule, which expands to
# exactly the same per-domain access vectors as separate rules would.
#

allow getty_t unconfined_service_t:nscd shmemgrp;
allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };
allow { chkpwd_t rtkit_daemon_t systemd_logind_t } unconfined_service_t:nscd { getpwd shmempwd };
allow { system_dbusd_t systemd_tmpfiles_t unconfined_dbusd_t } unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
allow sshd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmemhost shmempwd };
allow init_t unconfined_service_t:nscd { gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv };
allow unconfined_t unconfined_service_t:nscd { getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv };

########################################
#
# D-Bus
#

# These three domains acquire a bus name and send messages on a bus
# owned by unconfined_service_t.
allow { init_t systemd_localed_t systemd_logind_t } unconfined_service_t:dbus { acquire_svc send_msg };

init_dbus_chat(unconfined_service_t)
unconfined_server_dbus_chat(sshd_t)
unconfined_server_dbus_chat(unconfined_service_t)
# logind chatting with its own domain; almost certainly already covered
# by the base policy, so this call is likely redundant (harmless if so).
systemd_dbus_chat_logind(systemd_logind_t)

########################################
#
# init_t (PID 1)
#

# Lets init mount a filesystem on top of any directory labelled bin_t or
# lib_t (typically /usr/bin and /usr/lib), shadowing whatever is beneath.
allow init_t { bin_t lib_t }:dir mounton;

# execmem permits anonymous memory that is both writable and executable
# in the init domain; the base policy evidently denies this for PID 1,
# otherwise the rule would not have been generated.
allow init_t self:process execmem;

corenet_udp_bind_generic_node(init_t)
files_manage_generic_spool(init_t)
# manage implies read on the same files, so the read call below is
# subsumed by the manage call; both are kept as in the original.
files_manage_var_files(init_t)
files_read_var_files(init_t)
files_map_var_lib_files(init_t)
# Raw (block-level) read of removable storage devices from init.
storage_raw_read_removable_device(init_t)

########################################
#
# /var/lib and /run access for confined system daemons
#

files_map_var_lib_files(chkpwd_t)
files_map_var_lib_files(getty_t)
files_map_var_lib_files(sshd_t)
files_map_var_lib_files(systemd_logind_t)
files_map_var_lib_files(systemd_tmpfiles_t)

files_read_var_lib_files(chkpwd_t)
files_read_var_lib_files(getty_t)
files_read_var_lib_files(sshd_t)
files_read_var_lib_files(systemd_logind_t)

files_write_generic_pid_sockets(chkpwd_t)
files_write_generic_pid_sockets(getty_t)
files_write_generic_pid_sockets(sshd_t)
files_write_generic_pid_sockets(systemd_localed_t)
files_write_generic_pid_sockets(systemd_logind_t)

# sshd executing generic files under /run (pid files); note this is an
# exec permission, not just read.
files_exec_generic_pid_files(sshd_t)

########################################
#
# Domain transitions and entrypoints
#

# Allows a process in unconfined_service_t to change domain to
# unconfined_t. No type_transition is declared in this module, so the
# transition only occurs when it is requested explicitly (setexeccon)
# or by a rule elsewhere in the loaded policy.
allow unconfined_service_t unconfined_t:process transition;

# Makes files labelled systemd_systemctl_exec_t a valid entrypoint into
# unconfined_t. Combined with the transition rule above, executing such
# a file from unconfined_service_t can land the process in unconfined_t;
# the execute permission on that file is not granted here and must come
# from the base policy.
allow unconfined_t systemd_systemctl_exec_t:file entrypoint;