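policy_module(targeted_temp_fixes, 1.0)

########################################
#
# Local additions layered on the targeted policy.
#
# Every statement in this module only GRANTS access on top of the base
# policy; nothing here restricts anything.  The module name suggests these
# were collected as temporary fixes for observed denials, so each rule is
# annotated with what it permits and, where the grant is wider than the
# stated reason, with what to check before keeping it.
#

require {
	type iptables_t;
	type nscd_t;
	type lib_t;
	type bin_t;
	type init_t;
	type irqbalance_t;
	type iptables_var_lib_t;
	type postfix_master_t;
	type firewalld_t;
	type postfix_map_exec_t;
	type xdm_t;
	type groupadd_t;
	type useradd_t;
	class netlink_selinux_socket { bind create };
	class dir { add_name mounton write };
	class file { create execute execute_no_trans getattr ioctl lock open read };
}

########################################
#
# firewalld_t
#
# firewalld may create, lock and read files in the iptables var/lib
# location (directory add_name/write is needed to create entries there).
#
allow firewalld_t iptables_var_lib_t:dir { add_name write };
allow firewalld_t iptables_var_lib_t:file { create lock open read };

########################################
#
# init_t
#
# mounton lets init_t use bin_t and lib_t directories as mount points.
# That covers core system directories, not a specific path.
# NOTE(review): presumably triggered by a unit's mount-namespace
# sandboxing; confirm against the originating denial and prefer a
# narrower target type if one exists.
allow init_t bin_t:dir mounton;
allow init_t lib_t:dir mounton;

# execute_no_trans means the postfix map binary runs inside init_t itself,
# without the domain transition the postfix policy would otherwise apply.
# NOTE(review): confirm this is intended rather than a missing transition.
allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read };

files_rw_var_files(init_t)
fwupd_manage_cache_dirs(init_t)
ntp_read_drift_files(init_t)

########################################
#
# iptables_t
#
kernel_rw_pipes(iptables_t)

########################################
#
# irqbalance_t
#
# Daemon transition from init without the no-new-privileges restriction.
init_nnp_daemon_domain(irqbalance_t)

########################################
#
# nscd_t
#
files_exec_generic_pid_files(nscd_t)

########################################
#
# postfix_master_t
#
files_read_var_lib_files(postfix_master_t)
files_read_var_lib_symlinks(postfix_master_t)

########################################
#
# xdm_t
#
# KDE write to home directories.
# The interface grants the display-manager domain "manage" rights on all
# user home content files, which is wider than the write access named in
# the reason above.  NOTE(review): if only specific files or a specific
# type under $HOME are touched, a narrower interface should replace this.
userdom_manage_user_home_content_files(xdm_t)

########################################
#
# groupadd_t
#
allow groupadd_t self:netlink_selinux_socket { bind create };
selinux_compute_access_vector(groupadd_t)

########################################
#
# useradd_t
#
# Same grants as groupadd_t; kept in its own section so the rules are
# found under the domain they apply to.
allow useradd_t self:netlink_selinux_socket { bind create };
selinux_compute_access_vector(useradd_t)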