module VerityBook 1.0; require { type policykit_auth_t; type policykit_t; type sssd_t; type system_dbusd_var_run_t; type iscsi_unit_file_t; type etc_t; type systemd_timedated_t; type var_t; type usr_t; type NetworkManager_t; type systemd_networkd_var_run_t; type default_t; type lib_t; type machineid_t; type avahi_t; type xdm_t; type shadow_t; type cupsd_t; type semanage_store_t; type var_lib_t; type init_t; type systemd_tmpfiles_t; type accountsd_t; type init_var_lib_t; type getty_var_run_t; type useradd_t; type systemd_gpt_generator_t; type system_cronjob_tmp_t; type init_var_run_t; type svirt_t; type user_home_dir_t; type chkpwd_t; type xdm_var_lib_t; type container_t; type kvm_device_t; class sock_file { create write }; class file { create getattr map open read relabelfrom relabelto rename setattr unlink write }; class process { dyntransition setcurrent }; class dir { add_name create getattr read write search mounton map }; class process2 nnp_transition; class service { reload status stop }; class dbus send_msg; class sock_file { read write }; class lnk_file { getattr read }; class chr_file { getattr ioctl open read write }; } #============= container_t ============== allow container_t kvm_device_t:chr_file getattr; allow container_t kvm_device_t:chr_file { ioctl open read write }; #============= NetworkManager_t ============== allow NetworkManager_t iscsi_unit_file_t:service { reload status }; #============= accountsd_t ============== allow accountsd_t var_lib_t:file { create getattr open read rename unlink write }; allow accountsd_t shadow_t:file map; #============= avahi_t ============== allow avahi_t xdm_t:dbus send_msg; #============= cupsd_t ============== allow cupsd_t etc_t:file { rename unlink }; #============= init_t ============== # because of initramfs doing 'load_policy -i' allow init_t self:process { dyntransition setcurrent }; allow init_t semanage_store_t:file map; allow init_t system_cronjob_tmp_t:dir mounton; #============= init_t ============== allow init_t systemd_timedated_t:process2 nnp_transition; allow init_t var_t:dir create; allow init_t var_t:file { create open read rename setattr write }; allow init_t machineid_t:file { create write relabelto read setattr open }; #============= systemd_gpt_generator_t ============== # because /efi has no selinux label yet allow systemd_gpt_generator_t default_t:dir read; #============= systemd_timedated_t ============== allow systemd_timedated_t init_var_lib_t:dir { add_name getattr write search }; allow systemd_timedated_t init_var_lib_t:file { create open setattr write getattr read }; allow systemd_timedated_t init_var_lib_t:lnk_file { getattr read }; allow systemd_timedated_t init_var_run_t:dir { add_name write }; allow systemd_timedated_t init_var_run_t:file { create open write }; allow systemd_timedated_t system_dbusd_var_run_t:dir read; allow systemd_timedated_t system_dbusd_var_run_t:sock_file read; allow systemd_timedated_t systemd_networkd_var_run_t:dir read; #============= systemd_tmpfiles_t ============== allow systemd_tmpfiles_t shadow_t:file { getattr relabelfrom relabelto }; #============= useradd_t ============== allow useradd_t var_t:file { getattr open read write }; #============= xdm_t ============== allow xdm_t avahi_t:dbus send_msg; allow xdm_t getty_var_run_t:file getattr; allow xdm_t lib_t:service stop; allow xdm_t xdm_var_lib_t:dir map; #============= svirt_t ============== allow svirt_t user_home_dir_t:dir read; #============= chkpwd_t ============== allow chkpwd_t usr_t:file map; #============= policykit_auth_t ============== allow policykit_auth_t var_lib_t:file read; allow policykit_auth_t var_lib_t:sock_file write; #============= policykit_t ============== allow policykit_t var_lib_t:file read; allow policykit_t var_lib_t:sock_file write; #============= sssd_t ============== allow sssd_t var_lib_t:file read; allow sssd_t var_lib_t:sock_file { create write };