# FedoraBook 1.0 -- local SELinux policy module.
#
# The rules below have the shape of audit2allow output: one flat list of
# allow rules keyed by the denied source domain, with no interface calls and
# no explanation of the AVC that motivated each grant. Before loading this
# module on a system that is expected to stay enforcing, each grant should
# be traced back to its AVC; the rules marked NOTE(review) widen access to
# sensitive targets and are the ones most likely to be better handled by a
# labeling fix (restorecon / semanage fcontext) or a dontaudit than by an
# allow. The require block lists init_exec_t but no rule references it; it
# is kept here so the module's declared dependencies are unchanged.
module FedoraBook 1.0;

require {
	type accountsd_t;
	type auditd_t;
	type default_t;
	type geoclue_t;
	type geoclue_tmp_t;
	type init_t;
	type init_exec_t;
	type init_var_run_t;
	type lib_t;
	type machineid_t;
	type security_t;
	type semanage_store_t;
	type shadow_t;
	type system_dbusd_t;
	type system_dbusd_var_run_t;
	type systemd_gpt_generator_t;
	type systemd_tmpfiles_t;
	type unconfined_t;
	type unlabeled_t;
	type useradd_t;
	type var_lib_t;
	type var_run_t;
	type xdm_t;
	class dir { add_name read setattr write };
	class file { create execute getattr map open read relabelto setattr write };
	class lnk_file read;
	class sock_file read;
	class security setenforce;
	class service stop;
	class system { reload status stop };
}

#--------------------------------------------------------------------
# accountsd_t
#--------------------------------------------------------------------
# NOTE(review): grants mmap on shadow_t-labeled files (the label used for
# the system password-hash file in the reference policy). Confirm the AVC
# that produced this; a daemon that merely needs account metadata should
# not need the hash file mapped into its address space.
allow accountsd_t shadow_t:file map;

#--------------------------------------------------------------------
# auditd_t
#--------------------------------------------------------------------
# Symlink traversal under init_var_run_t; same grant as system_dbusd_t below.
allow auditd_t init_var_run_t:lnk_file read;

#--------------------------------------------------------------------
# geoclue_t
#--------------------------------------------------------------------
# NOTE(review): execute on files in the domain's own tmp label. Allowing a
# service to run code it can also write (geoclue_tmp_t is its writable tmp
# type) removes the W^X separation the policy otherwise provides; if the
# AVC came from a stray exec check rather than a real need, prefer
#   dontaudit geoclue_t geoclue_tmp_t:file execute;
allow geoclue_t geoclue_tmp_t:file execute;

#--------------------------------------------------------------------
# init_t
#--------------------------------------------------------------------
# NOTE(review): security:setenforce lets the init domain change the
# enforcing mode of the kernel policy. This is the single most consequential
# grant in the module -- confirm it is really needed (e.g. a deliberate
# permissive boot path) and not an artifact of a one-off denial.
allow init_t security_t:security setenforce;
allow init_t semanage_store_t:file map;
allow init_t system_dbusd_var_run_t:sock_file read;
allow init_t var_lib_t:dir setattr;
# Full create/write/relabel on machineid_t files (machine-id management by
# init); relabelto means init may assign this label to files it creates.
allow init_t machineid_t:file { create open read relabelto setattr write };

#--------------------------------------------------------------------
# system_dbusd_t
#--------------------------------------------------------------------
allow system_dbusd_t init_var_run_t:lnk_file read;

#--------------------------------------------------------------------
# systemd_gpt_generator_t
#--------------------------------------------------------------------
# NOTE(review): default_t is the fallback label for unlabeled-by-fcontext
# paths; a read on it usually points at a directory missing a file-context
# entry rather than at a genuine policy gap. Consider fixing the label.
allow systemd_gpt_generator_t default_t:dir read;

#--------------------------------------------------------------------
# systemd_tmpfiles_t
#--------------------------------------------------------------------
# The original listed these four permissions as separate rules; merged here.
# NOTE(review): read+open on shadow_t exposes password hashes to tmpfiles;
# relabelto lets it assign the shadow_t label. If only a relabel/chmod of
# the file is needed, getattr + relabelto may be sufficient without read.
allow systemd_tmpfiles_t shadow_t:file { getattr open read relabelto };

#--------------------------------------------------------------------
# useradd_t
#--------------------------------------------------------------------
# NOTE(review): writing into unlabeled_t directories is almost always a
# symptom of an unlabeled filesystem or a missing relabel, not something to
# permit permanently; run restorecon on the affected path and re-check.
allow useradd_t unlabeled_t:dir { add_name write };

#--------------------------------------------------------------------
# xdm_t
#--------------------------------------------------------------------
# NOTE(review): the display manager is granted service stop on lib_t and
# reload/status/stop on the unconfined_t system object. That lets a
# compromised login manager stop or reload units it does not own; verify
# which unit triggered this and scope the grant to that unit's type.
allow xdm_t lib_t:service stop;
allow xdm_t unconfined_t:system { reload status stop };
allow xdm_t var_run_t:dir setattr;