policy_module(ovirt, 1.0)

gen_require(`
    type initrc_tmp_t;
    type mount_t;
    type setfiles_t;
    type net_conf_t;
    type collectd_t;
    type virt_etc_t;
    type virt_var_run_t;
    type virtd_exec_t;
    type loadkeys_t;
    type etc_t;
    type init_t;
    type shadow_t;
    type passwd_file_t;
    type systemd_localed_t;
    type systemd_unit_file_t;
    type policykit_t;
    type local_login_t;
    type var_log_t;
')

#============= collectd_t ==============
allow collectd_t passwd_file_t:file { open read };
allow collectd_t virtd_exec_t:file getattr;
allow collectd_t virt_etc_t:file read;
allow collectd_t virt_var_run_t:sock_file write;

#============= systemd_localed_t ==============
allow systemd_localed_t etc_t:file { write rename create setattr };
allow systemd_localed_t init_t:dbus send_msg;
allow systemd_localed_t systemd_unit_file_t:service start;
allow systemd_localed_t ovirt_t:dbus send_msg;

#============= misc ==============
allow mount_t shadow_t:file mounton;
allow setfiles_t net_conf_t:file read;
allow loadkeys_t initrc_tmp_t:file read;
allow policykit_t ovirt_t:dbus send_msg;
allow local_login_t var_log_t:file { write create };

type ovirt_t;
type ovirt_exec_t;
init_daemon_domain(ovirt_t, ovirt_exec_t)
unconfined_domain(ovirt_t)
unconfined_domain(mount_t)