policy_module(hypervkvp, 1.0.0)

########################################
#
# Declarations
#

attribute hyperv_domain;

type hypervkvp_t, hyperv_domain;
type hypervkvp_exec_t;
init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)

type hypervkvp_initrc_exec_t;
init_script_file(hypervkvp_initrc_exec_t)

type hypervkvp_unit_file_t;
systemd_unit_file(hypervkvp_unit_file_t)

type hypervkvp_var_lib_t;
files_type(hypervkvp_var_lib_t)

type hypervkvp_tmp_t;
files_tmpfs_file(hypervkvp_tmp_t)

type hypervvssd_t, hyperv_domain;
type hypervvssd_exec_t;
init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)

type hypervvssd_unit_file_t;
systemd_unit_file(hypervvssd_unit_file_t)

########################################
#
# hyperv domain local policy
#

allow hyperv_domain self:capability net_admin;
allow hyperv_domain self:netlink_socket create_socket_perms;

allow hyperv_domain self:fifo_file rw_fifo_file_perms;
allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;

corecmd_exec_shell(hyperv_domain)
corecmd_exec_bin(hyperv_domain)

dev_read_sysfs(hyperv_domain)

########################################
#
# hypervkvp local policy
#

allow hypervkvp_t self:capability sys_ptrace;
allow hypervkvp_t self:process setfscreate;
allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;

manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)

manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })

kernel_read_system_state(hypervkvp_t)
kernel_read_network_state(hypervkvp_t)
kernel_request_load_module(hypervkvp_t)
kernel_rw_net_sysctls(hypervkvp_t)

corecmd_getattr_all_executables(hypervkvp_t)

dev_rw_hypervkvp(hypervkvp_t)

domain_read_all_domains_state(hypervkvp_t)

seutil_exec_setfiles(hypervkvp_t)
seutil_read_file_contexts(hypervkvp_t)

domain_read_all_domains_state(hypervkvp_t)

dev_read_urand(hypervkvp_t)

files_dontaudit_search_home(hypervkvp_t)
files_dontaudit_getattr_non_security_files(hypervkvp_t)

fs_getattr_all_fs(hypervkvp_t)
fs_read_hugetlbfs_files(hypervkvp_t)
fs_list_hugetlbfs(hypervkvp_t)

auth_use_nsswitch(hypervkvp_t)

logging_send_syslog_msg(hypervkvp_t)
logging_read_syslog_config(hypervkvp_t)

libs_exec_ldconfig(hypervkvp_t)

modutils_domtrans_kmod(hypervkvp_t)

seutil_domtrans_setfiles(hypervkvp_t)

sysnet_dns_name_resolve(hypervkvp_t)
sysnet_domtrans_dhcpc(hypervkvp_t)
sysnet_domtrans_ifconfig(hypervkvp_t)

sysnet_manage_dhcpc_pid(hypervkvp_t)
sysnet_signal_dhcpc(hypervkvp_t)

sysnet_manage_config(hypervkvp_t)
sysnet_read_dhcpc_state(hypervkvp_t)
sysnet_read_dhcp_config(hypervkvp_t)
sysnet_etc_filetrans_config(hypervkvp_t)

systemd_exec_systemctl(hypervkvp_t)

userdom_dontaudit_search_admin_dir(hypervkvp_t)

optional_policy(`
    brctl_domtrans(hypervkvp_t)
')

optional_policy(`
    dbus_read_pid_files(hypervkvp_t)
    dbus_system_bus_client(hypervkvp_t)
')

optional_policy(`
    hostname_exec(hypervkvp_t)
')

optional_policy(`
    firewalld_dbus_chat(hypervkvp_t)
')

optional_policy(`
    netutils_domtrans_ping(hypervkvp_t)
    netutils_domtrans(hypervkvp_t)
')

optional_policy(`
    networkmanager_read_pid_files(hypervkvp_t)
    networkmanager_dbus_chat(hypervkvp_t)
')

optional_policy(`
    sysnet_exec_ifconfig(hypervkvp_t)
')

optional_policy(`
    rpm_exec(hypervkvp_t)
')

########################################
#
# hypervvssd local policy
#

allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };

dev_rw_hypervvssd(hypervvssd_t)

files_list_boot(hypervvssd_t)

files_list_all_mountpoints(hypervvssd_t)
files_write_all_mountpoints(hypervvssd_t)
files_list_non_auth_dirs(hypervvssd_t)

logging_send_syslog_msg(hypervvssd_t)

storage_raw_read_fixed_disk(hypervvssd_t)