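module xenstored_policy 1.0;

# Local SELinux policy module for the Xen store daemon running as
# xenstored_t (the audit2allow provenance names the process comm="oxenstored").
# Every rule is an unconditional allow; there are no booleans, dontaudit or
# neverallow statements.
#
# The original file carried a second audit2allow section that repeated two of
# these rules (chr_file { read write } on device_t and dir search on
# sysctl_fs_t). Both were strict subsets of the rules below and are folded in
# here, so the effective permission set is unchanged.

require {
    type xenstored_t;
    type device_t;
    type sysctl_fs_t;
    type initrc_t;
    class unix_stream_socket accept;
    class dir search;
    class file { read open };
    class chr_file { read write open };
}

#============= xenstored_t ==============

# Device-node access. device_t is the generic label for device nodes that
# carry no more specific type, so this grants read/write/open on every such
# node rather than on the one xenstored actually needs.
# NOTE(review): if the node that produced this denial can be given a dedicated
# type through a file context, scoping the rule to that type would be
# considerably less permissive -- confirm which /dev node is involved.
# Provenance: audit2allow recorded the denial as { read write } for
# comm="oxenstored"; this rule additionally grants open.
allow xenstored_t device_t:chr_file { read write open };

# Accept client connections on a unix stream socket labelled initrc_t
# (presumably a listening socket created by the init script and inherited by
# the daemon -- verify against how the service is started).
allow xenstored_t initrc_t:unix_stream_socket accept;

# Traverse the fs sysctl tree (sysctl_fs_t) and read files under it.
# Provenance: audit2allow recorded the dir search denial for comm="oxenstored".
allow xenstored_t sysctl_fs_t:dir search;
allow xenstored_t sysctl_fs_t:file { read open };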