policy_module(ostree, 1.3.0)

require {
        type init_t;
        type root_t;
        type var_log_t;
        type games_data_t;
        type var_yp_t;
        type systemd_tmpfiles_t;
        type local_login_t;
        type admin_home_t;
        type ldconfig_cache_t;
        type var_t;
        type var_run_t;
        class lnk_file { relabelfrom relabelto read getattr };
        class dir { relabelfrom relabelto create setattr write };
}

# init_t
allow init_t admin_home_t:lnk_file { read getattr };
allow init_t root_t:dir { write };

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t games_data_t:dir relabelto;
allow systemd_tmpfiles_t var_log_t:dir create;
allow systemd_tmpfiles_t var_run_t:lnk_file { relabelfrom relabelto };
allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };
allow systemd_tmpfiles_t var_yp_t:dir relabelto;
allow systemd_tmpfiles_t ldconfig_cache_t:dir { relabelfrom relabelto setattr };
allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };

#============= local_login_t ==============
allow local_login_t admin_home_t:lnk_file read;