policy_module(anvil-subnode, 1.1.0)

########################################
#
# Declarations
#


########################################
#
# Local policy
#

# Use existing types; don't declare unless it's new.
#
require {
	type mnt_t;
	type sysctl_vm_t;
	type svirt_t;
	type virsh_t;
	class file { getattr open read };
}


#============= drbd_t ==============
# drbd rules will be provided by drbd-utils package.


#============= virsh_t ==============
# Needed for virsh to access the domain XMLs under /mnt.
allow virsh_t mnt_t:file { open read };


#============= svirt_t ==============
# Workaround until QEMU fixes its policy for RHEL/Almalinux >= 9.4
allow svirt_t sysctl_vm_t:file { getattr open read };