# local_openvpn: local SELinux policy module granting the NetworkManager and
# OpenVPN domains the accesses listed below. The rules read like audit2allow
# output -- each maps to a single denial rather than to a refpolicy interface,
# so every permission here should be traceable to a specific AVC record.
module local_openvpn 1.0;

require {
	type lib_t;
	type NetworkManager_runtime_t;
	type openvpn_t;
	type NetworkManager_t;
	type systemd_machined_t;
	type selinux_config_t;
	type xdg_data_t;
	class file { execute_no_trans getattr open read };
	class unix_stream_socket connectto;
	class dir { add_name search };
	class process { getcap setcap };
	class sock_file create;
	class lnk_file read;
}

#============= shared by NetworkManager_t and openvpn_t ==============
# Both domains execute lib_t files in-domain (no domain transition) and
# connect to systemd_machined_t unix stream sockets.
# NOTE(review): execute_no_trans on lib_t covers every file labelled lib_t,
# not just the one object that triggered the denial; confirm the original AVC
# and prefer a narrower target type if the distribution's policy provides one.
allow { NetworkManager_t openvpn_t } lib_t:file execute_no_trans;
allow { NetworkManager_t openvpn_t } systemd_machined_t:unix_stream_socket connectto;

#============= NetworkManager_t only ==============
# Connect to unix stream sockets owned by the openvpn_t domain.
allow NetworkManager_t openvpn_t:unix_stream_socket connectto;

#============= openvpn_t only ==============
# Add an entry to, and create a socket file in, directories/files labelled
# NetworkManager_runtime_t.
allow openvpn_t NetworkManager_runtime_t:dir add_name;
allow openvpn_t NetworkManager_runtime_t:sock_file create;
# getcap/setcap on the domain's own process object.
allow openvpn_t self:process { getcap setcap };
# Read symlinks labelled selinux_config_t.
allow openvpn_t selinux_config_t:lnk_file read;
# Search directories and read regular files labelled xdg_data_t.
allow openvpn_t xdg_data_t:dir search;
allow openvpn_t xdg_data_t:file { getattr open read };