Description: Make systemd work
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-09-13

Index: refpolicy/policy/modules/contrib/apache.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.te
+++ refpolicy/policy/modules/contrib/apache.te
@@ -527,6 +527,10 @@ seutil_dontaudit_search_config(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
+ifdef(`init_systemd', `
+	systemd_manage_passwd_run(httpd_t)
+')
+
 ifdef(`TODO',`
 	tunable_policy(`allow_httpd_mod_auth_pam',`
 		auth_domtrans_chk_passwd(httpd_t)
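Review bot: `systemd_manage_passwd_run(httpd_t)` is added without a comment saying what httpd needs it for, and httpd_t is a network-facing domain. Judging by its name, the interface grants manage rights on systemd's password run files, which is more than a domain that only submits a request would normally need; this is inferred, because the interface body is not visible here. Add a comment stating the use case, and check whether a narrower systemd interface covers it.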
Index: refpolicy/policy/modules/contrib/cron.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.te
+++ refpolicy/policy/modules/contrib/cron.te
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_status(system_cronjob_t)
 
 auth_domtrans_chk_passwd(crond_t)
 auth_manage_var_auth(crond_t)
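Review bot: The four added calls give `system_cronjob_t` start and stop rights on all units unconditionally, in the middle of the `crond_t` rules and with no comment. The next hunk carries the explanation `# so cron jobs can restart daemons`; moving these calls beside it, and placing them under an init_systemd ifdef as the apache.te hunk does, keeps the grant and its reason together. If cron jobs only need to restart particular daemons, a grant narrower than all units would limit what a faulty or compromised job can stop.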
@@ -417,6 +421,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_use_logind_fds(crond_t)
+	systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+	# so cron jobs can restart daemons
+	init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
 	udev_read_db(crond_t)
 ')
 
Index: refpolicy/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy/policy/modules/contrib/networkmanager.te
@@ -327,6 +327,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_use_logind_fds(NetworkManager_t)
+	systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
 	udev_exec(NetworkManager_t)
 	udev_read_db(NetworkManager_t)
 	udev_read_pid_files(NetworkManager_t)
Index: refpolicy/policy/modules/kernel/devices.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.te
+++ refpolicy/policy/modules/kernel/devices.te
@@ -21,6 +21,9 @@ files_mountpoint(device_t)
 files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
+optional_policy(`
+	systemd_tmpfiles_manage_object(device_t, fifo_file)
+')
 
 #
 # Type for /dev/agpgart
Index: refpolicy/policy/modules/kernel/files.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/files.te
+++ refpolicy/policy/modules/kernel/files.te
@@ -10,6 +10,7 @@ attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+attribute spoolfile;
 attribute configfile;
 
 # For labeling types that are to be polyinstantiated
@@ -171,6 +172,10 @@ type var_run_t;
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
+optional_policy(`
+	systemd_tmpfiles_manage_object(var_run_t, lnk_file)
+')
+
 #
 # var_spool_t is the type of /var/spool
 #
Index: refpolicy/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -332,6 +332,8 @@ optional_policy(`
 
 optional_policy(`
 	init_sigchld(kernel_t)
+	init_dyntrans(kernel_t)
+	domain_dyntrans_type(kernel_t)
 ')
 
 optional_policy(`
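Review bot: The two added lines let `kernel_t` change its own context to `init_t` at run time, and nothing in the hunk says why or restricts it to systemd builds. A dynamic transition out of the kernel domain is a sensitive grant, so it should carry a comment; if the reason is that systemd loads the policy itself and then switches context, say so, e.g. `# systemd loads policy while still kernel_t, then switches to init_t`. Consider wrapping both lines in an init_systemd ifdef so that builds for other init systems do not gain the transition.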
Index: refpolicy/policy/modules/services/ssh.te
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.te
+++ refpolicy/policy/modules/services/ssh.te
@@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
 ')
 
 optional_policy(`
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
+	systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
Index: refpolicy/policy/modules/system/authlogin.te
===================================================================
--- refpolicy.orig/policy/modules/system/authlogin.te
+++ refpolicy/policy/modules/system/authlogin.te
@@ -30,6 +30,9 @@ role system_r types chkpwd_t;
 
 type faillog_t;
 logging_log_file(faillog_t)
+optional_policy(`
+	systemd_tmpfiles_manage_object(faillog_t, file)
+')
 
 type lastlog_t;
 logging_log_file(lastlog_t)
@@ -82,6 +85,9 @@ application_domain(utempter_t, utempter_
 type var_auth_t;
 files_type(var_auth_t)
 files_mountpoint(var_auth_t)
+optional_policy(`
+	systemd_tmpfiles_manage_object(var_auth_t, dir)
+')
 
 type wtmp_t;
 logging_log_file(wtmp_t)
Index: refpolicy/policy/modules/system/init.fc
===================================================================
--- refpolicy.orig/policy/modules/system/init.fc
+++ refpolicy/policy/modules/system/init.fc
@@ -78,6 +78,8 @@ ifdef(`distro_gentoo', `
 /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/wd_keepalive\.pid --	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/sm-notify\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 
 ifdef(`distro_debian',`
Index: refpolicy/policy/modules/system/init.if
===================================================================
--- refpolicy.orig/policy/modules/system/init.if
+++ refpolicy/policy/modules/system/init.if
@@ -101,6 +101,44 @@ interface(`init_script_domain',`
 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
 ')
 
+
+#######################################
+## <summary>
+##  Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Type to be used as a domain.
+##  </summary>
+## </param>
+## <param name="entry_point">
+##  <summary>
+##  Type of the program to be used as an entry point to this domain.
+##  </summary>
+## </param>
+#
+interface(`init_systemd_domain',`
+    gen_require(`
+        type init_t;
+        role system_r;
+    ')
+
+    domain_type($1)
+    domain_entry_file($1,$2)
+
+    role system_r types $1;
+
+    ifdef(`init_systemd',`
+        domtrans_pattern(init_t,$2,$1)
+        allow init_t $1:unix_stream_socket create_stream_socket_perms;
+        allow init_t $1:unix_dgram_socket create_socket_perms;
+	allow $1 init_t:unix_stream_socket ioctl;
+        allow $1 init_t:unix_dgram_socket sendto;
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket($1)
+    ')
+')
+
 ########################################
 ## <summary>
 ##	Create a domain which can be started by init.
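Review bot: The summary of `init_systemd_domain` is word for word the summary of `init_domain` that follows it, so the documentation gives no reason to choose one over the other. State what differs: the init_t transition and socket rules apply only when init_systemd is defined, and the domain may write to the notify socket. Without init_systemd the interface declares the domain and role but grants no transition at all, which deserves a sentence too. The body mixes space and tab indentation, whereas the surrounding interfaces use tabs.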
@@ -127,7 +165,11 @@ interface(`init_domain',`
 
 	role system_r types $1;
 
-	domtrans_pattern(init_t, $2, $1)
+	ifdef(`init_systemd', `
+		domtrans_pattern(init_t, $2, $1)
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
 
 	ifdef(`init_systemd',`
 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
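Review bot: The transition from init_t is now granted only when init_systemd is defined, because the formerly unconditional `domtrans_pattern(init_t, $2, $1)` was moved inside the new ifdef instead of being left in place. On a build without init_systemd, callers of `init_domain` would lose the init_t transition they had before this change. Keep `domtrans_pattern(init_t, $2, $1)` outside the block and put only the two socket `allow` rules under the condition, ideally in the existing init_systemd block that follows directly. The interface starts and ends outside this hunk.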
@@ -164,10 +206,12 @@ interface(`init_ranged_domain',`
 
 	ifdef(`enable_mcs',`
 		range_transition init_t $2:process $3;
+		range_transition initrc_t $2:process $3;
 	')
 
 	ifdef(`enable_mls',`
 		range_transition init_t $2:process $3;
+		range_transition initrc_t $2:process $3;
 		mls_rangetrans_target($1)
 	')
 ')
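Review bot: The added `range_transition initrc_t $2:process $3;` lines use `initrc_t`, but this hunk does not add `type initrc_t;` to the interface's gen_require block, which lies outside the hunk. The hunks for `init_ranged_daemon_domain` and `init_ranged_system_domain` do add `type init_t;` for their new rules. If `init_ranged_domain` does not already require `initrc_t`, add it there.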
@@ -210,8 +254,10 @@ interface(`init_ranged_domain',`
 interface(`init_daemon_domain',`
 	gen_require(`
 		type initrc_t;
+		type init_t;
 		role system_r;
 		attribute daemon;
+		attribute initrc_transition_domain;
 	')
 
 	typeattribute $1 daemon;
@@ -223,6 +269,12 @@ interface(`init_daemon_domain',`
 
 	domtrans_pattern(initrc_t, $2, $1)
 
+	ifdef(`init_systemd', `
+		domtrans_pattern(init_t, $2, $1)
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
+
 	# daemons started from init will
 	# inherit fds from init for the console
 	init_dontaudit_use_fds($1)
@@ -292,6 +344,7 @@ interface(`init_daemon_domain',`
 interface(`init_ranged_daemon_domain',`
 	gen_require(`
 		type initrc_t;
+		type init_t;
 	')
 
 	ifdef(`init_systemd',`
@@ -301,11 +354,13 @@ interface(`init_ranged_daemon_domain',`
 
 		ifdef(`enable_mcs',`
 			range_transition initrc_t $2:process $3;
+			range_transition init_t $2:process $3;
 		')
 
 		ifdef(`enable_mls',`
 			range_transition initrc_t $2:process $3;
 			mls_rangetrans_target($1)
+			range_transition init_t $2:process $3;
 		')
 	')
 ')
@@ -400,8 +455,10 @@ interface(`init_system_domain',`
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute systemprocess;
 	')
 
+	typeattribute $1 systemprocess;
 	application_domain($1, $2)
 
 	role system_r types $1;
@@ -459,6 +516,7 @@ interface(`init_system_domain',`
 interface(`init_ranged_system_domain',`
 	gen_require(`
 		type initrc_t;
+		type init_t;
 	')
 
 	ifdef(`init_systemd',`
@@ -468,15 +526,35 @@ interface(`init_ranged_system_domain',`
 
 		ifdef(`enable_mcs',`
 			range_transition initrc_t $2:process $3;
+			range_transition init_t $2:process $3;
 		')
 
 		ifdef(`enable_mls',`
 			range_transition initrc_t $2:process $3;
+			range_transition init_t $2:process $3;
 			mls_rangetrans_target($1)
 		')
 	')
 ')
 
+######################################
+## <summary>
+##  Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`init_dyntrans',`
+	gen_require(`
+		type init_t;
+	')
+
+	dyntrans_pattern($1, init_t)
+')
+
 ########################################
 ## <summary>
 ##	Mark the file type as a daemon pid file, allowing initrc_t
@@ -563,7 +641,6 @@ interface(`init_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`init_exec',`
 	gen_require(`
@@ -574,6 +651,25 @@ interface(`init_exec',`
 	can_exec($1, init_exec_t)
 ')
 
+#######################################
+## <summary>
+##  Dontaudit getattr on the init program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dontaudit_getattr_exec',`
+    gen_require(`
+        type init_exec_t;
+    ')
+
+	dontaudit $1 init_exec_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Execute the rc application in the caller domain.
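Review bot: The parameter summary of `init_dontaudit_getattr_exec` says `Domain allowed access.`, but the interface only adds a dontaudit rule; the other dontaudit interfaces in this patch use `Domain to not audit.`. The `## <rolecap/>` tag that the previous hunk removes from `init_exec` reappears here, which looks like an accidental move rather than an intended role capability on a dontaudit interface. The gen_require block is indented with spaces while the rule uses a tab; the existing interfaces use tabs.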
@@ -660,6 +756,24 @@ interface(`init_sigchld',`
 
 ########################################
 ## <summary>
+##	Send generic signals to init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signal',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Connect to init with a unix socket.
 ## </summary>
 ## <param name="domain">
@@ -675,6 +789,7 @@ interface(`init_stream_connect',`
 
 	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
 	files_search_pids($1)
+	allow $1 init_t:unix_stream_socket getattr;
 ')
 
 ########################################
@@ -809,6 +924,42 @@ interface(`init_udp_send',`
 
 ########################################
 ## <summary>
+##	start service (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_system_start',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system start;
+')
+
+########################################
+## <summary>
+##	stop service (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_system_stop',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system stop;
+')
+
+########################################
+## <summary>
 ##	Get all service status (systemd).
 ## </summary>
 ## <param name="domain">
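Review bot: The summaries `start service (systemd).` and `stop service (systemd).` describe unit operations, but the rules grant `start` and `stop` of the `system` class on `init_t`, not a `service` permission on a unit. Reword them to say what is granted, for example `Allow the system class start permission on init (systemd).`, so they are not confused with the unit interfaces such as `init_start_all_units` used in cron.te.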
@@ -983,29 +1134,50 @@ interface(`init_dbus_chat',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
+#
+interface(`init_manage_var_lib_files',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The object class.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`init_relabel_var_lib_dirs',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	list /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`init_manage_var_lib_files',`
+interface(`init_list_var_lib_dirs',`
 	gen_require(`
 		type init_var_lib_t;
 	')
 
-	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
-	files_search_var_lib($1)
+	allow $1 init_var_lib_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -1149,19 +1321,25 @@ interface(`init_telinit',`
 		type initctl_t;
 	')
 
+	corecmd_exec_bin($1)
+
 	dev_list_all_dev_nodes($1)
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
 	init_exec($1)
 
-	tunable_policy(`init_upstart',`
+	ifdef(`init_systemd',`
 		gen_require(`
 			type init_t;
 		')
 
+		ps_process_pattern($1, init_t)
+		allow $1 init_t:process signal;
 		# upstart uses a datagram socket instead of initctl pipe
 		allow $1 self:unix_dgram_socket create_socket_perms;
 		allow $1 init_t:unix_dgram_socket sendto;
+		#576913
+		allow $1 init_t:unix_stream_socket connectto;
 	')
 ')
 
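Review bot: Replacing the init_upstart tunable block with an init_systemd ifdef removes the datagram-socket rules from policies built for upstart, so telinit callers on such systems would lose access they had before. The retained comment `# upstart uses a datagram socket instead of initctl pipe` no longer matches the condition it sits under, and `#576913` does not say which tracker it refers to. If both init systems are to stay supported, leave the tunable block as it was and add a separate init_systemd block holding `ps_process_pattern($1, init_t)`, the signal rule and the `connectto` rule. init_telinit begins outside this hunk.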
@@ -1171,7 +1349,7 @@ interface(`init_telinit',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1269,19 +1447,59 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute init_script_file_type;
+		attribute initrc_transition_domain;
 	')
+	typeattribute $1 initrc_transition_domain;
 
 	files_list_etc($1)
-	domtrans_pattern($1, initrc_exec_t, initrc_t)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 init_script_file_type:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute a file in a bin directory
+##	in the initrc_t domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
 	')
+
+	corecmd_bin_domtrans($1, initrc_t)
+')
+
+########################################
+## <summary>
+##	kill a initrc_t process
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_kill_initrc',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process sigkill;
 ')
 
 ########################################
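Review bot: `init_bin_domtrans_spec` is named as a specified transition but calls `corecmd_bin_domtrans($1, initrc_t)`; if that interface makes the transition automatic, every bin file the caller executes would run in initrc_t. If only an explicitly requested transition is intended, `corecmd_bin_spec_domtrans($1, initrc_t)` matches the name; otherwise rename the interface and say so in the summary. The same hunk widens `init_domtrans_script` from `initrc_exec_t` to the whole `init_script_file_type` attribute for every existing caller, which deserves a line in that interface's documentation.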
@@ -1337,9 +1555,14 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
+		attribute initrc_transition_domain;
 	')
 
+	typeattribute $1 initrc_transition_domain;
+	# service script searches all filesystems via mountpoint
+	fs_search_all($1)
 	domtrans_pattern($1, $2, initrc_t)
+	allow $1 $2:file ioctl;
 	files_search_etc($1)
 ')
 
@@ -1494,7 +1717,9 @@ interface(`init_ptrace',`
 		type init_t;
 	')
 
-	allow $1 init_t:process ptrace;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 init_t:process ptrace;
+	')
 ')
 
 ########################################
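Review bot: The new condition depends on a `deny_ptrace` tunable that none of the hunks visible here declares; the init.te hunk in this patch adds only `allow_daemons_use_tty` and `allow_daemons_dump_core`. If the tunable is not declared elsewhere in the policy, this interface will not build. A comment such as `# ptrace of init is granted only while deny_ptrace is off` would also help, since the empty true branch is easy to misread. init_ptrace begins outside this hunk.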
@@ -1612,6 +1837,24 @@ interface(`init_read_all_script_files',`
 
 #######################################
 ## <summary>
+##	Dontaudit getattr all init script files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	dontaudit $1 init_script_file_type:file getattr;
+')
+
+#######################################
+## <summary>
 ##	Dontaudit read all init script files.
 ## </summary>
 ## <param name="domain">
@@ -1663,12 +1906,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
@@ -1868,6 +2106,60 @@ interface(`init_rw_script_stream_sockets
 	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
 ')
 
+#######################################
+## <summary>
+##  Dontaudit Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##     Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect',`
+	gen_require(`
+		type init_t;
+	')
+
+	dontaudit $1 init_t:unix_stream_socket connectto;
+')
+
+######################################
+## <summary>
+##  Dontaudit getattr to init with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_stream_socket',`
+	gen_require(`
+		type init_t;
+	')
+
+	dontaudit $1 init_t:unix_stream_socket getattr;
+')
+
+######################################
+## <summary>
+##  Dontaudit read and write to init with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_stream_socket',`
+	gen_require(`
+		type init_t;
+	')
+
+	dontaudit $1 init_t:unix_stream_socket { getattr read write };
+')
+
 ########################################
 ## <summary>
 ##	Dont audit the specified domain connecting to
@@ -2015,6 +2307,25 @@ interface(`init_getattr_script_status_fi
 
 ########################################
 ## <summary>
+##	Manage init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
@@ -2092,6 +2403,24 @@ interface(`init_rw_script_tmp_files',`
 
 ########################################
 ## <summary>
+##	Read and write init script inherited temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
@@ -2164,6 +2493,24 @@ interface(`init_read_utmp',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write utmp.
 ## </summary>
 ## <param name="domain">
@@ -2252,7 +2599,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2276,6 +2623,24 @@ interface(`init_manage_utmp',`
 
 ########################################
 ## <summary>
+##	relabel from/to utmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Create files in /var/run with the
 ##	utmp file type.
 ## </summary>
@@ -2293,6 +2658,116 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
+######################################
+## <summary>
+##  Allow search  directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_search_pid_dirs',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##  Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:dir list_dir_perms;
+    create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Start and stop a service file under /run/systemd/system
+##  Should we have a different type for this?
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`start_stop_init_var_run_service',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:service { start status stop };
+')
+
+#######################################
+## <summary>
+##	Create objects in /run/systemd directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_name">
+##	<summary>
+##	The name of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`init_named_pid_filetrans',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
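Review bot: `start_stop_init_var_run_service` does not carry the `init_` prefix that the other interfaces in init.if use, so a caller cannot tell from the name which module provides it; a name along the lines of `init_start_stop_var_run_service` would fit the convention. The last init.if hunk has the same issue with `initrc_service_status`, `initrc_manage_service`, `rename_unlink_init_var_run` and `read_initrc_files`. The open question `Should we have a different type for this?` sits in the `##` summary text; it would be better as a plain `#` comment beside the rule so it does not become part of the interface documentation.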
@@ -2505,6 +2980,269 @@ interface(`init_reload_all_units',`
 	allow $1 systemdunit:service reload;
 ')
 
+#######################################
+## <summary>
+##	All perms on all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service all_service_perms;
+	')
+
+	allow $1 systemdunit:service all_service_perms;
+	allow $1 systemdunit:file getattr;
+')
+
+########################################
+## <summary>
+##	Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##      <p>
+##	Execute a init script in a specified role
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_role">
+##	<summary>
+##	Role to transition from.
+##	</summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	role_transition $1 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+##	Start and stop init_script_file_type services
+## </summary>
+## <param name="domain">
+##	<summary>
+##	domain that can start and stop the services
+##	</summary>
+## </param>
+#
+interface(`init_script_service_restart',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	allow $1 init_script_file_type:service { start status stop };
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked init scrip file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_script_leaks',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:tcp_socket { read write };
+	dontaudit $1 initrc_t:udp_socket { read write };
+	dontaudit $1 initrc_t:unix_dgram_socket { read write };
+	dontaudit $1 initrc_t:unix_stream_socket { read write };
+	dontaudit $1 initrc_t:shm rw_shm_perms;
+	init_dontaudit_use_script_ptys($1)
+	init_dontaudit_use_script_fds($1)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to ioctl an
+##  init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_ioctl_stream_sockets',`
+    gen_require(`
+        type init_t;
+    ')
+
+    allow $1 init_t:unix_stream_socket ioctl;
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  init sock file.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Send a message to init over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_stream_send',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket sendto;
+')
+
+########################################
+## <summary>
+##	Create a file type used for init socket files.
+## </summary>
+## <desc>
+##	<p>
+##	This defines a type that init can create sock_file within for
+##	impersonation purposes
+##	</p>
+## </desc>
+## <param name="script_file">
+##	<summary>
+##	Type to be used for a sock file.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`init_sock_file',`
+	gen_require(`
+		attribute init_sock_file_type;
+	')
+
+	typeattribute $1 init_sock_file_type;
+
+')
+
+########################################
+## <summary>
+##	Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_pipes',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##	Get the system status information from init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_status',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+##	Tell init to reboot the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reboot',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Tell init to halt the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_halt',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+##	Tell init to do an unknown access.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_undefined',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system undefined;
+')
+
 ########################################
 ## <summary>
 ##      Init will execute a shell in the specified domain.
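Review bot: `init_script_role_transition` uses `system_r` in its `role_transition` rule, but its gen_require block lists only `attribute init_script_file_type;`. `init_systemd_domain` earlier in this patch requires the role explicitly, and this interface should do the same by adding `role system_r;` to the gen_require block. Separately, the summary of `init_read_pipes` says unnamed pipes while the rule reads fifo files labelled `init_var_run_t`; the wording should be aligned with the rule.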
@@ -2525,3 +3263,76 @@ interface(`init_shell_domtrans',`
 	allow $1 init_t:fifo_file rw_file_perms;
 	allow $1 init_t:process sigchld;
 ')
+
+########################################
+## <summary>
+##      Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`initrc_service_status',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	allow $1 initrc_exec_t:service status;
+')
+
+########################################
+## <summary>
+##      Allow manage service for initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`initrc_manage_service',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	allow $1 initrc_exec_t:service { start stop status };
+')
+
+########################################
+## <summary>
+##      Rename and unlink init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`rename_unlink_init_var_run',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:file { rename getattr unlink };
+')
+
+########################################
+## <summary>
+##      Read initrc_t files for /proc/pid/cgroup etc
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`read_initrc_files',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:dir search;
+	allow $1 initrc_t:file read_file_perms;
+')
Index: refpolicy/policy/modules/system/init.te
===================================================================
--- refpolicy.orig/policy/modules/system/init.te
+++ refpolicy/policy/modules/system/init.te
@@ -16,13 +16,31 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty, false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core, false)
+
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
 attribute systemdunit;
+attribute initrc_transition_domain;
+# Attribute used for systemd so domains can allow systemd to create sock_files
+attribute init_sock_file_type;
 
 # Mark process types as daemons
 attribute daemon;
+attribute systemprocess;
 
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
@@ -33,7 +51,7 @@ attribute daemonrundir;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -66,6 +84,7 @@ type initrc_exec_t, init_script_file_typ
 domain_type(initrc_t)
 domain_entry_file(initrc_t, initrc_exec_t)
 init_named_socket_activation(initrc_t, init_var_run_t)
+allow init_run_all_scripts_domain systemdunit:service { status start stop };
 role system_r types initrc_t;
 # should be part of the true block
 # of the below init_upstart tunable
@@ -110,6 +129,7 @@ ifdef(`enable_mls',`
 
 # Use capabilities. old rule:
 allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
@@ -128,6 +148,9 @@ allow init_t initrc_t:unix_stream_socket
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 
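Review bot: The added rule `allow init_t init_var_run_t:file manage_lnk_file_perms;` names the `file` class although its comment is about symlinks, so it grants no access to symbolic links. It only repeats permissions that the `manage_file_perms` rule at the top of this hunk already gives. The class should be `lnk_file`: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;`. As written, systemd would presumably still be denied when it creates or removes links labelled init_var_run_t.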
@@ -147,6 +170,7 @@ dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@@ -272,7 +296,9 @@ ifdef(`init_systemd',`
 
 	term_relabel_pty_dirs(init_t)
 
-	clock_read_adjtime(init_t)
+	optional_policy(`
+		clock_read_adjtime(init_t)
+	')
 
 	logging_manage_pid_sockets(init_t)
 	logging_send_audit_msgs(init_t)
@@ -342,6 +368,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_read_db(init_t)
+	udev_relabelto_db(init_t)
+	udev_create_kobject_uevent_socket(init_t)
+')
+
+#optional_policy(`
+#	xserver_relabel_xdm_tmp_dirs(init_t)
+#	xserver_manage_xdm_tmp_dirs(init_t)
+#')
+
+optional_policy(`
 	unconfined_domain(init_t)
 ')
 
@@ -395,6 +432,7 @@ manage_files_pattern(initrc_t, initrc_tm
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -437,6 +475,7 @@ corenet_sendrecv_all_client_packets(init
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
@@ -447,8 +486,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -456,17 +497,16 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
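Review bot: The added `domain_sigstop_all_domains(initrc_t)` repeats the context line directly above it, so it changes nothing in the compiled policy. Drop the line or, if a different signal interface was meant, name that one. The same hunk removes `domain_dontaudit_ptrace_all_domains(initrc_t)` without explanation; if the intent is that ptrace denials from init scripts are audited again, a one-line comment saying so would record that.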
@@ -474,6 +514,7 @@ domain_dontaudit_getattr_all_udp_sockets
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
@@ -481,8 +522,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@@ -496,8 +539,12 @@ files_manage_generic_spool(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -507,9 +554,13 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
@@ -519,6 +570,7 @@ mls_process_read_all_levels(initrc_t)
 mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -550,7 +602,11 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
+
+optional_policy(`
+	init_status(initrc_t)
+')
 
 optional_policy(`
 	modutils_read_module_config(initrc_t)
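Review bot: The replacement `miscfiles_manage_generic_cert_files(initrc_t)` sits under a comment that only justifies reading certificates ("slapd needs to read cert files from its initscript"). By its name the new interface lets every init script create, modify and delete generic certificate files. If no script needs to write them, keep `miscfiles_read_generic_certs(initrc_t)`; if one does, update the comment to name that script and what it writes.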
@@ -563,7 +619,7 @@ userdom_read_user_home_content_files(ini
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
@@ -621,7 +677,9 @@ ifdef(`distro_gentoo',`
 	files_mountpoint(initrc_state_t)
 
 	# init scripts touch this
-	clock_dontaudit_write_adjtime(initrc_t)
+	optional_policy(`
+		clock_dontaudit_write_adjtime(initrc_t)
+	')
 
 	logging_send_audit_msgs(initrc_t)
 
@@ -635,6 +693,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		alsa_read_lib(initrc_t)
 	')
 
@@ -655,7 +717,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
+	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
@@ -690,6 +752,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
+	miscfiles_filetrans_named_content(initrc_t)
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
@@ -699,8 +762,35 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
+		bind_manage_config(initrc_t)
 		bind_write_config(initrc_t)
+		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		devicekit_append_inherited_log_files(initrc_t)
+	')
+
+	optional_policy(`
+		dirsrvadmin_read_config(initrc_t)
+		dirsrv_manage_var_run(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
+	')
+
+	optional_policy(`
+		ldap_read_db_files(initrc_t)
+	')
+
+	optional_policy(`
+		pulseaudio_stream_connect(initrc_t)
 	')
 
 	optional_policy(`
@@ -708,14 +798,27 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
+	optional_policy(`
+		rpcbind_stream_connect(initrc_t)
+	')
 
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
 		sysnet_manage_config(initrc_t)
+		sysnet_manage_dhcpc_state(initrc_t)
+		sysnet_relabelfrom_dhcpc_state(initrc_t)
+		sysnet_relabelfrom_net_conf(initrc_t)
+		sysnet_relabelto_net_conf(initrc_t)
+		sysnet_filetrans_named_content(initrc_t)
+	')
+
+	optional_policy(`
+		wdmd_manage_pid_files(initrc_t)
 	')
 
 	optional_policy(`
 		xserver_delete_log(initrc_t)
+		xserver_manage_user_fonts_dir(initrc_t)
 	')
 ')
 
@@ -738,9 +841,11 @@ ifdef(`init_systemd',`
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
 
 	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+	allow initrc_t systemd_unit_t:service reload;
 
 	manage_files_pattern(initrc_t, systemdunit, systemdunit)
 	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+	allow initrc_t systemdunit:service reload;
 
 	kernel_dgram_send(initrc_t)
 
@@ -773,6 +878,8 @@ ifdef(`init_systemd',`
 	seutil_read_file_contexts(initrc_t)
 
 	systemd_start_power_units(initrc_t)
+	allow initrc_t init_t:system { status reboot halt reload };
+	dev_null_manage_service(initrc_t)
 
 	optional_policy(`
 		# create /var/lock/lvm/
@@ -780,6 +887,32 @@ ifdef(`init_systemd',`
 	')
 ')
 
+domain_dontaudit_use_interactive_fds(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_ttys(daemon)
+	term_use_all_ptys(daemon)
+',`
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_ttys(daemon)
+	term_dontaudit_use_all_ptys(daemon)
+ ')
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+	files_manage_root_files(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
+	userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
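Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` is placed above the `allow_daemons_dump_core` tunable, which is an allow rule, while the dontaudit calls it seems to describe are in the optional_policy block that follows. Move the comment down to that block and give the tunable its own, e.g. `# daemons whose working directory is / drop their core files there`. Note also that `files_manage_root_files(daemon)` is, by its name, wider than creating a core file: with the boolean on, every daemon domain may presumably modify and delete existing files carrying the root-directory label.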
@@ -792,6 +925,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
+	# webmin seems to cause this.
+	apache_search_sys_content(daemon)
 ')
 
 optional_policy(`
@@ -813,6 +948,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
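Review bot: `domain_setpriority_all_domains(initrc_t)` is placed inside the optional block for the cgroup module, so the permission appears or disappears with that module and nothing explains why init scripts change other domains' priority. Unless it is only needed together with cgred (in which case say so in a comment), put it with the other `domain_*_all_domains(initrc_t)` calls and name what needs it.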
@@ -829,6 +965,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_read_pipes(initrc_t)
+	# managing /etc/cron.d/mailman content
+	cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
@@ -845,9 +987,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_manage_lib_files(initrc_t)
+
+	init_dbus_chat(initrc_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
+		consolekit_manage_log(initrc_t)
 	')
 
 	optional_policy(`
@@ -889,6 +1035,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	inn_exec_config(initrc_t)
 ')
 
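Review bot: The new optional_policy block calls `modutils_read_module_config(initrc_t)` a second time; the file already has that call in its own optional block, visible as context at the end of the `-550,7 +602,11` hunk. Only `modutils_domtrans_insmod(initrc_t)` is new, so add that line to the existing block instead of creating a duplicate one.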
@@ -929,6 +1080,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
+	lpd_manage_spool(init_t)
 ')
 
 optional_policy(`
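Review bot: `lpd_manage_spool(init_t)` is the only call in this optional block that targets `init_t`; every neighbouring line grants to `initrc_t`, so this looks like a typo. As written it gives the PID 1 domain management of the print spool and leaves init scripts without it. If init scripts are the intended subject the line should read `lpd_manage_spool(initrc_t)`; if `init_t` is really meant, move it next to the other `init_t` rules and say why in a comment.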
@@ -947,6 +1099,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_read_config(initrc_t)
+	mta_write_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -969,6 +1122,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
@@ -981,6 +1138,7 @@ optional_policy(`
 	puppet_rw_tmp(initrc_t)
 ')
 
+
 optional_policy(`
 	quota_manage_flags(initrc_t)
 ')
@@ -1011,8 +1169,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
-	# why is this needed:
-	rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1030,10 +1186,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
+ifdef(`enabled_mls',`
 optional_policy(`
 	# allow init scripts to su
 	su_restricted_domain_template(initrc, initrc_t, system_r)
 ')
+')
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
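Review bot: The new guard tests `enabled_mls`, but the build option used elsewhere in this file is `enable_mls` (see the ifdef quoted in the `-110,6 +129,7` hunk header). Unless `enabled_mls` is defined somewhere outside this patch, the condition is never true and `su_restricted_domain_template(initrc, initrc_t, system_r)` is silently dropped from every build, MLS or not. Use `enable_mls` if the template should be MLS-only; if the goal is to disable it, remove the block or comment it out with the reason stated.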
@@ -1049,7 +1207,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
@@ -1066,6 +1223,10 @@ optional_policy(`
 
 optional_policy(`
 	unconfined_domain(initrc_t)
+	domain_role_change_exemption(initrc_t)
+	mcs_file_read_all(initrc_t)
+	mcs_file_write_all(initrc_t)
+	mcs_killall(initrc_t)
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
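Review bot: The three `mcs_*` calls added inside the unconfined block are redundant. `mcs_file_read_all(initrc_t)` and `mcs_file_write_all(initrc_t)` are added unconditionally by the `-507,9 +554,13` hunk of this patch, and `mcs_killall(initrc_t)` is already present there as context. Keep one copy, and decide whether the MCS override should hold for confined init scripts too or only when the unconfined module is present. `domain_role_change_exemption(initrc_t)` lifts a role-change constraint and deserves a comment naming what needs it.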
@@ -1075,6 +1236,15 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	optional_policy(`
+		rtkit_scheduled(initrc_t)
+	')
+')
+
+optional_policy(`
+	rpm_read_db(initrc_t)
+	rpm_delete_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1100,3 +1270,267 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
+
+userdom_dontaudit_rw_stream(daemon)
+
+logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+	# sudo service restart causes this
+	unconfined_signull(daemon)
+')
+
+
+optional_policy(`
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_dontaudit_rw_nfs_files(daemon)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_dontaudit_rw_cifs_files(daemon)
+	')
+')
+
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+	abrt_stream_connect(daemon)
+')
+
+optional_policy(`
+	fail2ban_read_lib_files(daemon)
+')
+
+init_rw_stream_sockets(daemon)
+
+allow init_t var_run_t:dir relabelto;
+
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
+allow initrc_t daemon:process siginh;
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
+
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
+	modutils_domtrans_insmod(init_t)
+')
+
+optional_policy(`
+	postfix_list_spool(init_t)
+	mta_read_aliases(init_t)
+')
+
+ifdef(`init_systemd',`
+	allow init_t self:system { status reboot halt reload };
+
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow init_t self:capability2 audit_read;
+
+	kernel_list_unlabeled(init_t)
+	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
+
+	files_search_all(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_unmount_all_file_type_fs(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_delete_all_pids(init_t)
+	files_exec_generic_pid_files(init_t)
+	files_create_all_pid_pipes(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_manage_urandom_seed(init_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_list_var(init_t)
+	files_create_lock_dirs(init_t)
+	files_relabel_all_lock_dirs(init_t)
+
+	fs_getattr_all_fs(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_unmount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_search_cgroup_dirs(daemon)
+
+	selinux_compute_create_context(init_t)
+	selinux_validate_context(init_t)
+	selinux_unmount_fs(init_t)
+
+	storage_getattr_removable_dev(init_t)
+
+	term_relabel_ptys_dirs(init_t)
+
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
+
+	init_read_script_state(init_t)
+
+	seutil_read_file_contexts(init_t)
+
+	systemd_manage_unit_dirs(init_t)
+	systemd_manage_all_unit_files(init_t)
+
+	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+	allow initrc_t init_script_file_type:service { stop start status reload };
+
+
+')
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
+optional_policy(`
+	systemd_filetrans_named_content(init_t)
+')
+
+optional_policy(`
+	lvm_rw_pipes(init_t)
+')
+
+ifdef(`init_systemd',`
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow init_t daemon:udp_socket create_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# daemons started from init will
+# inherit fds from init for the console
+init_dontaudit_use_fds(daemon)
+term_dontaudit_use_console(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+allow init_t daemon:process siginh;
+
+ifdef(`hide_broken_symptoms',`
+	# RHEL4 systems seem to have a stray
+	# fds open from the initrd
+	ifdef(`distro_rhel4',`
+		kernel_dontaudit_use_fds(daemon)
+	')
+
+	dontaudit daemon init_t:dir search_dir_perms;
+')
+
+optional_policy(`
+	nscd_socket_use(daemon)
+')
+
+optional_policy(`
+	puppet_rw_tmp(daemon)
+')
+
+allow initrc_t systemprocess:process siginh;
+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow systemprocess initrc_transition_domain:fd use;
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+
+ifdef(`init_systemd',`
+	# Handle upstart/systemd direct transition to a executable
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+ifdef(`hide_broken_symptoms',`
+	# RHEL4 systems seem to have a stray
+	# fds open from the initrd
+	ifdef(`distro_rhel4',`
+		kernel_dontaudit_use_fds(systemprocess)
+	')
+')
+
+userdom_dontaudit_search_user_home_dirs(systemprocess)
+userdom_dontaudit_rw_stream(systemprocess)
+userdom_dontaudit_write_user_tmp_files(systemprocess)
+
+tunable_policy(`allow_daemons_use_tty',`
+   term_use_all_ttys(systemprocess)
+   term_use_all_ptys(systemprocess)
+',`
+   term_dontaudit_use_all_ttys(systemprocess)
+   term_dontaudit_use_all_ptys(systemprocess)
+')
+
+# these apps are often redirect output to random log files
+logging_inherit_append_all_logs(systemprocess)
+
+optional_policy(`
+	abrt_stream_connect(systemprocess)
+')
+
+optional_policy(`
+	cron_rw_pipes(systemprocess)
+')
+
+optional_policy(`
+	puppet_rw_tmp(systemprocess)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(systemprocess)
+	unconfined_dontaudit_rw_stream(systemprocess)
+	userdom_dontaudit_read_user_tmp_files(systemprocess)
+')
+
+init_rw_script_stream_sockets(systemprocess)
+
+role system_r types systemprocess;
+role system_r types daemon;
+
+#ifdef(`enable_mls',`
+#	mls_rangetrans_target(systemprocess)
+#')
+
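Review bot: `storage_raw_rw_fixed_disk(init_t)` is added at top level, outside both `init_systemd` ifdef blocks, so PID 1 gets raw read/write access to fixed disks on sysvinit builds as well, and no comment says what needs it. Raw block-device access sidesteps the per-file labels on those disks, so the grant should be as narrow as possible: move it inside the `init_systemd` block with a comment naming the consumer, and check whether a read-only or getattr interface is enough. The same applies to `allow init_t var_run_t:dir relabelto;` and `modutils_domtrans_insmod(init_t)` next to it. The `# Until systemd is fixed` rule on `daemon init_t:socket_class_set` would also benefit from a bug reference so that it can be removed later.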
Index: refpolicy/policy/modules/system/logging.fc
===================================================================
--- refpolicy.orig/policy/modules/system/logging.fc
+++ refpolicy/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -67,7 +68,6 @@ ifdef(`distro_redhat',`
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 /var/run/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-/var/run/log/journal(/.*)?	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -86,3 +86,16 @@ ifdef(`distro_redhat',`
 /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/opt/zimbra/log(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/local/centreon/log(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
+/usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+/usr/sbin/auditctl	--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+/usr/sbin/auditd	--	gen_context(system_u:object_r:auditd_exec_t,s0)
+/usr/sbin/minilogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
Index: refpolicy/policy/modules/system/miscfiles.te
===================================================================
--- refpolicy.orig/policy/modules/system/miscfiles.te
+++ refpolicy/policy/modules/system/miscfiles.te
@@ -40,6 +40,9 @@ files_type(locale_t)
 #
 type man_t alias catman_t;
 files_type(man_t)
+optional_policy(`
+	systemd_tmpfiles_manage_object(man_t, dir)
+')
 
 type man_cache_t;
 files_type(man_cache_t)
Index: refpolicy/policy/modules/system/udev.te
===================================================================
--- refpolicy.orig/policy/modules/system/udev.te
+++ refpolicy/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -82,8 +82,16 @@ files_pid_filetrans(udev_t, udev_var_run
 
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
-# systemd-udevd needs kernel_load_module
+modutils_read_module_objects(udev_t)
+
+# systemd-udevd needs kernel_load_module and files_read_kernel_modules
 kernel_load_module(udev_t)
+files_read_kernel_modules(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_pid_dirs(udev_t)
+# for hdparm init script run by udev
+initrc_service_status(udev_t)
+
 kernel_getattr_core_if(udev_t)
 kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
@@ -178,6 +186,10 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
+systemd_read_logind_sessions_files(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
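Review bot: `systemd_read_logind_sessions_files(udev_t)` is called unconditionally, whereas other systemd interface calls in this patch are wrapped in optional_policy (for example `systemd_tmpfiles_manage_object(man_t, dir)` in miscfiles.te and `systemd_filetrans_named_content(init_t)` in init.te). Wrap it the same way so udev.te still builds when the systemd module is left out. `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` let udev start and stop every unit and carry no comment; add one naming the udev rule or helper that needs it.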
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- refpolicy.orig/policy/modules/system/logging.te
+++ refpolicy/policy/modules/system/logging.te
@@ -94,6 +94,26 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 
+ifdef(`init_systemd', `
+	dev_read_kmsg(syslogd_t)
+	dev_write_kmsg(syslogd_t)
+	allow syslogd_t self:capability sys_ptrace;
+	init_read_pipes(syslogd_t)
+	init_read_state(syslogd_t)
+	allow syslogd_t init_var_run_t:file { read write create open };
+	allow syslogd_t var_run_t:dir create;
+	init_create_pid_dirs(syslogd_t)
+	kernel_read_ring_buffer(syslogd_t)
+	dev_read_urand(syslogd_t)
+	domain_read_all_domains_state(syslogd_t)
+	manage_systemd_journal_files(syslogd_t)
+
+	# for systemd-journal
+	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+	allow syslogd_t self:capability2 audit_read;
+	rename_unlink_init_var_run(syslogd_t)
+')
+
 ########################################
 #
 # Auditctl local policy
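Review bot: `allow syslogd_t self:capability sys_ptrace;` and `domain_read_all_domains_state(syslogd_t)` are added without a comment, and together they let the log daemon inspect every process on the system. Presumably this is for systemd-journald collecting per-process metadata from /proc; say so above the two lines, e.g. `# systemd-journald reads /proc/<pid> of log clients for message metadata`, so the grant can be revisited later. The `# for systemd-journal` comment further down covers only the audit socket rules.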
@@ -228,6 +248,9 @@ optional_policy(`
 	udev_read_db(auditd_t)
 ')
 
+# for systemd but can not be conditional
+filetrans_pattern(syslogd_t, var_run_t, syslogd_tmp_t, dir, "log")
+
 ########################################
 #
 # audit dispatcher local policy
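Review bot: The named transition `filetrans_pattern(syslogd_t, var_run_t, syslogd_tmp_t, dir, "log")` creates the `log` directory as `syslogd_tmp_t`, but logging.fc in this same patch keeps the `/var/run/log -d` entry labelled `var_log_t`. The directory would therefore change type on the next relabel, and rules written for one type will not match the other; pick one type and use it in both places. The rule also sits at the end of the auditd section although it concerns `syslogd_t`, so it belongs with the other syslogd_t pid-file rules.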
@@ -394,6 +417,9 @@ allow syslogd_t syslog_conf_t:file read_
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
+
+seutil_read_config(syslogd_t)
 
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -414,6 +440,7 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
Index: refpolicy/policy/modules/services/xserver.if
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.if
+++ refpolicy/policy/modules/services/xserver.if
@@ -620,6 +620,42 @@ interface(`xserver_setattr_console_pipes
 
 ########################################
 ## <summary>
+##	Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+##	Label the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`relabelto_setattr_xconsole_pipes',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto setattr };
+')
+
+########################################
+## <summary>
 ##	Read and write the X windows console named pipe.
 ## </summary>
 ## <param name="domain">
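Review bot: `relabelto_setattr_xconsole_pipes` does not follow the `xserver_` prefix used by the other interfaces visible in this file, including `xserver_create_console_pipes` added just above it. Its summary says only "Label" although the rule grants `getattr relabelfrom relabelto setattr`. A name such as `xserver_relabel_setattr_console_pipes` with the summary `Relabel and set attributes of the X windows console named pipes.` would match the neighbours; any callers need the same rename. `read_xserver_files` in the last hunk of this file has the same prefix problem, and its rules target the `xserver_t` process type, so the name should say it reads process state rather than files.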
@@ -1120,6 +1156,42 @@ interface(`xserver_dontaudit_getattr_xdm
 
 ########################################
 ## <summary>
+##	Search xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_search_xdm_tmp',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dir',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir create;
+')
+
+########################################
+## <summary>
 ##	Execute the X server in the X server domain.
 ## </summary>
 ## <param name="domain">
@@ -1313,3 +1385,41 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Allow reading xserver_t files to get cgroup and sessionid
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`read_xserver_files',`
+	gen_require(`
+		type xserver_t;
+	')
+
+	allow $1 xserver_t:dir search;
+	allow $1 xserver_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	talk to xserver_t by dbus
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+	gen_require(`
+		type xserver_t;
+	')
+
+	allow $1 xserver_t:dbus send_msg;
+	allow xserver_t $1:dbus send_msg;
+')
Index: refpolicy/policy/modules/system/udev.if
===================================================================
--- refpolicy.orig/policy/modules/system/udev.if
+++ refpolicy/policy/modules/system/udev.if
@@ -280,6 +280,25 @@ interface(`udev_search_pids',`
 
 ########################################
 ## <summary>
+##	list udev pid content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_list_pids',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid directories
 ## </summary>
@@ -398,3 +417,21 @@ interface(`udev_create_kobject_uevent_so
 
         allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
 ')
+
+#######################################
+## <summary>
+##      Allow udev_t to write to a unix_stream_socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain to connect to
+##      </summary>
+## </param>
+#
+interface(`udev_write_socket',`
+        gen_require(`
+                type udev_t;
+	')
+
+	allow udev_t $1:unix_stream_socket connectto;
+')
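Review bot: The documentation of `udev_write_socket` does not match its rule: the name and summary speak of writing, while the only rule is `allow udev_t $1:unix_stream_socket connectto;`, which lets udev connect to the caller's stream socket. Reword the summary to `Allow udev to connect to the unix stream sockets of the specified domain.` and the parameter text to `Domain whose sockets udev may connect to.`; a name built on `connectto` would be clearer still. The block also mixes space and tab indentation inside `gen_require`.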
Index: refpolicy/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/logrotate.te
+++ refpolicy/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
 #
 
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 
 init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+
+dbus_system_bus_client(logrotate_t)
+init_write_pid_socket(logrotate_t)
 
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
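Review bot: The six calls added after `init_all_labeled_script_domtrans(logrotate_t)` are unconditional and uncommented, and the next hunk adds `init_manage_all_units(logrotate_t)` on top of them. logrotate_t already holds `dac_override`, `setuid` and `setgid` (the capability line in the first hunk of this file), so control over every unit is a wide grant for a log rotator. If `init_manage_all_units` covers status queries, as its name suggests, then `init_get_generic_units_status` and `init_get_all_units_status` here are redundant; its definition is not visible in this part of the patch. I would keep only the narrowest set that postrotate scripts need and say so in a comment such as `# postrotate scripts reload or restart daemons through systemctl`.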
@@ -126,6 +133,8 @@ ifdef(`distro_debian',`
 	logging_read_syslog_config(logrotate_t)
 ')
 
+init_manage_all_units(logrotate_t)
+
 optional_policy(`
 	abrt_manage_cache(logrotate_t)
 ')
Index: refpolicy/policy/modules/system/lvm.te
===================================================================
--- refpolicy.orig/policy/modules/system/lvm.te
+++ refpolicy/policy/modules/system/lvm.te
@@ -219,6 +219,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 
+kernel_request_load_module(lvm_t)
 kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
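Review bot: `kernel_request_load_module(lvm_t)` is added without a comment, while the other lvm_t additions in the next hunk each carry a `# for systemd-cryptsetup` note. Asking the kernel to load modules is a privilege worth justifying in place. Please add a one-line comment above it naming the component that triggers the module request.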
@@ -301,6 +302,11 @@ init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
 
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
+
 # for systemd-cryptsetup
 dev_write_kmsg(lvm_t)
 
Index: refpolicy/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy.orig/policy/modules/system/miscfiles.if
+++ refpolicy/policy/modules/system/miscfiles.if
@@ -579,6 +579,25 @@ interface(`miscfiles_manage_man_pages',`
 
 ########################################
 ## <summary>
+##	relabel man cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+	gen_require(`
+		type man_cache_t;
+	')
+
+	relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+	relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
 ##	Read man cache content.
 ## </summary>
 ## <param name="domain">
Index: refpolicy/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/filesystem.if
+++ refpolicy/policy/modules/kernel/filesystem.if
@@ -827,6 +827,26 @@ interface(`fs_read_cgroup_files',`
 
 ########################################
 ## <summary>
+##	Read cgroup lnk_files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cgroup_links',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
@@ -4025,6 +4045,24 @@ interface(`fs_relabelfrom_tmpfs',`
 ')
 
 ########################################
+## <summary>
+##	Relabel from tmpfs_t dir
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_dir',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir relabelfrom;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of tmpfs directories.
 ## </summary>
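Review bot: The parameter of `fs_relabelfrom_tmpfs_dir` is documented as `<param name="type">`, but its description is "Domain allowed access." and the rule uses `$1` as the source domain in `allow $1 tmpfs_t:dir relabelfrom;`. The tag should read `## <param name="domain">` so the generated interface documentation matches the neighbouring interfaces. The summary could also say "Relabel directories from tmpfs_t." to match the wording of the surrounding interfaces.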
Index: refpolicy/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dpkg.te
+++ refpolicy/policy/modules/contrib/dpkg.te
@@ -236,6 +236,7 @@ kernel_read_system_state(dpkg_script_t)
 
 corecmd_exec_all_executables(dpkg_script_t)
 
+dev_null_manage_service(dpkg_script_t)
 dev_list_sysfs(dpkg_script_t)
 # Use named file transition to fix this
 # dev_manage_generic_blk_files(dpkg_script_t)
@@ -281,6 +282,12 @@ files_manage_non_auth_files(dpkg_script_
 
 init_all_labeled_script_domtrans(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
+init_status(dpkg_script_t)
+init_reload(dpkg_script_t)
+init_system_stop(dpkg_script_t)
+init_telinit(dpkg_script_t)
+initrc_manage_service(dpkg_script_t)
+init_script_service_restart(dpkg_script_t)
 
 libs_exec_ld_so(dpkg_script_t)
 libs_exec_lib_files(dpkg_script_t)
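Review bot: `init_system_stop(dpkg_script_t)` and `init_telinit(dpkg_script_t)` stand out among the six added calls. Judging by their names they let package maintainer scripts stop or change the state of the whole system rather than individual services, and no comment says which package needs that; their definitions are not visible here, so this is inferred. The next hunk then adds `init_manage_all_units(dpkg_script_t)` between the modutils and seutil calls, which probably overlaps with `init_status`, `init_reload` and `init_script_service_restart` here. I would group all init calls in this block, drop the ones the broader interface already implies, and add a comment such as `# maintainer scripts start, stop and reload services` so the system-wide grants can be reviewed separately.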
@@ -295,6 +302,12 @@ modutils_run_depmod(dpkg_script_t, dpkg_
 modutils_run_insmod(dpkg_script_t, dpkg_roles)
 ')
 
+optional_policy(`
+	dirmngr_service_manage(dpkg_script_t)
+')
+
+init_manage_all_units(dpkg_script_t)
+
 seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
 seutil_run_setfiles(dpkg_script_t, dpkg_roles)
 
Index: refpolicy/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dbus.te
+++ refpolicy/policy/modules/contrib/dbus.te
@@ -144,6 +144,14 @@ userdom_dontaudit_use_unpriv_user_fds(sy
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
 optional_policy(`
+	# for /run/systemd/users/*
+	systemd_read_logind_pids(system_dbusd_t)
+	systemd_use_logind_fds(system_dbusd_t)
+	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+	systemd_login_write_pid_pipe(system_dbusd_t)
+')
+
+optional_policy(`
 	bluetooth_stream_connect(system_dbusd_t)
 ')
 
Index: refpolicy/policy/modules/contrib/dirmngr.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/dirmngr.if
+++ refpolicy/policy/modules/contrib/dirmngr.if
@@ -2,6 +2,25 @@
 
 ########################################
 ## <summary>
+##	Allow a domain to restart dirmngr
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dirmngr_service_manage',`
+	gen_require(`
+		type dirmngr_initrc_exec_t;
+	')
+
+	allow $1 dirmngr_initrc_exec_t:service { status start stop };
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an dirmngr environment.
 ## </summary>
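Review bot: The summary of `dirmngr_service_manage` says "restart", but the rule grants `{ status start stop }` on `dirmngr_initrc_exec_t:service`, so the documentation understates what a caller receives. A closer summary would be `##	Get the status of, start and stop the dirmngr service.`. The `## <rolecap/>` tag looks copied from the admin interface that follows, since this interface takes only a domain and no role; I would drop it.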
Index: refpolicy/policy/modules/system/unconfined.te
===================================================================
--- refpolicy.orig/policy/modules/system/unconfined.te
+++ refpolicy/policy/modules/system/unconfined.te
@@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',`
 ')
 
 optional_policy(`
+	init_status(unconfined_t)
+	init_reload(unconfined_t)
+	initrc_manage_service(unconfined_t)
+	dev_null_manage_service(unconfined_t)
+	init_get_all_units_status(unconfined_t)
+	init_start_all_units(unconfined_t)
+	init_stop_all_units(unconfined_t)
+	init_reload_all_units(unconfined_t)
+')
+
+optional_policy(`
 	ada_domtrans(unconfined_t)
 ')
 
Index: refpolicy/policy/modules/kernel/devices.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.if
+++ refpolicy/policy/modules/kernel/devices.if
@@ -1794,6 +1794,24 @@ interface(`dev_rw_cpu_microcode',`
 
 ########################################
 ## <summary>
+##	Create and setattr the CPU microcode device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_cpu_microcode',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	allow $1 cpu_device_t:chr_file { setattr create };
+')
+
+########################################
+## <summary>
 ##	Read the kernel crash device
 ## </summary>
 ## <param name="domain">
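Review bot: `dev_create_cpu_microcode` requires `device_t` but never uses it; the only rule is `allow $1 cpu_device_t:chr_file { setattr create };`. That grants no search or add_name on the parent directory, so the create presumably succeeds only when the caller gets those permissions from another interface. Using the pattern macro would make the interface self-contained and give the require a purpose: `create_chr_files_pattern($1, device_t, cpu_device_t)` followed by `allow $1 cpu_device_t:chr_file setattr;`. The same bare-permission shape appears in `userdom_unlink_user_runtime_files` (`user_runtime_t:file unlink`) and `xfs_create_dirs` (`xfs_tmp_t:dir create`) later in this patch. If relying on the caller is deliberate, a comment in each saying so would help.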
@@ -3259,6 +3277,25 @@ interface(`dev_create_null_dev',`
 
 ########################################
 ## <summary>
+##	Manage services with script type null_device_t for when
+##	/lib/systemd/system/something.service is a link to /dev/null
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_null_manage_service',`
+	gen_require(`
+		type null_device_t;
+	')
+
+	allow $1 null_device_t:service { status start stop reload };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of the BIOS non-volatile RAM device.
 ## </summary>
@@ -3970,6 +4007,24 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
+##	mounton sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of sysfs filesystem
 ## </summary>
 ## <param name="domain">
@@ -3988,6 +4043,24 @@ interface(`dev_getattr_sysfs',`
 
 ########################################
 ## <summary>
+##	mount a sysfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Do not audit getting the attributes of sysfs filesystem
 ## </summary>
 ## <param name="domain">
@@ -4873,6 +4946,24 @@ interface(`dev_rw_wireless',`
 
 ########################################
 ## <summary>
+##	manage the wireless device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_wireless',`
+	gen_require(`
+		type device_t, wireless_device_t;
+	')
+
+	manage_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write Xen devices.
 ## </summary>
 ## <param name="domain">
@@ -5177,3 +5268,33 @@ interface(`dev_create_generic_pipes',`
        allow $1 device_t:dir search_dir_perms;
        allow $1 device_t:file setattr_file_perms;
 ')
+
+
+########################################
+## <summary>
+##      Create lots of device types that systemd-tmpfiles creates
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`create_devices_for_systemd_tmpfiles',`
+        gen_require(`
+                type device_t, event_device_t, fuse_device_t, loop_control_device_t, lvm_control_t, ppp_device_t;
+        ')
+
+	allow $1 autofs_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 device_t:dir { getattr setattr relabelfrom relabelto create };
+	allow $1 device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 event_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 fuse_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 loop_control_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 lvm_control_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 ppp_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 tty_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 tun_tap_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 vhost_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+	allow $1 sound_device_t:chr_file { getattr setattr relabelfrom relabelto create };
+')
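Review bot: The `gen_require` block of `create_devices_for_systemd_tmpfiles` declares six types, but the rules also use `autofs_device_t`, `tty_device_t`, `tun_tap_device_t`, `vhost_device_t` and `sound_device_t`, which are not required. A module calling the interface would normally fail to compile unless it happens to declare them itself. The require line should list every type used: `type autofs_device_t, device_t, event_device_t, fuse_device_t, loop_control_device_t, lvm_control_t, ppp_device_t, sound_device_t, tty_device_t, tun_tap_device_t, vhost_device_t;`. The interface name also lacks the `dev_` prefix used by every other interface in this file. Since each rule grants `relabelfrom relabelto create` on device nodes, a comment naming systemd-tmpfiles as the only intended caller would help anyone auditing who can create device nodes.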
Index: refpolicy/policy/modules/system/logging.if
===================================================================
--- refpolicy.orig/policy/modules/system/logging.if
+++ refpolicy/policy/modules/system/logging.if
@@ -549,6 +549,9 @@ interface(`logging_send_syslog_msg',`
 	# will write to the console.
 	term_write_console($1)
 	term_dontaudit_read_console($1)
+
+	# because systemd is now using /run/systemd/journal/dev-log
+	init_search_pid_dirs($1)
 ')
 
 ########################################
@@ -1158,3 +1161,23 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
+
+########################################
+## <summary>
+##	setattr for syslogd_tmp_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_set_perms_syslogd_tmp',`
+	gen_require(`
+		type syslogd_tmp_t;
+	')
+
+	allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
+')
+
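Review bot: The summary of `logging_set_perms_syslogd_tmp` reads "setattr for syslogd_tmp_t", but the rule grants `{ setattr relabelfrom relabelto }` on both `dir` and `file`, so the relabel permissions are undocumented. I would write `##	Set the attributes of and relabel syslogd temporary files and directories.`. The `## <rolecap/>` tag does not fit an interface that takes only a domain and should be dropped. The hunk also leaves a blank line at the end of the file.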
Index: refpolicy/policy/modules/system/locallogin.te
===================================================================
--- refpolicy.orig/policy/modules/system/locallogin.te
+++ refpolicy/policy/modules/system/locallogin.te
@@ -151,6 +151,11 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+optional_policy(`
+	systemd_dbus_chat_logind(local_login_t)
+	systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
 tunable_policy(`console_login',`
 	# Able to relabel /dev/console to user tty types.
 	term_relabel_console(local_login_t)
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if
+++ refpolicy/policy/modules/system/userdomain.if
@@ -1102,6 +1102,10 @@ template(`userdom_unpriv_user_template',
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_t)
+	')
 ')
 
 #######################################
@@ -2811,6 +2815,26 @@ interface(`userdom_read_user_tmpfs_files
 
 ########################################
 ## <summary>
+##	relabel to/from user tmpfs files type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabel_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
+	allow $1 user_tmpfs_t:file { relabelto relabelfrom };
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
 ##	Search users runtime directories.
 ## </summary>
 ## <param name="domain">
@@ -2869,6 +2893,24 @@ interface(`userdom_manage_user_runtime_r
 
 ########################################
 ## <summary>
+##	relabel to/from user_runtime_root_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete user
 ##	runtime dirs.
 ## </summary>
@@ -2925,6 +2967,42 @@ interface(`userdom_relabelto_user_runtim
 ')
 
 ########################################
+## <summary>
+##	Relabel from user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelfrom_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
+##	unlink user runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_unlink_user_runtime_files',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:file unlink;
+')
+
+########################################
 ## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to
Index: refpolicy/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/policykit.te
+++ refpolicy/policy/modules/contrib/policykit.te
@@ -100,6 +100,15 @@ auth_use_nsswitch(policykit_t)
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
 
+# for /run/systemd/machines
+systemd_read_machines(policykit_t)
+
+# for /run/systemd/seats/seat*
+systemd_read_logind_sessions_files(policykit_t)
+
+# for /run/systemd/users/*
+systemd_read_logind_pids(policykit_t)
+
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
 
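Review bot: The three `systemd_*` calls on policykit_t are made unconditionally from a contrib module, while the same interfaces are wrapped in an optional_policy block in dbus.te, dbus.if and locallogin.te elsewhere in this patch. If the systemd module is not part of the build, policykit would presumably no longer compile. Moving the three calls, with their path comments, inside their own optional_policy block keeps the module loadable in both configurations.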
Index: refpolicy/policy/modules/contrib/dbus.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/dbus.if
+++ refpolicy/policy/modules/contrib/dbus.if
@@ -88,6 +88,10 @@ template(`dbus_role_template',`
 	ifdef(`hide_broken_symptoms',`
 		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 	')
+
+	optional_policy(`
+		systemd_read_logind_pids($1_dbusd_t)
+	')
 ')
 
 #######################################
Index: refpolicy/policy/modules/system/authlogin.if
===================================================================
--- refpolicy.orig/policy/modules/system/authlogin.if
+++ refpolicy/policy/modules/system/authlogin.if
@@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',`
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
+	userdom_search_user_runtime($1)
+	userdom_read_user_tmpfs_files($1)
+
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
+
+	optional_policy(`
+		systemd_logind_read_process_state($1)
+		systemd_write_inherited_logind_sessions_pipes($1)
+		systemd_passwd_agent_inherits_fd($1)
+	')
 ')
 
 ########################################
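Review bot: `userdom_read_user_tmpfs_files($1)` and `userdom_search_user_runtime($1)` are added to `auth_login_pgm_domain` with no comment, so every domain that calls this interface gains read access to user tmpfs files. That is a data-exposure change for all login programs rather than for one of them. Please state the reason above the two calls, for example `# <which login program> reads <which file> under the user runtime directory`, with the placeholders filled in. If only one login domain needs it, the calls would be better placed in that domain's .te file. The interface body begins outside this hunk.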
@@ -961,6 +970,23 @@ interface(`auth_rw_var_auth',`
     rw_files_pattern($1, var_auth_t, var_auth_t)
 ')
 
+#######################################
+## <summary>
+##  mount on /var/auth
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`auth_mounton_var_auth',`
+	gen_require(`
+		type var_auth_t;
+	')
+
+	allow $1 var_auth_t:dir mounton;
+')
 ########################################
 ## <summary>
 ##	Manage var auth files. Used by various other applications
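Review bot: `auth_mounton_var_auth` is not formatted like its neighbours: there is no blank line between its closing quote and the separator that starts the next interface. Its own separator is one `#` shorter than the file's usual 40, and the doc lines are indented with two spaces instead of a tab. The summary would read better as `##	Mount a filesystem on /var/auth.`, which matches the capitalisation and full stop used by the following interface.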
Index: refpolicy/policy/modules/contrib/xfs.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/xfs.if
+++ refpolicy/policy/modules/contrib/xfs.if
@@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
 
 ########################################
 ## <summary>
+##	Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_create_dirs',`
+	gen_require(`
+		type xfs_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
 ##	Connect to xfs with a unix
 ##	domain stream socket.
 ## </summary>
Index: refpolicy/policy/modules/kernel/files.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/files.if
+++ refpolicy/policy/modules/kernel/files.if
@@ -2667,6 +2667,24 @@ interface(`files_setattr_etc_dirs',`
 
 ########################################
 ## <summary>
+##	relabel directories to etc_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
 ##	List the contents of /etc directories.
 ## </summary>
 ## <param name="domain">
@@ -2908,6 +2926,42 @@ interface(`files_get_etc_unit_status',`
 	allow $1 etc_t:service status;
 ')
 
+########################################
+## <summary>
+##	start etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_etc_unit_start',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+##	stop etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_etc_unit_stop',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service stop;
+')
+
 #######################################
 ## <summary>
 ##	Relabel from and to generic files in /etc.
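Review bot: The new `files_etc_unit_start` and `files_etc_unit_stop` do not follow the naming of the existing `files_get_etc_unit_status` named in the hunk header, which puts the verb first. `files_start_etc_unit` and `files_stop_etc_unit` would keep the family greppable; the calls added to unconfined.if in this patch would need the same rename. The summaries could also describe the object rather than the type, for example `##	Start generic unit files labelled as etc.`, since "start etc_t service" does not tell a caller that this covers any unit file left with the default /etc label.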
@@ -3680,6 +3734,24 @@ interface(`files_relabelto_home',`
 
 ########################################
 ## <summary>
+##	Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
 ##	Create objects in /home.
 ## </summary>
 ## <param name="domain">
@@ -5595,6 +5667,30 @@ interface(`files_search_var_lib',`
 
 ########################################
 ## <summary>
+##	Create and label /var/lib and /var/log
+## </summary>
+## <desc>
+##	<p>
+##	This allows programs to setup directories under /var
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`create_relabel_var_lib_log',`
+	gen_require(`
+		type var_t, var_lib_t, var_log_t;
+	')
+
+	allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search the
 ##	contents of /var/lib.
 ## </summary>
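Review bot: `create_relabel_var_lib_log` carries `<infoflow type="read" weight="5"/>` although its only rule grants `relabelfrom relabelto manage_dir_perms`, which is write-side access. The tag should be `## <infoflow type="write" weight="10"/>` or be removed, to avoid misleading information-flow analysis. The rule also covers `var_t` itself, which the summary "Create and label /var/lib and /var/log" does not mention. The name is missing the `files_` prefix used throughout this file. I would rename it and extend the summary to say that /var is included.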
@@ -6415,6 +6511,27 @@ interface(`files_dontaudit_ioctl_all_pid
 
 ########################################
 ## <summary>
+##     create and manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+		type var_run_t;
+	')
+
+	create_dirs_pattern($1,var_run_t,pidfile)
+	allow $1 pidfile:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
 ##     manage all pidfile directories
 ##     in the /var/run directory.
 ## </summary>
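Review bot: The summary of `files_create_manage_all_pid_dirs` is almost identical to that of the existing interface that follows ("manage all pidfile directories in the /var/run directory"), so a caller cannot tell which one to use. From the rules, the difference is `create_dirs_pattern($1,var_run_t,pidfile)`, which additionally lets the domain add new entries under var_run_t. If `manage_dir_perms` already includes create, as it normally does, that is the only difference. I would state it directly: `##	Create pidfile directories directly under /var/run and manage all pidfile directories.`. The macro arguments should also have a space after each comma, to match the rest of the file.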
@@ -6989,3 +7106,4 @@ interface(`files_delete_all_non_security
 
         allow $1 non_security_file_type:file_class_set unlink;
 ')
+
Index: refpolicy/policy/modules/system/unconfined.if
===================================================================
--- refpolicy.orig/policy/modules/system/unconfined.if
+++ refpolicy/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
+		class service all_service_perms;
 	')
 
 	# Use most Linux capabilities
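Review bot: The added `class service all_service_perms;` require is not used by any rule this patch adds to `unconfined_domain_noaudit`. The second hunk of this file grants only `files_get_etc_unit_status`, `files_etc_unit_start` and `files_etc_unit_stop`, which cover etc_t units alone. If the intent is for unconfined domains to control all services, the rule that would use the class is missing from the visible changes; if not, the require line can go. The interface body extends outside both hunks, so a rule elsewhere may already use it, which is worth confirming before merging.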
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
+	files_get_etc_unit_status($1)
+	files_etc_unit_start($1)
+	files_etc_unit_stop($1)
 
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
Index: refpolicy/policy/modules/system/systemd.if
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.if
+++ refpolicy/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+	allow $1 systemd_logind_var_run_t:file read_file_perms;
 ')
 
 ######################################
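Review bot: Replacing `read_files_pattern` with `allow $1 systemd_logind_var_run_t:dir list_dir_perms;` lets every caller of `systemd_read_logind_pids` enumerate the directory rather than just open known names. This patch gives the interface to system_dbusd_t, policykit_t and each `$1_dbusd_t`. The "for /run/systemd/users/*" comments in dbus.te and policykit.te suggest that listing is intended, but nothing in this hunk says so. A comment above the rule, such as `# callers enumerate /run/systemd/users, so search alone is not enough`, would record the reason. The interface summary, which is outside the hunk, should mention listing as well.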
@@ -190,3 +191,640 @@ interface(`systemd_start_power_units',`
 
 	allow $1 power_unit_t:service start;
 ')
+
+######################################
+## <summary>
+##      Allow domain to search systemd unit dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_search_unit_dirs',`
+        gen_require(`
+                attribute systemdunit;
+        ')
+
+	files_search_var_lib($1)
+	allow $1 systemdunit:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##      Allow domain to list systemd unit dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_list_unit_dirs',`
+        gen_require(`
+                attribute systemdunit;
+        ')
+
+	files_search_var_lib($1)
+	allow $1 systemdunit:dir list_dir_perms;
+')
+
+#####################################
+## <summary>
+##      Allow domain to getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_getattr_unit_files',`
+        gen_require(`
+                attribute systemdunit;
+        ')
+
+    files_search_var_lib($1)
+    allow $1 systemdunit:file getattr_file_perms;
+')
+
+######################################
+## <summary>
+##      Allow domain to read all systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_unit_files',`
+        gen_require(`
+                attribute systemdunit;
+        ')
+
+	files_search_var_lib($1)
+	allow $1 systemdunit:file read_file_perms;
+	allow $1 systemdunit:lnk_file read_lnk_file_perms;
+	allow $1 systemdunit:dir list_dir_perms;
+')
+
+#####################################
+## <summary>
+##      Dontaudit domain to read all systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`systemd_dontaudit_read_unit_files',`
+        gen_require(`
+                attribute systemdunit;
+        ')
+
+        dontaudit $1 systemdunit:file read_file_perms;
+')
+
+######################################
+## <summary>
+##	Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_list_pid_dirs',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	init_search_pid_dirs($1)
+	files_search_pids($1)
+	list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##	Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_write_pid_pipe',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	init_search_pid_dirs($1)
+	files_search_pids($1)
+	allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+## <summary>
+##	Read logind sessions files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+	gen_require(`
+		type systemd_sessions_var_run_t;
+	')
+
+	init_search_pid_dirs($1)
+	allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+	read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+## <summary>
+##	Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_t, systemd_sessions_var_run_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_sessions_var_run_t:fifo_file write;
+	allow systemd_logind_t $1:process signal;
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run systemd-tmpfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_domtrans',`
+    gen_require(`
+        type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
+    ')
+
+    domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
+')
+
+#######################################
+## <summary>
+##  Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+##  type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+##  object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_manage_object',`
+    gen_require(`
+        type systemd_tmpfiles_t;
+    ')
+
+    allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run systemd-tty-ask-password-agent.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_domtrans',`
+	gen_require(`
+		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+	')
+
+	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+')
+
+#######################################
+## <summary>
+##  Execute systemd-tty-ask-password-agent in the caller domain
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_exec',`
+    gen_require(`
+        type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+    ')
+
+	can_exec($1, systemd_passwd_agent_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run systemd_notify.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_notify_domtrans',`
+	gen_require(`
+		type systemd_notify_t, systemd_notify_exec_t;
+	')
+
+	domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
+')
+
+########################################
+## <summary>
+##	Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
+##	allow the specified role the systemd_passwd_agent domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the systemd_passwd_agent domain.
+##	</summary>
+## </param>
+#
+interface(`systemd_passwd_agent_run',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+	')
+
+	systemd_passwd_agent_domtrans($1)
+	role $2 types systemd_passwd_agent_t;
+')
+
+########################################
+## <summary>
+##	Role access for systemd_passwd_agent
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`systemd_passwd_agent_role',`
+	gen_require(`
+              type systemd_passwd_agent_t;
+	')
+
+	role $1 types systemd_passwd_agent_t;
+
+	systemd_passwd_agent_domtrans($2)
+
+	ps_process_pattern($2, systemd_passwd_agent_t)
+	allow $2 systemd_passwd_agent_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send generic signals to systemd_passwd_agent processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_signal_passwd_agent',`
+	gen_require(`
+              type systemd_passwd_agent_t;
+	')
+
+	allow $1 systemd_passwd_agent_t:process signal;
+')
+
+########################################
+## <summary>
+##	allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that owns the fds
+##	</summary>
+## </param>
+#
+interface(`systemd_passwd_agent_inherits_fd',`
+	gen_require(`
+              type systemd_passwd_agent_t;
+	')
+
+	allow systemd_passwd_agent_t $1:fd use;
+')
+
+######################################
+## <summary>
+##  Allow to domain to read systemd-passwd pipe
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_read_fifo_file_passwd_run',`
+    gen_require(`
+        type systemd_passwd_var_run_t;
+    ')
+
+    read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Send generic signals to systemd_passwd_agent processes.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_passwd_run',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+		type systemd_passwd_var_run_t;
+	')
+
+	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+	allow systemd_passwd_agent_t $1:process signull;
+	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
+######################################
+## <summary>
+##  Template for temporary sockets and files in /dev/.systemd/ask-password
+##  which are used by systemd-passwd-agent
+## </summary>
+## <param name="userdomain_prefix">
+##  <summary>
+##  The prefix of the domain (e.g., user
+##  is the prefix for user_t).
+##  </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_dev_template',`
+        gen_require(`
+                type systemd_passwd_agent_t;
+        ')
+
+	type systemd_$1_device_t;
+        files_type(systemd_$1_device_t)
+        dev_associate(systemd_$1_device_t)
+
+	dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+	init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+        allow $1_t systemd_$1_device_t:file manage_file_perms;
+        allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
+
+	allow systemd_passwd_agent_t $1_t:process signull;
+        allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
+	allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
+        allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	manage systemd unit dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_unit_dirs',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_dirs_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##	manage all systemd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_files_pattern($1, systemdunit, systemdunit)
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##	manage all systemd unit lnk_files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_all_unit_lnk_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##	Transition to systemd named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_filetrans_named_content',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+##	Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_status',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system status;
+')
+
+########################################
+## <summary>
+##	Tell systemd_login to reboot the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_reboot',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Tell systemd_login to halt the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_halt',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system halt;
+')
+
+########################################
+## <summary>
+##	Tell systemd_login to do an unknown access.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_undefined',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system undefined;
+')
+
+########################################
+## <summary>
+##	Allow domain to create/manage systemd_journal_log_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`manage_systemd_journal_files',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	manage_dirs_pattern($1, systemd_journal_log_t, systemd_journal_log_t)
+	manage_files_pattern($1, systemd_journal_log_t, systemd_journal_log_t)
+')
+
+########################################
+## <summary>
+##	Allow systemd_logind_t to read process state for cgroup file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain systemd_logind_t may access.
+##	</summary>
+## </param>
+#
+interface(`systemd_logind_read_process_state',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow systemd_logind_t $1:dir list_dir_perms;
+	allow systemd_logind_t $1:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+	gen_require(`
+		type systemd_machined_var_run_t;
+	')
+
+	allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+	allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
+
Index: refpolicy/policy/modules/system/systemd.te
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.te
+++ refpolicy/policy/modules/system/systemd.te
@@ -36,6 +36,13 @@ domain_type(systemd_cgroups_t)
 domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
 role system_r types systemd_cgroups_t;
 
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
+
+type systemd_journal_log_t;
+files_type(systemd_journal_log_t)
+
 type systemd_cgroups_var_run_t;
 files_pid_file(systemd_cgroups_var_run_t)
 init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
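Review bot: `systemd_journal_log_t` is declared here with `files_type()` and then declared again by `logging_log_file(systemd_journal_log_t)` in the later hunk that adds the tmpfiles rules, so its declaration is split across two places and the second call comes after rules that already use the type. I would declare it once here as `logging_log_file(systemd_journal_log_t)` and drop the `files_type()` line, assuming logging_log_file already makes the type a file type. Separately, `manage_systemd_journal_files` in systemd.if lists `type systemd_logind_t;` in its gen_require although its rules only use `systemd_journal_log_t`; the require should name the type the interface uses.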
@@ -48,6 +55,9 @@ type systemd_coredump_t;
 type systemd_coredump_exec_t;
 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
 
+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
 type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
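Review bot: `systemd_coredump_var_lib_t` is declared with plain `files_type()`, which puts stored core dumps in the same class as ordinary files for any domain that is granted access to non-security files by attribute. Core dumps hold the memory of the crashed process, so I would add a comment saying which domains are expected to read this type and consider `files_security_file(systemd_coredump_var_lib_t)` instead. systemd_coredump_t and systemd_tmpfiles_t receive explicit rules on the type elsewhere in this patch, so as far as the visible rules show they would not depend on the attribute.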
@@ -76,9 +86,18 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+kernel_unconfined(systemd_nspawn_t)
+
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
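Review bot: `kernel_unconfined(systemd_nspawn_t)` is added inside the type-declaration block with no comment, and it gives the container launcher unconfined access to the kernel module's types. The nspawn local policy added further down already lists specific interfaces (`kernel_mount_proc`, `kernel_mounton_proc`, `kernel_read_system_state` and others), which suggests this line is a leftover from getting the domain to run. I would drop it and keep the specific rules, or, if it is still needed, move it into the nspawn section with a comment such as `# TODO: replace with specific kernel_* rules once the remaining denials are known`.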
@@ -99,6 +118,9 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
 type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -113,6 +135,12 @@ type systemd_kmod_conf_t;
 files_config_file(systemd_kmod_conf_t)
 init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 
+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_log_t, systemd_journal_log_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_log_t, systemd_journal_log_t)
+allow systemd_tmpfiles_t systemd_journal_log_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_log_t:file { relabelfrom relabelto };
+logging_log_file(systemd_journal_log_t)
+
 #
 # Unit file types
 #
@@ -140,11 +168,40 @@ logging_send_syslog_msg(systemd_log_pars
 
 ######################################
 #
+# backlight local policy
+#
+
+kernel_read_system_state(systemd_backlight_t)
+allow systemd_backlight_t self:unix_dgram_socket connected_socket_perms;
+dev_write_kmsg(systemd_backlight_t)
+logging_send_syslog_msg(systemd_backlight_t)
+dev_read_sysfs(systemd_backlight_t)
+allow systemd_backlight_t self:unix_dgram_socket connect;
+init_read_state(systemd_backlight_t)
+# for /run/udev/data/+backlight*
+udev_read_pid_files(systemd_backlight_t)
+
+# for udev.conf
+files_read_etc_files(systemd_backlight_t)
+
+######################################
+#
 # Cgroups local policy
 #
 
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
 kernel_dgram_send(systemd_cgroups_t)
+init_dgram_send(systemd_cgroups_t)
+
+allow systemd_cgroups_t self:capability net_admin;
+
+selinux_get_fs_mount(systemd_cgroups_t)
+seutil_read_config(systemd_cgroups_t)
+
+# for /proc/1/environ
+init_read_state(systemd_cgroups_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_cgroups_t)
 
 init_stream_connect(systemd_cgroups_t)
 
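Review bot: `allow systemd_cgroups_t self:capability net_admin;` is added without a comment saying what needs it, and the same is true of the other capability additions in this patch: `setgid setuid setpcap` for systemd_coredump_t, `sys_admin` for systemd_logind_t, `sys_ptrace` for systemd_machined_t and `net_admin sys_admin` for systemd_tmpfiles_t. Each should carry a one-line reason in the style the patch already uses for `# for /proc/1/environ`, so a later reader can tell a required capability from one added only to silence an AVC. Where the denial turns out to be harmless, a `dontaudit` rule is the tighter choice. In the backlight section of this hunk the two `self:unix_dgram_socket` lines can be one rule, `allow systemd_backlight_t self:unix_dgram_socket { connected_socket_perms connect };`, as the machined section writes it.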
@@ -170,6 +227,36 @@ optional_policy(`
 
 #######################################
 #
+# coredump policy
+#
+
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+
+kernel_use_fds(systemd_coredump_t)
+dev_write_kmsg(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
+
+init_search_pid_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_list_var_lib_dirs(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+logging_send_syslog_msg(systemd_coredump_t)
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+fs_getattr_xattr_fs(systemd_coredump_t)
+
+selinux_getattr_fs(systemd_coredump_t)
+seutil_search_default_contexts(systemd_coredump_t)
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+
+#######################################
+#
 # Hostnamed policy
 #
 
@@ -180,28 +267,51 @@ files_read_etc_files(systemd_hostnamed_t
 seutil_read_file_contexts(systemd_hostnamed_t)
 
 systemd_log_parse_environment(systemd_hostnamed_t)
+dev_read_sysfs(systemd_hostnamed_t)
 
 optional_policy(`
 	dbus_system_bus_client(systemd_hostnamed_t)
 	dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(systemd_hostnamed_t)
+')
+
 #########################################
 #
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
-allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 
+allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
+
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+
+read_initrc_files(systemd_logind_t)
+
+domain_obj_id_change_exemption(systemd_logind_t)
+selinux_get_fs_mount(systemd_logind_t)
+selinux_get_enforce_mode(systemd_logind_t)
+seutil_read_config(systemd_logind_t)
+seutil_read_default_contexts(systemd_logind_t)
+seutil_read_file_contexts(systemd_logind_t)
+
+fs_getattr_cgroup(systemd_logind_t)
+fs_read_cgroup_files(systemd_logind_t)
 
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
 files_search_pids(systemd_logind_t)
 
 kernel_read_kernel_sysctls(systemd_logind_t)
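Review bot: `read_initrc_files(systemd_logind_t)` calls an interface whose name does not start with the name of the module that owns it, unlike the surrounding calls (`init_*`, `seutil_*`, `fs_*`), which makes it hard to find where the rule is defined. The same applies to `start_stop_init_var_run_service`, `read_xserver_files`, `relabelto_setattr_xconsole_pipes` and `create_relabel_var_lib_log` in later hunks, and to `manage_systemd_journal_files` defined in systemd.if, which would read better as `systemd_manage_journal_files`. The definitions of the others are outside this hunk, so the exact new names depend on what those interfaces grant, but each should follow the `module_verb_object` pattern.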
@@ -212,14 +322,24 @@ dev_rw_sysfs(systemd_logind_t)
 dev_rw_input_dev(systemd_logind_t)
 dev_getattr_dri_dev(systemd_logind_t)
 dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_kvm_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
 dev_getattr_sound_dev(systemd_logind_t)
 dev_setattr_sound_dev(systemd_logind_t)
+dev_read_urand(systemd_logind_t)
+dev_rw_dri(systemd_logind_t)
+dev_manage_wireless(systemd_logind_t)
 
 files_read_etc_files(systemd_logind_t)
 
 fs_read_efivarfs_files(systemd_logind_t)
 
 fs_getattr_tmpfs(systemd_logind_t)
+fs_mount_tmpfs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
+fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
+fs_relabelfrom_tmpfs_dir(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
 storage_setattr_removable_dev(systemd_logind_t)
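Review bot: `dev_manage_wireless(systemd_logind_t)` and `dev_rw_dri(systemd_logind_t)` grant more than the getattr/setattr pairs this block uses for the other device classes (dri, kvm, sound). If logind only adjusts ownership and ACLs on these nodes, a getattr/setattr pair would be enough for the wireless device as well; if it opens the devices on behalf of sessions, a short comment saying so would justify the wider access. The same goes for `fs_mount_tmpfs` and `fs_unmount_tmpfs`, which presumably serve the per-user runtime directories; a comment such as `# mount and unmount the tmpfs on the user runtime dir` would record that if it is the case.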
@@ -227,12 +347,18 @@ storage_getattr_scsi_generic_dev(systemd
 storage_setattr_scsi_generic_dev(systemd_logind_t)
 
 term_use_unallocated_ttys(systemd_logind_t)
+term_setattr_unallocated_ttys(systemd_logind_t)
 
 init_get_all_units_status(systemd_logind_t)
 init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_service_status(systemd_logind_t)
 init_service_start(systemd_logind_t)
+init_get_system_status(systemd_logind_t)
+init_system_start(systemd_logind_t)
+init_system_stop(systemd_logind_t)
+start_stop_init_var_run_service(systemd_logind_t)
+init_dbus_send_script(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
@@ -241,14 +367,246 @@ systemd_start_power_units(systemd_logind
 
 udev_read_db(systemd_logind_t)
 udev_read_pid_files(systemd_logind_t)
+udev_list_pids(systemd_logind_t)
 
 userdom_use_user_ttys(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_manage_user_runtime_root_dirs(systemd_logind_t)
+userdom_manage_user_runtime_dirs(systemd_logind_t)
+userdom_mounton_user_runtime_dirs(systemd_logind_t)
+userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_read_all_users_state(systemd_logind_t)
+userdom_manage_tmp_role(system_r, systemd_logind_t)
+userdom_manage_tmpfs_role(system_r, systemd_logind_t)
+userdom_relabel_user_tmpfs_files(systemd_logind_t)
+userdom_unlink_user_runtime_files(systemd_logind_t)
 
 optional_policy(`
 	dbus_system_bus_client(systemd_logind_t)
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+	devicekit_dbus_chat_power(systemd_logind_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+	xserver_read_xdm_state(systemd_logind_t)
+	xserver_dbus_chat(systemd_logind_t)
+	xserver_dbus_chat_xdm(systemd_logind_t)
+	read_xserver_files(systemd_logind_t)
+	relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+	unconfined_dbus_send(systemd_logind_t)
+')
+
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pipes(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+        lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+        plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+	getty_use_fds(systemd_passwd_agent_t)
+')
+
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+kernel_read_kernel_sysctls(systemd_machined_t)
+logging_send_syslog_msg(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+
+read_initrc_files(systemd_machined_t)
+
+fs_getattr_tmpfs(systemd_machined_t)
+fs_getattr_cgroup(systemd_machined_t)
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+init_get_system_status(systemd_machined_t)
+start_stop_init_var_run_service(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+seutil_search_default_contexts(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+init_system_start(systemd_machined_t)
+init_system_stop(systemd_machined_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_machined_t)
+	dbus_connect_system_bus(systemd_machined_t)
+')
+optional_policy(`
+	init_dbus_chat(systemd_machined_t)
+	init_dbus_send_script(systemd_machined_t)
+')
+
+#########################################
+#
+# nspawn local policy
+#
+
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+
+kernel_read_system_state(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+
+init_domtrans_script(systemd_nspawn_t)
+init_search_pid_dirs(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+init_kill_initrc(systemd_nspawn_t)
+dev_getattr_fs(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_getattr_tmpfs(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+corecmd_exec_shell(systemd_nspawn_t)
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+# most of the following is for when a chroot has the same labels as a regular
+# root filesystem
+
+init_spec_domtrans_script(systemd_nspawn_t)
+
+selinux_getattr_fs(systemd_nspawn_t)
+selinux_search_fs(systemd_nspawn_t)
+seutil_search_default_contexts(systemd_nspawn_t)
+
+logging_search_logs(systemd_nspawn_t)
+
+fs_getattr_cgroup(systemd_nspawn_t)
+fs_mounton_cgroup(systemd_nspawn_t)
+fs_write_cgroup_files(systemd_nspawn_t)
+fs_mount_cgroup(systemd_nspawn_t)
+fs_remount_cgroup(systemd_nspawn_t)
+fs_manage_cgroup_dirs(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+dev_setattr_generic_dirs(systemd_nspawn_t)
+files_search_home(systemd_nspawn_t)
+kernel_mounton_sysctl_dir(systemd_nspawn_t)
+kernel_mounton_kmsg_file(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mount_proc(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+
+fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+fs_search_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_dirs(systemd_nspawn_t)
+fs_manage_tmpfs_files(systemd_nspawn_t)
+fs_mounton_tmpfs(systemd_nspawn_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+	virt_manage_virt_content(systemd_nspawn_t)
+')
+
 #########################################
 #
 # Resolved local policy
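Review bot: `relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t)` sits inside the logind `optional_policy` block for xserver, so a rule for systemd_tmpfiles_t is hidden in the Logind local policy section. If the tmpfiles domain is intended, the line belongs in the tmpfiles section next to `xserver_create_console_pipes(systemd_tmpfiles_t)`; if logind was meant, the argument is wrong. Two smaller cleanups in the same hunk: `corecmd_exec_shell(systemd_nspawn_t)` appears twice in the nspawn section, and the four `manage_*_pattern(systemd_passwd_agent_t, ...)` lines end in a stray `;`.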
@@ -290,6 +648,13 @@ optional_policy(`
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
 
+selinux_get_fs_mount(systemd_sessions_t)
+selinux_get_enforce_mode(systemd_sessions_t)
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+allow systemd_sessions_t self:process setfscreate;
+seutil_read_file_contexts(systemd_sessions_t)
+
 systemd_log_parse_environment(systemd_sessions_t)
 
 #########################################
@@ -297,24 +662,85 @@ systemd_log_parse_environment(systemd_se
 # Tmpfiles local policy
 #
 
-allow systemd_tmpfiles_t self:capability  { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid net_admin sys_admin mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
 
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+
+sysnet_create_config(systemd_tmpfiles_t)
+
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+create_relabel_var_lib_log(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+
+files_list_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+init_manage_utmp(systemd_tmpfiles_t)
+init_relabel_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
+
+optional_policy(`
+	dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+	xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
+	xserver_create_console_pipes(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+	xfs_create_dirs(systemd_tmpfiles_t)
+')
+
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+# for /proc/cmdline
+kernel_read_system_state(systemd_tmpfiles_t)
+
+# to search for something under /proc/sys/kernel
+kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 
 files_read_etc_files(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
 
 auth_manage_var_auth(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
+auth_manage_faillog(systemd_tmpfiles_t)
 
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
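Review bot: `files_delete_usr_files(systemd_tmpfiles_t)` and `files_purge_tmp(systemd_tmpfiles_t)` are granted unconditionally and without a comment, while this file already keeps the broadest tmpfiles access behind the `tunable_policy` block at its end. Deleting files under /usr is an unusual need for tmpfiles, so I would either add the reason as a comment (which tmpfiles.d entry triggers it) or move the grant under the tunable. The added `kernel_read_kernel_sysctls(systemd_tmpfiles_t)` near the end of the hunk repeats the existing context line at the top of the section and can be dropped.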
@@ -328,3 +754,26 @@ tunable_policy(`systemd_tmpfiles_manage_
 	files_relabel_non_security_dirs(systemd_tmpfiles_t)
 	files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
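Review bot: The systemd_notify section grants only stream sockets (`self:unix_stream_socket create_stream_socket_perms`, `init_rw_stream_sockets`), but systemd-notify normally reaches the notification socket with a datagram socket, so a `self:unix_dgram_socket` rule and something like `init_dgram_send(systemd_notify_t)`, which this patch uses for systemd_cgroups_t, look missing unless `init_systemd_domain` supplies them (its definition is not in view). `capability chown`, `process fork` and `files_read_usr_files` also look carried over from another domain; each should either get a comment naming the operation that needs it or be removed.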
Index: refpolicy/policy/modules/system/systemd.fc
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.fc
+++ refpolicy/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
 /bin/systemd-stdio-bridge	--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
 /bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /bin/systemd-tty-ask-password-agent		--			gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify		--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
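Review bot: The new entry labels `/usr/bin/systemd-notify`, while every neighbouring tool in this block is listed under `/bin/`. If the binary is installed in /bin on the target system, the file will not get `systemd_notify_exec_t` and the domain transition defined for it will never happen; the subs_dist change later in this patch maps only `/lib/systemd`, not `/bin`. I would list the path where the package installs it, or add both, e.g. `/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)`.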
@@ -29,14 +30,20 @@
 /usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 
+/var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /var/run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /var/run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
 /var/run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/var/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /var/run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_log_t,s0)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:systemd_journal_log_t,s0)
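Review bot: Relabelling `/var/run/systemd/seats` and `/var/run/systemd/sessions` to `systemd_sessions_var_run_t` makes logind's session state share a type with the `nologin` flag files. systemd.te lets systemd_sessions_t manage files of that type, so that domain gains write access to logind's seat and session records, and logind in turn gets manage access to the nologin files. If the goal was only to let another domain reach these directories, I would keep `systemd_logind_var_run_t` here and grant that domain access to it, or introduce a dedicated type for the seat and session records.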
Index: refpolicy/config/file_contexts.subs_dist
===================================================================
--- refpolicy.orig/config/file_contexts.subs_dist
+++ refpolicy/config/file_contexts.subs_dist
@@ -20,3 +20,4 @@
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
 /var/run/lock /var/lock
+/lib/systemd /usr/lib/systemd
Index: refpolicy/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy.orig/policy/modules/roles/sysadm.te
+++ refpolicy/policy/modules/roles/sysadm.te
@@ -40,9 +40,8 @@ init_enable(sysadm_t)
 init_reload(sysadm_t)
 init_reboot_system(sysadm_t)
 init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_manage_all_units(sysadm_t)
+initrc_manage_service(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy/policy/modules/system/lvm.fc
===================================================================
--- refpolicy.orig/policy/modules/system/lvm.fc
+++ refpolicy/policy/modules/system/lvm.fc
@@ -90,6 +90,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/lvm2-.*	-- gen_context(system_u:object_r:lvm_unit_t,s0)
Index: refpolicy/policy/modules/contrib/mta.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.te
+++ refpolicy/policy/modules/contrib/mta.te
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
 term_dontaudit_use_unallocated_ttys(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 
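Review bot: `init_rw_stream_sockets(system_mail_t)` is added unconditionally and without a comment, so a reader cannot tell which of init's sockets the mail domain is expected to inherit. If this is for stdio that systemd hands to the process as a stream socket (an assumption; the hunk does not say), guard it with an `ifdef` on `init_systemd` as the ntp.te block in this patch does. A comment such as `# stdio inherited from systemd is a stream socket owned by init` would document it. That keeps non-systemd builds from gaining read/write on init's sockets that they do not need.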
Index: refpolicy/policy/modules/kernel/terminal.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/terminal.te
+++ refpolicy/policy/modules/kernel/terminal.te
@@ -19,6 +19,8 @@ dev_node(bsdpty_device_t)
 #
 type console_device_t;
 dev_node(console_device_t)
+# for /dev/pts/0
+allow console_device_t devpts_t:filesystem associate;
 
 #
 # devpts_t is the type of the devpts file system and
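Review bot: The added rule names devpts_t inside the console_device_t declaration block, ahead of the comment that introduces devpts_t, and `# for /dev/pts/0` does not say why the console would be a pty. Moving the rule below the devpts_t declaration would keep each type's rules with its declaration. The comment could be expanded to something like `# the console can be a pty (/dev/pts/0), so console_device_t must be able to associate with the devpts filesystem`. The situation in which the console is a pty is not stated anywhere in the hunk and should be named by the author.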
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te
+++ refpolicy/policy/modules/services/xserver.te
@@ -271,6 +271,10 @@ files_search_pids(xauth_t)
 fs_getattr_xattr_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
 
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
 # cjp: why?
 term_use_ptmx(xauth_t)
 
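Review bot: The three raw `allow xauth_t xdm_t:…` rules carry no comment, and read/write on xdm_t's `unix_stream_socket` is more than the descriptor inheritance that `fd use` suggests. If xauth only inherits xdm's stdio when started under systemd (not stated in the hunk), say so with `# xauth inherits stdin/stdout/stderr from xdm` and check whether `read` on the socket is needed at all. If the descriptors are merely leaked into xauth, a `dontaudit` is the tighter choice than an `allow`. The rules also apply on non-systemd builds, unlike the `init_systemd`-guarded block this patch adds to ntp.te.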
Index: refpolicy/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.if
+++ refpolicy/policy/modules/system/sysnetwork.if
@@ -413,7 +413,7 @@ interface(`sysnet_create_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 net_conf_t:file create_file_perms;
+	allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms };
 ')
 
 #######################################
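Review bot: `sysnet_create_config` now grants `manage_file_perms` plus `relabelfrom relabelto` on net_conf_t, so every existing caller of a "create" interface silently gains write, unlink and relabel on the network configuration files. The interface name and its summary (outside this hunk) no longer describe what it allows, which makes its callers hard to audit. Keep the line as `allow $1 net_conf_t:file create_file_perms;`. The domain that needs more can use the existing `sysnet_manage_config` and a dedicated relabel interface, added to sysnetwork.if if one is not already there. The interface starts above the hunk, so its other rules are not visible here.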
Index: refpolicy/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.fc
+++ refpolicy/policy/modules/contrib/ntp.fc
@@ -16,10 +16,13 @@
 /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
 
 /usr/sbin/ntpd		--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 /usr/sbin/sntp		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
 /var/lib/ntp(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock	--	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/db/ntp-kod		--	gen_context(system_u:object_r:ntp_drift_t,s0)
 
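Review bot: Labelling `systemd-timedated` and `systemd-timesyncd` as ntpd_exec_t puts them in the same domain as the classic ntpd, so every permission either of them needs is also granted to a network-facing NTP daemon. The second ntp.te hunk in this patch shows the effect: D-Bus access, `fowner setpcap` and `init_reload` all land on ntpd_t. timedated is a D-Bus service for setting time and timezone rather than an NTP client, so a separate exec type and domain for it would keep ntpd_t at its current size. At minimum, add a comment above the two entries saying why they share ntpd_exec_t.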
Index: refpolicy/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.te
+++ refpolicy/policy/modules/contrib/ntp.te
@@ -109,6 +109,7 @@ corecmd_exec_shell(ntpd_t)
 dev_read_sysfs(ntpd_t)
 dev_read_urand(ntpd_t)
 dev_rw_realtime_clock(ntpd_t)
+clock_read_adjtime(ntpd_t)
 
 domain_use_interactive_fds(ntpd_t)
 domain_dontaudit_list_all_domains_state(ntpd_t)
@@ -133,6 +134,26 @@ miscfiles_read_localization(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
 
+ifdef(`init_systemd',`
+	dbus_system_bus_client(ntpd_t)
+	dbus_connect_system_bus(ntpd_t)
+	init_dbus_chat(ntpd_t)
+	init_status(ntpd_t)
+	sysadm_dbus_chat(ntpd_t)
+	allow ntpd_t self:capability { fowner setpcap };
+	init_reload(ntpd_t)
+
+	# for /var/lib/systemd/clock
+	init_list_var_lib_dirs(ntpd_t)
+
+	# for /run/systemd/netif/links
+	init_list_pid_dirs(ntpd_t)
+
+	optional_policy(`
+		unconfined_dbus_send(ntpd_t)
+	')
+')
+
 optional_policy(`
 	cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
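Review bot: Inside the `init_systemd` block, `dbus_system_bus_client`, `dbus_connect_system_bus` and `sysadm_dbus_chat` are called outside `optional_policy`, while only `unconfined_dbus_send` is wrapped. If dbus or sysadm is not part of the base policy in a given build, the ntp module then depends on them unconditionally, so the calls should be wrapped as shown below. `allow ntpd_t self:capability { fowner setpcap };` and `init_reload(ntpd_t)` also need a why-comment. Both are significant grants for a daemon that talks to the network, and the hunk gives no reason for either.

```selinux
ifdef(`init_systemd',`
	# … unchanged: init_dbus_chat, init_status, capability rule, init_reload, directory listing rules …

	optional_policy(`
		dbus_system_bus_client(ntpd_t)
		dbus_connect_system_bus(ntpd_t)
	')

	optional_policy(`
		sysadm_dbus_chat(ntpd_t)
	')

	# … unchanged: optional_policy for unconfined_dbus_send …
')
```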
Index: refpolicy/policy/modules/roles/sysadm.if
===================================================================
--- refpolicy.orig/policy/modules/roles/sysadm.if
+++ refpolicy/policy/modules/roles/sysadm.if
@@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',`
 
 	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
 ')
+
+########################################
+## <summary>
+##	talk to sysadm_t over dbus
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dbus_chat',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow sysadm_t $1:dbus send_msg;
+	allow $1 sysadm_t:dbus send_msg;
+')
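Review bot: `sysadm_dbus_chat` requires only `type sysadm_t;`, whereas refpolicy `*_dbus_chat` interfaces conventionally also list `class dbus send_msg;` in `gen_require`. Adding it keeps the interface self-describing. The summary `talk to sysadm_t over dbus` would fit the house style better as `Send and receive messages from sysadm over dbus.`. The interface lets any caller exchange D-Bus messages with the administrator's domain in both directions, so a short description naming the expected callers would help later audits.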
Index: refpolicy/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/devicekit.te
+++ refpolicy/policy/modules/contrib/devicekit.te
@@ -260,6 +260,7 @@ auth_use_nsswitch(devicekit_power_t)
 
 init_all_labeled_script_domtrans(devicekit_power_t)
 init_read_utmp(devicekit_power_t)
+init_search_pid_dirs(devicekit_power_t)
 
 miscfiles_read_localization(devicekit_power_t)
 
Index: refpolicy/policy/modules/system/application.if
===================================================================
--- refpolicy.orig/policy/modules/system/application.if
+++ refpolicy/policy/modules/system/application.if
@@ -63,6 +63,24 @@ interface(`application_exec',`
 
 ########################################
 ## <summary>
+## read application executables
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`application_read',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	allow $1 application_exec_type:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute all executable files.
 ## </summary>
 ## <param name="domain">
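Review bot: The doc block of `application_read` declares `<param name="type">` although the argument is the calling domain, as its own description `Domain allowed access.` and the neighbouring `name="domain"` show. It should read `## <param name="domain">`. The summary line lacks the tab and capital letter used by the other summaries; `##	Read all application executable files.` would match. The interface name does not say what is read, so a name that mentions the executable files would be easier to audit at call sites.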
Index: refpolicy/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.if
+++ refpolicy/policy/modules/kernel/kernel.if
@@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`
 
 ########################################
 ## <summary>
+##	mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	remount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_remount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem remount;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
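Review bot: The summaries added to this file start in lower case, and in the two later hunks they name types instead of purpose (`mounton proc_kmsg_t files`, `mounton sysctl_t dirs`, `mounton proc_t dirs`). The surrounding style is `Get the attributes of the proc filesystem.`. For this hunk `##	Mount the proc filesystem.` and `##	Remount the proc filesystem.` are enough. For the mounton interfaces in the next two hunks, a sentence stating what is mounted over and for what purpose would let a reviewer judge each caller.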
@@ -1987,6 +2023,66 @@ interface(`kernel_rw_kernel_sysctl',`
 
 ########################################
 ## <summary>
+##	mounton sysctl_kernel_t and sysctl_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kernel_sysctl_file',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t;
+	')
+
+	allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
+	allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };
+')
+
+########################################
+## <summary>
+##	mounton proc_kmsg_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kmsg_file',`
+	gen_require(`
+		type proc_t, proc_kmsg_t;
+	')
+
+	allow $1 proc_t:dir list_dir_perms;
+	allow $1 proc_kmsg_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
+##	mounton sysctl_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_dir',`
+	gen_require(`
+		type proc_t, sysctl_t;
+	')
+
+	allow $1 proc_t:dir list_dir_perms;
+	allow $1 sysctl_t:dir { getattr mounton };
+')
+
+########################################
+## <summary>
 ##	Read filesystem sysctls.
 ## </summary>
 ## <param name="domain">
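Review bot: `## <rolecap/>` is set on `kernel_mounton_kernel_sysctl_file`, `kernel_mounton_kmsg_file` and `kernel_mounton_sysctl_dir` (and on `kernel_mounton_proc` in the following hunk). It appears carried over from a neighbouring sysctl interface and should be dropped unless these are meant to be role capabilities. Mounting over /proc/sys entries or /proc/kmsg changes what other processes sharing that mount namespace see there, so the interfaces should stay limited to a small, documented set of callers. `kernel_mounton_kernel_sysctl_file` also bundles sysctl_t and sysctl_kernel_t files in one rule. If a caller needs only one of them, splitting the interface keeps the grant narrow.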
@@ -2179,6 +2275,25 @@ interface(`kernel_rw_all_sysctls',`
 ')
 
 ########################################
+## <summary>
+##	mounton proc_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
 ## <summary>
 ##	Send a kill signal to unlabeled processes.
 ## </summary>
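Review bot: `kernel_mounton_proc` lacks the `_dir`/`_file` suffix carried by the other mounton interfaces this patch adds (`kernel_mounton_sysctl_dir`, `kernel_mounton_kmsg_file`). It is also placed after `kernel_rw_all_sysctls` instead of beside `kernel_mount_proc` and `kernel_remount_proc`. Renaming it `kernel_mounton_proc_dirs` and moving it next to the other proc filesystem interfaces would make it easier to find and to grep for. Its summary could read `##	Mount on proc directories.`.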
