From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] another systemd misc patch
Date: Sat, 9 Oct 2021 21:05:56 +1100 [thread overview]
Message-ID: <YWFphFQ8fZmbEdGL@xev.coker.com.au> (raw)
Here's the latest version of this patch with the previous issues addressed.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210908/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210908/policy/modules/system/systemd.if
@@ -102,6 +102,8 @@ template(`systemd_role_template',`
seutil_search_default_contexts($1_systemd_t)
seutil_read_file_contexts($1_systemd_t)
+ userdom_search_user_home_dirs($1_systemd_t)
+
# for machinectl shell
term_user_pty($1_systemd_t, user_devpts_t)
allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
@@ -169,6 +171,10 @@ template(`systemd_role_template',`
systemd_watch_passwd_runtime_dirs($3)
optional_policy(`
+ dirmngr_tmp_dir_search($1_systemd_t)
+ ')
+
+ optional_policy(`
xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
xdg_read_config_files($1_systemd_t)
@@ -791,6 +797,24 @@ interface(`systemd_write_logind_runtime_
######################################
## <summary>
+## Watch systemd-logind runtime dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dirs',`
+ gen_require(`
+ type systemd_logind_runtime_t;
+ ')
+
+ allow $1 systemd_logind_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
## Use inherited systemd
## logind file descriptors.
## </summary>
@@ -851,6 +875,24 @@ interface(`systemd_write_inherited_login
######################################
## <summary>
+## Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dirs',`
+ gen_require(`
+ type systemd_sessions_runtime_t;
+ ')
+
+ allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
## Write inherited logind inhibit pipes.
## </summary>
## <param name="domain">
@@ -1023,6 +1065,24 @@ interface(`systemd_connect_machined',`
########################################
## <summary>
+## Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can watch the machines files
+## </summary>
+## </param>
+#
+interface(`systemd_watch_machines_dirs',`
+ gen_require(`
+ type systemd_machined_runtime_t;
+ ')
+
+ allow $1 systemd_machined_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## systemd hostnamed over dbus.
## </summary>
@@ -1911,3 +1971,45 @@ interface(`systemd_use_inherited_machine
allow $1 systemd_machined_t:fd use;
allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
')
+
+########################################
+## <summary>
+## run systemd-nspawn in systemd_nspawn_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role of the object to create.
+## </summary>
+## </param>
+#
+interface(`systemd_run_nspawn', `
+ gen_require(`
+ type systemd_nspawn_t, systemd_nspawn_exec_t;
+ ')
+
+ role $2 types systemd_nspawn_t;
+ domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
+')
+
+########################################
+## <summary>
+## send datagrams to systemd_nspawn_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dgram_nspawn', `
+ gen_require(`
+ type systemd_nspawn_t, systemd_nspawn_var_run_t;
+ ')
+
+ dgram_send_pattern($1, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t, systemd_nspawn_t)
+')
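Review bot: systemd_dgram_nspawn requires and uses the alias `systemd_nspawn_var_run_t`, although systemd.te declares that name only as an alias of `systemd_nspawn_runtime_t`, and this very patch moves the passwd-agent rule off its `_var_run_t` alias; new code should use the primary name: `type systemd_nspawn_t, systemd_nspawn_runtime_t;` and `dgram_send_pattern($1, systemd_nspawn_runtime_t, systemd_nspawn_runtime_t, systemd_nspawn_t)`. Both new interface lines here are written with a space between the closing quote of the name and the opening quote of the body, unlike the three interfaces added earlier in this file. The role parameter of systemd_run_nspawn is documented as "The role of the object to create", which does not describe what `role $2 types systemd_nspawn_t;` does; something like "Role allowed to run systemd-nspawn." would.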
Index: refpolicy-2.20210908/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210908/policy/modules/system/systemd.te
@@ -142,6 +142,7 @@ type systemd_logind_t;
type systemd_logind_exec_t;
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
+init_stream_connect(systemd_logind_t)
type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
files_runtime_file(systemd_logind_inhibit_runtime_t)
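Review bot: `init_stream_connect(systemd_logind_t)` is added twice by this patch: here, in the type-declaration block right after init_named_socket_activation, and again in the logind local-policy section in the hunk at @@ -682,6 +742,7 @@. The duplicate compiles, but the declaration block is not where this domain's access rules live; drop this copy and keep the one in the local-policy section.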
@@ -191,6 +192,9 @@ type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
mcs_killall(systemd_nspawn_t)
+type systemd_nspawn_devpts_t;
+term_login_pty(systemd_nspawn_devpts_t)
+
type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
files_runtime_file(systemd_nspawn_runtime_t)
@@ -281,10 +285,13 @@ files_type(systemd_update_run_t)
type systemd_conf_home_t;
init_unit_file(systemd_conf_home_t)
-xdg_config_content(systemd_conf_home_t)
type systemd_data_home_t;
-xdg_data_content(systemd_data_home_t)
+
+optional_policy(`
+ xdg_config_content(systemd_conf_home_t)
+ xdg_data_content(systemd_data_home_t)
+')
type systemd_user_runtime_notify_t;
userdom_user_runtime_content(systemd_user_runtime_notify_t)
@@ -327,6 +334,8 @@ allow systemd_backlight_t systemd_backli
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
+kernel_read_kernel_sysctls(systemd_backlight_t)
+
systemd_log_parse_environment(systemd_backlight_t)
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
@@ -392,28 +401,37 @@ ifdef(`enable_mls',`
#
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:unix_stream_socket connectto;
allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
+dontaudit systemd_coredump_t self:capability net_admin;
allow systemd_coredump_t self:process { getcap setcap setfscreate };
+allow systemd_coredump_t self:cap_userns sys_ptrace;
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
+kernel_read_crypto_sysctls(systemd_coredump_t)
kernel_read_kernel_sysctls(systemd_coredump_t)
kernel_read_system_state(systemd_coredump_t)
kernel_rw_pipes(systemd_coredump_t)
kernel_use_fds(systemd_coredump_t)
corecmd_exec_bin(systemd_coredump_t)
-corecmd_read_all_executables(systemd_coredump_t)
+corecmd_mmap_all_executables(systemd_coredump_t)
dev_write_kmsg(systemd_coredump_t)
+domain_read_all_domains_state(systemd_coredump_t)
+
files_getattr_all_mountpoints(systemd_coredump_t)
files_read_etc_files(systemd_coredump_t)
files_search_var_lib(systemd_coredump_t)
+fs_getattr_cgroup(systemd_coredump_t)
+fs_getattr_tmpfs(systemd_coredump_t)
fs_getattr_xattr_fs(systemd_coredump_t)
+fs_search_cgroup_dirs(systemd_coredump_t)
fs_search_tmpfs(systemd_coredump_t)
selinux_getattr_fs(systemd_coredump_t)
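Review bot: `domain_read_all_domains_state(systemd_coredump_t)`, `allow systemd_coredump_t self:cap_userns sys_ptrace;` and `allow systemd_coredump_t self:unix_stream_socket connectto;` are added with no comment on what triggers them, and the first grants /proc state reads on every domain on the system. Presumably this is for the crashing process, which may run in any domain; if so, a comment such as `# read /proc/<pid> of the crashing process, which may be in any domain` above that line lets a later reader judge whether it can be narrowed. The cap_userns rule suggests dumping processes inside user namespaces; a note saying so would help.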
@@ -427,6 +445,7 @@ logging_send_syslog_msg(systemd_coredump
seutil_search_default_contexts(systemd_coredump_t)
+
#######################################
#
# Systemd generator local policy
@@ -436,26 +455,44 @@ allow systemd_generator_t self:fifo_file
allow systemd_generator_t self:capability dac_override;
allow systemd_generator_t self:process setfscreate;
+allow systemd_generator_t self:tcp_socket create;
+allow systemd_generator_t self:udp_socket create;
+allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
+
allow systemd_generator_t systemd_unit_t:file getattr;
+kernel_dontaudit_getattr_proc(systemd_generator_t)
+kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_read_network_state(systemd_generator_t)
+kernel_read_system_state(systemd_generator_t)
+kernel_search_network_sysctl(systemd_generator_t)
+kernel_use_fds(systemd_generator_t)
+
+corecmd_exec_bin(systemd_generator_t)
corecmd_exec_shell(systemd_generator_t)
-corecmd_getattr_bin_files(systemd_generator_t)
dev_read_sysfs(systemd_generator_t)
+dev_read_urand(systemd_generator_t)
dev_write_kmsg(systemd_generator_t)
dev_write_sysfs_dirs(systemd_generator_t)
-files_read_etc_files(systemd_generator_t)
+application_exec(systemd_generator_t)
+domain_read_all_entry_files(systemd_generator_t)
+files_exec_etc_files(systemd_generator_t)
files_search_runtime(systemd_generator_t)
files_list_boot(systemd_generator_t)
files_read_boot_files(systemd_generator_t)
files_read_config_files(systemd_generator_t)
files_search_all_mountpoints(systemd_generator_t)
files_list_usr(systemd_generator_t)
+files_getattr_usr_files(systemd_generator_t)
-fs_list_efivars(systemd_generator_t)
fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
fs_getattr_xattr_fs(systemd_generator_t)
+fs_list_efivars(systemd_generator_t)
+fs_rw_tmpfs_files(systemd_generator_t)
+fs_search_nfs(systemd_generator_t)
init_create_runtime_files(systemd_generator_t)
init_read_all_script_files(systemd_generator_t)
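Review bot: The new `self:tcp_socket create`, `self:udp_socket create` and `netlink_route_socket` rules together with `kernel_read_network_state` give every generator network-enumeration access with no comment naming the generator that needs it, while the optional_policy blocks later in this section (openvpn, postfix) do name theirs. A comment such as `# <generator name> enumerates interfaces via netlink -- TODO confirm` above the socket rules would keep that pattern. `application_exec(systemd_generator_t)` also lands between the `dev_` and `domain_` calls, which looks out of order with the surrounding kernel-layer calls; it reads better next to the other system-layer interfaces further down.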
@@ -472,10 +509,10 @@ init_list_unit_dirs(systemd_generator_t)
init_read_generic_units_symlinks(systemd_generator_t)
init_read_script_files(systemd_generator_t)
-kernel_use_fds(systemd_generator_t)
-kernel_read_system_state(systemd_generator_t)
-kernel_read_kernel_sysctls(systemd_generator_t)
-kernel_dontaudit_getattr_proc(systemd_generator_t)
+miscfiles_read_localization(systemd_generator_t)
+
+selinux_getattr_fs(systemd_generator_t)
+seutil_search_default_contexts(systemd_generator_t)
storage_raw_read_fixed_disk(systemd_generator_t)
@@ -487,6 +524,8 @@ ifdef(`distro_gentoo',`
corecmd_shell_entry_type(systemd_generator_t)
')
+udev_search_runtime(systemd_generator_t)
+
optional_policy(`
fstools_exec(systemd_generator_t)
')
@@ -495,7 +534,21 @@ optional_policy(`
lvm_exec(systemd_generator_t)
lvm_map_config(systemd_generator_t)
lvm_read_config(systemd_generator_t)
- miscfiles_read_localization(systemd_generator_t)
+')
+
+optional_policy(`
+ # for /lib/systemd/system-generators/openvpn-generator
+ openvpn_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+ # it runs postconf
+ # maybe /lib/systemd/system-generators/postfix-instance-generator
+ postfix_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+ tmpreaper_exec(systemd_generator_t)
')
#######################################
@@ -531,6 +584,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
+optional_policy(`
+ unconfined_dbus_send(systemd_hostnamed_t)
+')
+
#########################################
#
# hw local policy
@@ -599,6 +656,7 @@ logging_send_syslog_msg(systemd_log_pars
#
allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:lockdown integrity;
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
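Review bot: `allow systemd_logind_t self:lockdown integrity;` is added without a comment saying which logind operation triggers a kernel lockdown check. If the access is only probed rather than required, a `dontaudit` would be the smaller grant; otherwise a one-line comment naming the operation would justify it.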
@@ -646,11 +704,13 @@ dev_setattr_video_dev(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
+files_search_boot(systemd_logind_t)
files_search_runtime(systemd_logind_t)
fs_getattr_cgroup(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_read_cgroup_files(systemd_logind_t)
@@ -682,6 +742,7 @@ init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)
+init_stream_connect(systemd_logind_t)
# for /run/systemd/transient/*
init_restart_units(systemd_logind_t)
@@ -748,6 +809,11 @@ optional_policy(`
')
optional_policy(`
+ dpkg_dbus_chat(systemd_logind_t)
+ dpkg_read_state(systemd_logind_t)
+')
+
+optional_policy(`
devicekit_dbus_chat_disk(systemd_logind_t)
devicekit_dbus_chat_power(systemd_logind_t)
')
@@ -790,6 +856,9 @@ allow systemd_machined_t systemd_machine
manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
+allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms;
+allow systemd_machined_t systemd_userdb_runtime_t:sock_file { create unlink };
+
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
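Review bot: The two new rules letting systemd_machined_t manage `systemd_userdb_runtime_t` dirs and create/unlink sock_files there carry no comment, and no file transition accompanies them, so they rely on the socket already receiving that label. A comment naming the socket machined registers under the userdb runtime directory would explain the grant; if machined creates the directory itself, a filetrans is the usual companion to `manage_dir_perms`. Confirm what machined actually creates there before widening further.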
@@ -908,6 +977,10 @@ sysnet_read_config(systemd_networkd_t)
systemd_log_parse_environment(systemd_networkd_t)
optional_policy(`
+ bluetooth_dbus_chat(systemd_hostnamed_t)
+')
+
+optional_policy(`
dbus_system_bus_client(systemd_networkd_t)
dbus_connect_system_bus(systemd_networkd_t)
dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
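Review bot: `bluetooth_dbus_chat(systemd_hostnamed_t)` is inserted into the systemd_networkd_t local-policy section (between `systemd_log_parse_environment(systemd_networkd_t)` and networkd's dbus optional_policy), but the rule targets systemd_hostnamed_t. If hostnamed is the intended domain, the block belongs in the hostnamed section this patch already touches, next to the new `unconfined_dbus_send(systemd_hostnamed_t)`; if networkd is intended, the argument is a typo.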
@@ -948,8 +1021,8 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#
-allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
-allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { signal getsched setsched getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot audit_control };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
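Review bot: `audit_control` is appended to the systemd_nspawn_t capability set without a comment; it permits changing the kernel audit configuration, which is more than a container manager normally needs for itself. If it is only probed during container setup, `dontaudit systemd_nspawn_t self:capability audit_control;` is the safer form; otherwise a comment naming the operation that needs it should go above the line. The `getsched setsched` additions are much smaller but would benefit from the same note.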
@@ -974,14 +1047,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
+term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)
+allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms;
+
+kernel_getattr_core_if(systemd_nspawn_t)
+kernel_getattr_proc(systemd_nspawn_t)
+kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
+
kernel_mount_proc(systemd_nspawn_t)
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
kernel_mounton_message_if(systemd_nspawn_t)
kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_files(systemd_nspawn_t)
+kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
+
+kernel_read_irq_sysctls(systemd_nspawn_t)
+kernel_read_network_state(systemd_nspawn_t)
kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_sysctl(systemd_nspawn_t)
kernel_read_system_state(systemd_nspawn_t)
kernel_remount_proc(systemd_nspawn_t)
+kernel_request_load_module(systemd_nspawn_t)
+kernel_search_network_sysctl(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)
corecmd_search_bin(systemd_nspawn_t)
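Review bot: `kernel_getattr_unlabeled_dirs`, `kernel_mounton_unlabeled_dirs` and `kernel_request_load_module` extend systemd_nspawn_t to unlabeled directories and to triggering module loads, and none of the three has a comment. A note on which setup step hits unlabeled dirs (an unlabeled container image, presumably) would help, since a need to mount on unlabeled dirs may point at a labeling gap better fixed with file contexts than with a broader grant.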
@@ -998,6 +1086,7 @@ dev_read_sysfs(systemd_nspawn_t)
dev_read_rand(systemd_nspawn_t)
dev_read_urand(systemd_nspawn_t)
+files_getattr_default_dirs(systemd_nspawn_t)
files_getattr_tmp_dirs(systemd_nspawn_t)
files_manage_etc_files(systemd_nspawn_t)
files_manage_mnt_dirs(systemd_nspawn_t)
@@ -1009,11 +1098,17 @@ files_setattr_runtime_dirs(systemd_nspaw
fs_getattr_cgroup(systemd_nspawn_t)
fs_getattr_tmpfs(systemd_nspawn_t)
+fs_getattr_xattr_fs(systemd_nspawn_t)
+fs_manage_cgroup_dirs(systemd_nspawn_t)
+fs_manage_cgroup_files(systemd_nspawn_t)
+fs_manage_tmpfs_blk_files(systemd_nspawn_t)
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_cgroup(systemd_nspawn_t)
fs_mount_tmpfs(systemd_nspawn_t)
+fs_mounton_cgroup(systemd_nspawn_t)
+fs_read_nsfs_files(systemd_nspawn_t)
fs_remount_tmpfs(systemd_nspawn_t)
fs_remount_xattr_fs(systemd_nspawn_t)
-fs_read_cgroup_files(systemd_nspawn_t)
term_getattr_generic_ptys(systemd_nspawn_t)
term_getattr_pty_fs(systemd_nspawn_t)
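Review bot: `fs_manage_cgroup_dirs`, `fs_mount_cgroup` and `fs_mounton_cgroup` are now granted to systemd_nspawn_t unconditionally, yet the same three calls remain inside the `systemd_nspawn_labeled_namespace` tunable_policy block shown in the hunk at @@ -1055,11 +1155,13 @@; the unconditional copies mean the tunable no longer gates cgroup management. Either the new lines belong inside that tunable block, or the tunable copies should be removed in this patch so the intent is unambiguous. Replacing `fs_read_cgroup_files` with `fs_manage_cgroup_files` widens access in the same way and deserves a comment.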
@@ -1021,6 +1116,7 @@ term_mount_devpts(systemd_nspawn_t)
term_search_ptys(systemd_nspawn_t)
term_setattr_generic_ptys(systemd_nspawn_t)
term_use_ptmx(systemd_nspawn_t)
+term_use_generic_ptys(systemd_nspawn_t)
init_domtrans_script(systemd_nspawn_t)
init_getrlimit(systemd_nspawn_t)
@@ -1031,8 +1127,12 @@ init_write_runtime_socket(systemd_nspawn
init_spec_domtrans_script(systemd_nspawn_t)
miscfiles_manage_localization(systemd_nspawn_t)
+mount_exec(systemd_nspawn_t)
+
udev_read_runtime_files(systemd_nspawn_t)
+sysnet_exec_ifconfig(systemd_nspawn_t)
+
# for writing inside chroot
sysnet_manage_config(systemd_nspawn_t)
@@ -1055,11 +1155,13 @@ tunable_policy(`systemd_nspawn_labeled_n
allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+ fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
fs_getattr_cgroup(systemd_nspawn_t)
fs_manage_cgroup_dirs(systemd_nspawn_t)
fs_manage_tmpfs_dirs(systemd_nspawn_t)
fs_manage_tmpfs_files(systemd_nspawn_t)
+ fs_manage_tmpfs_sockets(systemd_nspawn_t)
fs_manage_tmpfs_symlinks(systemd_nspawn_t)
fs_mount_cgroup(systemd_nspawn_t)
fs_mounton_cgroup(systemd_nspawn_t)
@@ -1077,8 +1179,11 @@ tunable_policy(`systemd_nspawn_labeled_n
init_domtrans(systemd_nspawn_t)
+ logging_manage_runtime_sockets(systemd_nspawn_t)
+ logging_relabelto_devlog_sock_files(systemd_nspawn_t)
logging_search_logs(systemd_nspawn_t)
+ seutil_exec_setfiles(systemd_nspawn_t)
seutil_search_default_contexts(systemd_nspawn_t)
')
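Review bot: `seutil_exec_setfiles(systemd_nspawn_t)` runs setfiles inside the nspawn domain rather than transitioning to the setfiles domain, so any relabeling it performs must be covered by relabel permissions on systemd_nspawn_t itself. If the call originates from the container's own startup, a comment saying so would explain the choice; otherwise `seutil_domtrans_setfiles(systemd_nspawn_t)` is the usual form. The enclosing tunable_policy block starts outside the hunk.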
@@ -1105,7 +1210,7 @@ allow systemd_passwd_agent_t self:capabi
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
+allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch;
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
@@ -1115,6 +1220,7 @@ init_runtime_filetrans(systemd_passwd_ag
can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
kernel_read_system_state(systemd_passwd_agent_t)
+kernel_search_fs_sysctls(systemd_passwd_agent_t)
kernel_stream_connect(systemd_passwd_agent_t)
dev_create_generic_dirs(systemd_passwd_agent_t)
@@ -1141,6 +1247,7 @@ init_create_runtime_dirs(systemd_passwd_
init_read_runtime_pipes(systemd_passwd_agent_t)
init_read_state(systemd_passwd_agent_t)
init_read_utmp(systemd_passwd_agent_t)
+init_use_script_ptys(systemd_passwd_agent_t)
init_stream_connect(systemd_passwd_agent_t)
logging_send_syslog_msg(systemd_passwd_agent_t)
@@ -1420,6 +1527,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
fs_list_tmpfs(systemd_tmpfiles_t)
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_search_auto_mountpoints(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_use_status_page(systemd_tmpfiles_t)
@@ -1491,6 +1599,11 @@ tunable_policy(`systemd_tmpfilesd_factor
')
optional_policy(`
+ colord_read_lib_files(systemd_tmpfiles_t)
+ colord_relabel_lib(systemd_tmpfiles_t)
+')
+
+optional_policy(`
dbus_manage_lib_files(systemd_tmpfiles_t)
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
@@ -1611,13 +1724,15 @@ seutil_libselinux_linked(systemd_user_se
# systemd-user-runtime-dir local policy
#
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod };
allow systemd_user_runtime_dir_t self:process setfscreate;
domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
+allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
files_read_etc_files(systemd_user_runtime_dir_t)
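Review bot: `mknod` is added to the systemd_user_runtime_dir_t capability set, but the only device-related access this patch gives the domain is unlinking chr/blk files (`userdom_unlink_user_tmp_devices` in a later hunk), and deleting a device node does not need that capability. If it is merely probed during cleanup, `dontaudit systemd_user_runtime_dir_t self:capability mknod;` avoids granting device creation to a cleanup helper; otherwise a comment should name what the domain creates.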
@@ -1650,8 +1765,13 @@ userdom_delete_all_user_runtime_chr_file
userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
+userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t)
+
userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
+userdom_list_user_tmp(systemd_user_runtime_dir_t)
userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
@@ -1661,3 +1781,15 @@ userdom_relabelto_user_runtime_dirs(syst
optional_policy(`
dbus_system_bus_client(systemd_user_runtime_dir_t)
')
+
+optional_policy(`
+ dirmngr_unlink_tmp_sock(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
+ gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
+ userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
+')
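Review bot: `userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)` is wrapped in optional_policy, while every other `userdom_` call for this domain in the preceding hunk is unconditional and the userdomain module is not optional for the rest of the file; the wrapper is inconsistent and hides the grant from anyone scanning the unconditional rules. Move it up next to the other `userdom_delete_*` calls, without the optional_policy.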
Index: refpolicy-2.20210908/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20210908/policy/modules/admin/dpkg.if
@@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
')
+
+########################################
+## <summary>
+## send dbus messages to dpkg_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_dbus_chat',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## read dpkg_t process state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_state',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:dir search;
+ allow $1 dpkg_t:file read_file_perms;
+')
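Review bot: dpkg_dbus_chat grants only `allow $1 dpkg_t:dbus send_msg;`, while the `_dbus_chat` naming used by the other interfaces this patch calls denotes two-way messaging; either add the reverse rule `allow dpkg_t $1:dbus send_msg;` or name the interface dpkg_dbus_send so callers such as systemd_logind_t are not misled about replies. The gen_require should also list `class dbus send_msg;` alongside the type. dpkg_read_state hand-rolls `dir search` and `file read_file_perms`; `ps_process_pattern($1, dpkg_t)` is the helper for reading another domain's process state and covers the lnk_file reads under /proc as well.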
Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210908/policy/modules/roles/sysadm.te
@@ -99,6 +99,10 @@ ifdef(`init_systemd',`
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
+ systemd_run_nspawn(sysadm_t, sysadm_r)
+ systemd_run_passwd_agent(sysadm_t, sysadm_r)
+
+
# Allow sysadm to get the status of and set properties of other users,
# sessions, and seats on the system.
systemd_dbus_chat_logind(sysadm_t)
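Review bot: Two blank lines are added after `systemd_run_passwd_agent(sysadm_t, sysadm_r)`, where the file otherwise separates groups with one. `systemd_run_passwd_agent` is not defined anywhere in this patch, so it is assumed to already exist in systemd.if; worth confirming, since a missing interface only surfaces at policy build time.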
Index: refpolicy-2.20210908/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20210908/policy/modules/services/networkmanager.te
@@ -332,6 +332,9 @@ optional_policy(`
optional_policy(`
systemd_read_logind_runtime_files(NetworkManager_t)
systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_watch_logind_runtime_dirs(NetworkManager_t)
+ systemd_watch_logind_sessions_dirs(NetworkManager_t)
+ systemd_watch_machines_dirs(NetworkManager_t)
systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
')
Index: refpolicy-2.20210908/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20210908/policy/modules/services/policykit.te
@@ -134,12 +134,15 @@ optional_policy(`
optional_policy(`
# for /run/systemd/machines
systemd_read_machines(policykit_t)
+ systemd_watch_machines_dirs(policykit_t)
# for /run/systemd/seats/seat*
systemd_read_logind_sessions_files(policykit_t)
+ systemd_watch_logind_sessions_dirs(policykit_t)
# for /run/systemd/users/*
systemd_read_logind_runtime_files(policykit_t)
+ systemd_watch_logind_runtime_dirs(policykit_t)
')
########################################
Index: refpolicy-2.20210908/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210908/policy/modules/services/devicekit.te
@@ -195,6 +195,12 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(devicekit_disk_t)
+ systemd_use_logind_fds(devicekit_disk_t)
+ systemd_write_inherited_logind_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
udev_domtrans_udevadm(devicekit_disk_t)
udev_read_runtime_files(devicekit_disk_t)
')
Index: refpolicy-2.20210908/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210908/policy/modules/services/ssh.te
@@ -270,6 +270,7 @@ ifdef(`init_systemd',`
auth_use_pam_systemd(sshd_t)
init_dbus_chat(sshd_t)
init_rw_stream_sockets(sshd_t)
+ systemd_dgram_nspawn(sshd_t)
systemd_write_inherited_logind_sessions_pipes(sshd_t)
')
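Review bot: `systemd_dgram_nspawn(sshd_t)` has no comment explaining why sshd sends datagrams to nspawn's runtime socket, and the surrounding init_systemd block does not say either. A one-line comment naming the scenario (sshd inside a container notifying its nspawn parent, presumably) would make the grant reviewable later.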
Index: refpolicy-2.20210908/policy/modules/apps/gpg.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/apps/gpg.if
+++ refpolicy-2.20210908/policy/modules/apps/gpg.if
@@ -274,6 +274,24 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## unlink gpg_agent_tmp_t sock_file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_unlink_sock',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:sock_file unlink;
+')
+
+########################################
+## <summary>
## filetrans in gpg_runtime_t dirs
## </summary>
## <param name="domain">
Index: refpolicy-2.20210908/policy/modules/services/dirmngr.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/dirmngr.if
+++ refpolicy-2.20210908/policy/modules/services/dirmngr.if
@@ -34,6 +34,24 @@ interface(`dirmngr_role',`
allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
')
+############################################################
+## <summary>
+## unlink dirmngr_tmp_t sock_file
+## </summary>
+## <param name="domain">
+## <summary>
+## domain allowed access
+## </summary>
+## </param>
+#
+interface(`dirmngr_unlink_tmp_sock',`
+ gen_require(`
+ type dirmngr_tmp_t;
+ ')
+
+ allow $1 dirmngr_tmp_t:sock_file unlink;
+')
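Review bot: The banner above dirmngr_unlink_tmp_sock is `############################################################`, longer than the 40-character `########################################` used by the neighbouring interfaces and by dirmngr_tmp_dir_search in the next hunk; trim it to match. The parameter summary `domain allowed access` is also lowercase and unpunctuated, unlike `Domain allowed access.` in its sibling.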
+
########################################
## <summary>
## Execute dirmngr in the dirmngr domain.
@@ -95,6 +113,24 @@ interface(`dirmngr_stream_connect',`
')
########################################
+## <summary>
+## Search dirmngr_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_tmp_dir_search',`
+ gen_require(`
+ type dirmngr_tmp_t;
+ ')
+
+ allow $1 dirmngr_tmp_t:dir search_dir_perms;
+')
+
+########################################
## <summary>
## All of the rules required to
## administrate an dirmngr environment.
Index: refpolicy-2.20210908/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210908/policy/modules/system/logging.te
@@ -555,6 +555,7 @@ ifdef(`init_systemd',`
logging_send_syslog_msg(syslogd_t)
systemd_manage_journal_files(syslogd_t)
+ systemd_search_user_runtime(syslogd_t)
udev_read_runtime_files(syslogd_t)
Index: refpolicy-2.20210908/policy/modules/services/colord.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/colord.if
+++ refpolicy-2.20210908/policy/modules/services/colord.if
@@ -58,3 +58,22 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+######################################
+## <summary>
+## relabel colord lib files and dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_relabel_lib',`
+ gen_require(`
+ type colord_var_lib_t;
+ ')
+
+ allow $1 colord_var_lib_t:dir { list_dir_perms relabelfrom relabelto };
+ allow $1 colord_var_lib_t:file { relabelfrom relabelto };
+')
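Review bot: colord_relabel_lib does not call `files_search_var_lib($1)` although the sibling colord_read_lib_files directly above it does, so a caller with no other path into /var/lib cannot reach the files it is allowed to relabel. The hand-written permission sets also skip the usual helpers: `relabel_dirs_pattern($1, colord_var_lib_t, colord_var_lib_t)` and `relabel_files_pattern($1, colord_var_lib_t, colord_var_lib_t)` express the intent, with `list_dir_perms` kept explicitly if the caller relabels recursively, since the helpers grant only search on the dirs.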
Index: refpolicy-2.20210908/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210908/policy/modules/system/userdomain.if
@@ -4539,6 +4539,25 @@ interface(`userdom_dontaudit_write_user_
########################################
## <summary>
+## Delete user_tmp_t device nodes (probably should not have been
+## created in the first place)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow deleting
+## </summary>
+## </param>
+#
+interface(`userdom_unlink_user_tmp_devices',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:{ chr_file blk_file } unlink;
+')
+
+########################################
+## <summary>
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">