Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Wed, 3 Feb 2021 15:10:02 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] little misc patches
Message-ID: <YBoiGu2yVwv39Qnh@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk

More little misc patches.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/admin/acct.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
+++ refpolicy-2.20210203/policy/modules/admin/acct.te
@@ -57,6 +57,7 @@ init_use_fds(acct_t)
 init_use_script_ptys(acct_t)
 init_exec_script_files(acct_t)
 
+logging_search_logs(acct_t)
 logging_send_syslog_msg(acct_t)
 
 miscfiles_read_localization(acct_t)
Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
@@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
+allow bootloader_t self:netlink_selinux_socket connected_socket_perms;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
@@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
 kernel_getattr_core_if(bootloader_t)
+kernel_read_crypto_sysctls(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
@@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t
 
 mount_rw_runtime_files(bootloader_t)
 
+selinux_get_enforce_mode(bootloader_t)
 selinux_getattr_fs(bootloader_t)
+selinux_search_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
+seutil_read_config(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
+++ refpolicy-2.20210203/policy/modules/admin/brctl.te
@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
 # Local policy
 #
 
-allow brctl_t self:capability net_admin;
+allow brctl_t self:capability { net_admin sys_module };
 allow brctl_t self:fifo_file rw_fifo_file_perms;
 allow brctl_t self:unix_stream_socket create_stream_socket_perms;
 allow brctl_t self:unix_dgram_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
@@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
 
+libs_exec_lib_files(logrotate_t)
+
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
+++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
@@ -1,3 +1,4 @@
 /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/cdrskin	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/growisofs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
Index: refpolicy-2.20210203/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210203/policy/modules/apps/games.te
@@ -92,7 +92,9 @@ optional_policy(`
 allow games_t self:fifo_file rw_fifo_file_perms;
 allow games_t self:sem create_sem_perms;
 allow games_t self:tcp_socket { accept listen };
+allow games_t self:process getsched;
 
+manage_dirs_pattern(games_t, games_data_t, games_data_t)
 manage_files_pattern(games_t, games_data_t, games_data_t)
 manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
 
@@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
 
 manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
 manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+allow games_t games_tmp_t:file map;
+
 files_tmp_filetrans(games_t, games_tmp_t, { file dir })
 
 manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
@@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
 corenet_sendrecv_generic_client_packets(games_t)
 corenet_tcp_connect_generic_port(games_t)
 
+corenet_udp_bind_generic_node(games_t)
+
 dev_read_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
@@ -136,13 +142,16 @@ dev_rw_dri(games_t)
 dev_write_sound(games_t)
 
 files_list_var(games_t)
+files_search_mnt(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
+files_map_usr_files(games_t)
 files_read_etc_files(games_t)
 files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 fs_dontaudit_getattr_xattr_fs(games_t)
+fs_search_nfs(games_t)
 
 init_dontaudit_rw_utmp(games_t)
 
@@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
 userdom_manage_user_tmp_files(games_t)
 userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
+userdom_use_user_ptys(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
 tunable_policy(`allow_execmem',`
@@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
 
 optional_policy(`
 	alsa_read_config(games_t)
+	alsa_read_home_files(games_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20210203/policy/modules/apps/gpg.te
@@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
 miscfiles_read_localization(gpg_t)
 
 userdom_use_user_terminals(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
 
 userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
 /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-vsock	-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
@@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
 allow sysadm_t self:capability audit_write;
 allow sysadm_t self:system status;
 
+kernel_request_load_module(sysadm_t)
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
@@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 init_admin(sysadm_t)
+init_rw_stream_sockets(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
@@ -29,6 +29,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
 	vlock_run(user_t, user_r)
 ')
 
@@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		ssh_role_template(user, user_r, user_t)
-	')
-
-	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
 
Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210203/policy/modules/system/authlogin.te
@@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
 
 logging_search_logs(utempter_t)
 
+term_use_ptmx(utempter_t)
+
 userdom_use_user_terminals(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
@@ -406,6 +408,7 @@ optional_policy(`
 optional_policy(`
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
+	xserver_write_inherited_xsession_log(utempter_t)
 ')
 
 #######################################
Index: refpolicy-2.20210203/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.if
+++ refpolicy-2.20210203/policy/modules/system/init.if
@@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
 
+#######################################
+## <summary>
+##	getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	allow $1 systemdunit:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Manage systemd unit dirs and the files in them
Index: refpolicy-2.20210203/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.te
+++ refpolicy-2.20210203/policy/modules/system/init.te
@@ -244,7 +244,6 @@ ifdef(`init_systemd',`
 	allow init_t self:udp_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
@@ -262,7 +261,7 @@ ifdef(`init_systemd',`
 
 	# setexec and setkeycreate for systemd --user
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
-	allow init_t self:capability2 { audit_read block_suspend };
+	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
@@ -428,6 +427,7 @@ ifdef(`init_systemd',`
 	miscfiles_watch_localization(init_t)
 
 	mount_watch_runtime_dirs(init_t)
+	mount_watch_runtime_files_reads(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
Index: refpolicy-2.20210203/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210203/policy/modules/system/logging.te
@@ -510,6 +510,7 @@ seutil_read_config(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
+userdom_search_user_runtime_root(syslogd_t)
 
 ifdef(`init_systemd',`
 	# for systemd-journal
@@ -549,6 +550,8 @@ ifdef(`init_systemd',`
 	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
+	userdom_list_user_tmp(syslogd_t)
+	userdom_read_user_tmp_symlinks(syslogd_t)
 ')
 
 ifdef(`distro_gentoo',`
Index: refpolicy-2.20210203/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210203/policy/modules/system/lvm.te
@@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t)
 files_list_usr(clvmd_t)
 
 fs_getattr_all_fs(clvmd_t)
+fs_getattr_pstore_dirs(lvm_t)
 fs_search_auto_mountpoints(clvmd_t)
+fs_search_cgroup_dirs(lvm_t)
 fs_dontaudit_list_tmpfs(clvmd_t)
 fs_dontaudit_read_removable_files(clvmd_t)
 fs_rw_anon_inodefs_files(clvmd_t)
+fs_search_bpf(lvm_t)
 
 storage_dontaudit_getattr_removable_dev(clvmd_t)
 storage_manage_fixed_disk(clvmd_t)
@@ -167,7 +170,6 @@ optional_policy(`
 allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
-# LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
@@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 storage_dontaudit_read_removable_device(lvm_t)
+storage_getattr_removable_dev(lvm_t)
+
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
 # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
Index: refpolicy-2.20210203/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20210203/policy/modules/system/modutils.te
@@ -34,6 +34,7 @@ ifdef(`init_systemd',`
 #
 
 allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
+allow kmod_t self:lockdown confidentiality;
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
Index: refpolicy-2.20210203/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.te
+++ refpolicy-2.20210203/policy/modules/system/mount.te
@@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
 files_dontaudit_write_all_mountpoints(mount_t)
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
+fs_getattr_binfmt_misc_fs(mount_t)
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_tmpfs(mount_t)
 fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
 fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
Index: refpolicy-2.20210203/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/raid.te
+++ refpolicy-2.20210203/policy/modules/system/raid.te
@@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
 files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
 files_dontaudit_getattr_all_files(mdadm_t)
+files_search_tmp(mdadm_t)
 
 fs_getattr_all_fs(mdadm_t)
 fs_list_auto_mountpoints(mdadm_t)
Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
@@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t)
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_getattr_pstorefs(restorecond_t)
 
+logging_watch_generic_logs_dir(restorecond_t)
+
 selinux_validate_context(restorecond_t)
 selinux_compute_access_vector(restorecond_t)
 selinux_compute_create_context(restorecond_t)
 selinux_compute_relabel_context(restorecond_t)
 selinux_compute_user_contexts(restorecond_t)
+seutil_read_file_contexts(restorecond_t)
 
 files_relabel_non_auth_files(restorecond_t )
 files_dontaudit_read_all_symlinks(restorecond_t)
+files_watch_etc_dirs(restorecond_t)
+files_watch_runtime_dirs(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
 logging_send_syslog_msg(restorecond_t)
@@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
 # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
 
+kernel_getattr_proc(run_init_t)
+
 corecmd_exec_bin(run_init_t)
 corecmd_exec_shell(run_init_t)
 
@@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 allow setfiles_t file_context_t:file map;
 
+kernel_read_kernel_sysctls(setfiles_t)
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
@@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20210203/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210203/policy/modules/system/udev.te
@@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 { wake_alarm block_suspend };
+allow udev_t self:lockdown confidentiality;
 allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
@@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
 manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 
 manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+allow udev_t udev_runtime_t:dir watch;
 manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
@@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_var_lib_symlinks(udev_t)
 files_mmap_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
@@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_search_tmpfs(udev_t)
 fs_search_tracefs(udev_t)
 
 mcs_ptrace_all(udev_t)
@@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
+# for /run/console-setup
+fs_manage_tmpfs_dirs(udev_t)
+fs_manage_tmpfs_files(udev_t)
+
 init_read_utmp(udev_t)
 init_domtrans_script(udev_t)
 # systemd-udevd searches /run/systemd
@@ -260,9 +268,6 @@ ifdef(`init_systemd',`
 	optional_policy(`
 		init_dbus_chat(udev_t)
 	')
-',`
-	fs_manage_tmpfs_dirs(udev_t)
-	fs_manage_tmpfs_files(udev_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210203/policy/modules/system/unconfined.te
@@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
 logging_run_auditctl(unconfined_t, unconfined_r)
 
 mount_run_unconfined(unconfined_t, unconfined_r)
+mount_watch_runtime_files_reads(unconfined_t)
 
 seutil_run_setfiles(unconfined_t, unconfined_r)
 seutil_run_semanage(unconfined_t, unconfined_r)