diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2bf15947a..7014a7cb2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3250,6 +3250,24 @@ interface(`files_exec_etc_files',`
exec_files_pattern($1, etc_t, etc_t)
')
+########################################
+##
+## Watch /etc files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_watch_etc_files', `
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:file watch;
+')
+
########################################
##
## Get etc_t service status.
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 4a77c2cc1..836a472f1 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -104,6 +104,7 @@
/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/multipath -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 1cf6e1753..b0d1c02b7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -51,7 +51,7 @@ files_type(lvm_var_lib_t)
# net_admin for multipath
allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
dontaudit lvm_t self:capability sys_tty_config;
-allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
+allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate setrlimit };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms;
@@ -115,6 +115,7 @@ kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys
kernel_read_kernel_sysctls(lvm_t)
+kernel_read_fs_sysctls(lvm_t)
# for when /usr is not mounted:
kernel_dontaudit_search_unlabeled(lvm_t)
# it has no reason to need this
@@ -123,6 +124,8 @@ kernel_use_fds(lvm_t)
# for systemd-cryptsetup
kernel_read_crypto_sysctls(lvm_t)
kernel_search_debugfs(lvm_t)
+# multipath
+kernel_read_vm_overcommit_sysctl(lvm_t)
corecmd_exec_bin(lvm_t)
corecmd_exec_shell(lvm_t)
@@ -159,6 +162,7 @@ domain_read_all_domains_state(lvm_t)
files_read_usr_files(lvm_t)
files_read_etc_files(lvm_t)
+files_watch_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
fs_getattr_xattr_fs(lvm_t)
@@ -210,6 +214,10 @@ seutil_read_file_contexts(lvm_t)
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
+# multipath
+sysnet_read_config(lvm_t)
+sysnet_write_config(lvm_t)
+
userdom_use_inherited_user_terminals(lvm_t)
ifdef(`init_systemd',`
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 5ce90339a..df6ef2789 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -51,6 +51,8 @@ allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+# rdma_rename
+allow udev_t self:netlink_rdma_socket create_socket_perms;
ifdef(`init_systemd',`
# systemd-vconsole-setup will be called by udev during virtual terminal initialization
@@ -96,7 +98,8 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
kernel_search_key(udev_t)
-
+# kpartx:
+kernel_get_sysvipc_info(udev_t)
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
kernel_read_crypto_sysctls(udev_t)