diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d313d70c8..f87be1877 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -251,6 +251,7 @@ ifdef(`init_systemd',`
allow init_t self:capability2 audit_read;
allow init_t self:key { search setattr write };
allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+ dontaudit init_t self:process { dyntransition setcurrent };
allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
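Review bot: The new `dontaudit init_t self:process { dyntransition setcurrent };` after the bpf rule has no comment, although the other rules in this init_systemd block record why init needs an access (`# for systemd to read udev status`, `# for privatetmp functions`). dontaudit only suppresses the denial record; init_t still cannot switch its own context, which is the intended outcome for PID 1, but a reader later cannot tell whether the silenced attempt is expected or a regression. A one-line comment above the rule, for example `# systemd attempts setcurrent/dyntransition on itself; the denial is intended, only the log noise is silenced` (adjust to the actual trigger), would keep that knowledge in the policy. The enclosing init_systemd block starts and ends outside the hunk.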
@@ -430,6 +431,7 @@ ifdef(`init_systemd',`
fs_relabel_tmpfs_blk_files(init_t)
fs_relabel_tmpfs_chr_files(init_t)
fs_relabel_tmpfs_fifo_files(init_t)
+ fs_read_efivarfs_files(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)
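Review bot: `fs_read_efivarfs_files(init_t)` is inserted between the fs_relabel_tmpfs_* calls, which breaks the alphabetical order refpolicy keeps among a module's interface calls (read sorts before relabel); move it above `fs_relabel_tmpfs_blk_files(init_t)`. The call also carries no note on what systemd reads from efivarfs, unlike the neighbouring `# for privatetmp functions`; a short `# systemd reads EFI variables` with the concrete reason, if known, would help. The surrounding block continues on both sides of the hunk.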
@@ -508,6 +510,9 @@ ifdef(`init_systemd',`
# for systemd to read udev status
udev_read_runtime_files(init_t)
+ udev_relabel_rules_dirs(init_t)
+ udev_relabel_rules_files(init_t)
+
userdom_relabel_user_runtime_root_dirs(init_t)
tunable_policy(`init_mounton_non_security',`
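Review bot: The two udev_relabel_rules_* calls grant init_t relabelfrom and relabelto on udev_rules_t without a comment, while the preceding `udev_read_runtime_files(init_t)` is explained by `# for systemd to read udev status`. Relabel is a broader permission than the read it sits next to, since it lets init move files into and out of the udev_rules_t type, so the reason should be recorded; presumably systemd restores labels on udev rules it creates, but that is not visible in the diff. Suggest a line such as `# systemd relabels udev rules it installs (confirm path)` above the two calls. The enclosing init_systemd block starts and ends outside the hunk.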
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 538f28514..f02b73edd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -202,6 +202,46 @@ interface(`udev_manage_rules_files',`
udev_search_runtime($1)
')
+########################################
+##
+## Relabel udev rules directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_dirs',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+')
+
+########################################
+##
+## Relabel udev rules files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ relabel_files_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+')
+
########################################
##
## Do not audit search of udev database directories. (Deprecated)
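Review bot: Both new interfaces add only `files_search_etc($1)`, whereas the neighbouring `udev_manage_rules_files` in this file also grants `udev_search_runtime($1)`, which suggests udev_rules_t content may exist under the runtime directory as well as under /etc; if so, a caller of udev_relabel_rules_dirs or udev_relabel_rules_files would be able to relabel rules under /etc but be denied directory search on the runtime path, and the failure would show up as a search denial on the runtime directory rather than on udev_rules_t itself. Either add `udev_search_runtime($1)` to both new interfaces for consistency with udev_manage_rules_files, or state in each interface summary that only the /etc location is covered. The body of udev_manage_rules_files begins outside the hunk.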