diff --git a/.travis.yml b/.travis.yml index cded22a26..c0cf1a886 100755 --- a/.travis.yml +++ b/.travis.yml @@ -5,24 +5,24 @@ python: - "2.7" env: - - TYPE=standard DISTRO=redhat MONOLITHIC=y - - TYPE=standard DISTRO=redhat MONOLITHIC=n - - TYPE=standard DISTRO=debian MONOLITHIC=y - - TYPE=standard DISTRO=debian MONOLITHIC=n - - TYPE=standard DISTRO=gentoo MONOLITHIC=y - - TYPE=standard DISTRO=gentoo MONOLITHIC=n - - TYPE=mcs DISTRO=redhat MONOLITHIC=y - - TYPE=mcs DISTRO=redhat MONOLITHIC=n - - TYPE=mcs DISTRO=debian MONOLITHIC=y - - TYPE=mcs DISTRO=debian MONOLITHIC=n - - TYPE=mcs DISTRO=gentoo MONOLITHIC=y - - TYPE=mcs DISTRO=gentoo MONOLITHIC=n - - TYPE=mls DISTRO=redhat MONOLITHIC=y - - TYPE=mls DISTRO=redhat MONOLITHIC=n - - TYPE=mls DISTRO=debian MONOLITHIC=y - - TYPE=mls DISTRO=debian MONOLITHIC=n - - TYPE=mls DISTRO=gentoo MONOLITHIC=y - - TYPE=mls DISTRO=gentoo MONOLITHIC=n + - TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y + - TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=y + - TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y + - TYPE=standard DISTRO=debian MONOLITHIC=n SYSTEMD=y + - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n + - TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n + - TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y + - TYPE=mcs DISTRO=redhat MONOLITHIC=n SYSTEMD=y + - TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y + - TYPE=mcs DISTRO=debian MONOLITHIC=n SYSTEMD=y + - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n + - TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n + - TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y + - TYPE=mls DISTRO=redhat MONOLITHIC=n SYSTEMD=y + - TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y + - TYPE=mls DISTRO=debian MONOLITHIC=n SYSTEMD=y + - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n + - TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n before_install: - lsb_release -a 
@@ -50,7 +50,7 @@ before_install: - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install # Drop build.conf settings to listen to env vars - - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO)/d' build.conf + - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf script: - echo $TYPE $DISTRO $MONOLITHIC diff --git a/Makefile b/Makefile index 78332245a..f651e400b 100644 --- a/Makefile +++ b/Makefile @@ -190,6 +190,10 @@ ifeq "$(DISTRO)" "ubuntu" M4PARAM += -D distro_debian endif +ifeq "$(SYSTEMD)" "y" + M4PARAM += -D init_systemd +endif + ifneq ($(OUTPUT_POLICY),) CHECKPOLICY += -c $(OUTPUT_POLICY) endif @@ -522,6 +526,7 @@ ifneq "$(DISTRO)" "" endif $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf + $(verbose) echo "SYSTEMD ?= $(SYSTEMD)" >> $(headerdir)/build.conf $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf diff --git a/build.conf b/build.conf index 0fffc2a4d..087d952a4 100644 --- a/build.conf +++ b/build.conf @@ -44,6 +44,10 @@ UNK_PERMS = deny # not work in conditional policy. DIRECT_INITRC = n +# Systemd +# Setting this will configure systemd as the init system. +SYSTEMD = n + # Build monolithic policy. Putting y here # will build a monolithic policy. MONOLITHIC = n diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 056cdd7ce..3fe2bb96d 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -393,6 +393,17 @@ class system syslog_mod syslog_console module_request + + # these are overloaded userspace + # permissions from systemd + halt + reboot + status + start + stop + enable + disable + reload } # @@ -910,3 +921,13 @@ inherits database implement execute } + +class service +{ + start + stop + status + reload + enable + disable +} 
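Review bot: The headers' build.conf records `SYSTEMD ?= $(SYSTEMD)` as an overridable default, while UBAC and the MLS settings written on the following lines use `override ... :=`; since `init_systemd` changes how init.if interfaces such as init_daemon_domain expand (see the init.if hunks in this diff), a module built against the headers with a different SYSTEMD value would be built against a different interface contract than the base policy. If that mismatch matters in the way it does for UBAC, consider `$(verbose) echo "override SYSTEMD := $(SYSTEMD)" >> $(headerdir)/build.conf`; if the overridable form is intentional, as DIRECT_INITRC on the preceding line suggests it may be, a one-line comment saying so would help. The recipe this line belongs to starts outside the hunk.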
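Review bot: The new build.conf comment `# Setting this will configure systemd as the init system.` reads as if the build switches the host's init, whereas the Makefile hunk shows it only adds `-D init_systemd` to M4PARAM so the policy is generated for a systemd-booted system. Suggest `# Set to y to build the policy for a system booted by systemd (defines the init_systemd m4 symbol). This does not install or enable systemd.` so readers do not expect the build to touch the running system.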
diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 8bc5d4ed4..8b6f1ed3f 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -145,4 +145,6 @@ class db_view # userspace class db_sequence # userspace class db_language # userspace +class service # userspace + # FLASK diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index fd4fe8563..77d6a1802 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -235,6 +235,8 @@ ifdef(`distro_gentoo',` /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 3b904d751..859e218db 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',` type device_t; ') - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) + relabelfrom_dirs_pattern($1, device_t, { device_t device_node }) + relabelfrom_files_pattern($1, device_t, { device_t device_node }) relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) + relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node }) + relabelfrom_sock_files_pattern($1, device_t, { device_t device_node }) relabel_blk_files_pattern($1, device_t, { device_t device_node }) relabel_chr_files_pattern($1, device_t, { device_t device_node }) ') @@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',` type device_t; ') - allow $1 device_t:chr_file relabelfrom; + allow $1 device_t:chr_file relabelfrom_chr_file_perms; ') ######################################## @@ -1941,6 +1941,30 @@ interface(`dev_filetrans_dri',` filetrans_pattern($1, device_t, dri_device_t, chr_file, $2) ') +######################################## +## +## Automatic type transition to the type +## for event device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`dev_filetrans_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + filetrans_pattern($1, device_t, event_device_t, chr_file, $2) +') + ######################################## ## ## Get the attributes of the event devices. 
@@ -2015,6 +2039,24 @@ interface(`dev_rw_input_dev',` rw_chr_files_pattern($1, device_t, event_device_t) ') +######################################## +## +## Create, read, write, and delete input event devices (/dev/input). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + manage_chr_files_pattern($1, device_t, event_device_t) +') + ######################################## ## ## Get the attributes of the framebuffer device node. @@ -4086,6 +4128,26 @@ interface(`dev_rw_sysfs',` list_dirs_pattern($1, sysfs_t, sysfs_t) ') +######################################## +## +## Relabel from/to all sysfs types. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_all_sysfs',` + gen_require(` + attribute sysfs_types; + ') + + allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms }; + allow $1 sysfs_types:file relabel_file_perms; + allow $1 sysfs_types:lnk_file relabel_lnk_file_perms; +') + ######################################## ## ## Read and write the TPM device. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index e5bcfcd75..9274a8236 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -9,6 +9,7 @@ attribute device_node; attribute memory_raw_read; attribute memory_raw_write; attribute devices_unconfined_type; +attribute sysfs_types; # # device_t is the type of /dev. @@ -62,7 +63,7 @@ dev_node(cpu_device_t) # # /sys/devices/system/cpu/online device # -type cpu_online_t; +type cpu_online_t, sysfs_types; files_type(cpu_online_t) dev_associate_sysfs(cpu_online_t) @@ -229,7 +230,7 @@ dev_node(sound_device_t) # # sysfs_t is the type for the /sys pseudofs # -type sysfs_t; +type sysfs_t, sysfs_types; files_mountpoint(sysfs_t) fs_xattr_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) 
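Review bot: `sysfs_types` is attached only to `sysfs_t` and `cpu_online_t` in the devices.te hunks, so `dev_relabel_all_sysfs` (devices.if hunk above) does not reach other types that are placed on sysfs through `dev_associate_sysfs` in other modules; dev_associate_sysfs itself is outside this diff, so that is inferred from what the hunks show. If "all sysfs types" is the intent, consider having the association interface add `typeattribute $1 sysfs_types;` as well, or state in the interface summary that only types declared with the attribute are covered. A comment at the declaration, `# types that live on the sysfs pseudo filesystem; relabeled by dev_relabel_all_sysfs`, would make the contract visible to module authors.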
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 3861c8efe..e6de5fa72 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',` dontaudit domain self:udp_socket listen; ') +ifdef(`init_systemd',` + optional_policy(` + shutdown_sigchld(domain) + ') +') + tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 692db4593..1cedea2e3 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -561,6 +561,24 @@ interface(`files_manage_non_security_dirs',` allow $1 non_security_file_type:dir manage_dir_perms; ') +######################################## +## +## Relabel from/to non-security directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type) +') + ######################################## ## ## Get the attributes of all files. 
@@ -618,6 +636,44 @@ interface(`files_dontaudit_getattr_non_security_files',` dontaudit $1 non_security_file_type:file getattr; ') +######################################## +## +## Create, read, write, and delete all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + manage_files_pattern($1, non_security_file_type, non_security_file_type) +') + +######################################## +## +## Relabel from/to all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabel_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + relabel_files_pattern($1, non_security_file_type, non_security_file_type) +') + ######################################## ## ## Read all files. @@ -1944,6 +2000,24 @@ interface(`files_unmount_rootfs',` allow $1 root_t:filesystem unmount; ') +######################################## +## +## Mount on the root directory (/) +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_root',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir mounton; +') + ######################################## ## ## Get attributes of the /boot directory. @@ -2816,6 +2890,24 @@ interface(`files_exec_etc_files',` exec_files_pattern($1, etc_t, etc_t) ') +######################################## +## +## Get etc_t service status. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_get_etc_unit_status',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:service status; +') + ####################################### ## ## Relabel from and to generic files in /etc. 
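Review bot: `files_get_etc_unit_status` uses the userspace `service` class without requiring it, whereas `init_service_status` in the init.if hunks of this same diff lists `class service status;` in its gen_require; add `class service status;` to the gen_require block so a module built against a policy without that class fails at the require rather than at the rule. The summary `## Get etc_t service status.` is also terse; something like `## Get the status of systemd units labeled etc_t.` says what the rule is for (presumably units kept under /etc, which this diff does not label separately, so confirm).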
@@ -4394,6 +4486,24 @@ interface(`files_rw_generic_tmp_sockets',` rw_sock_files_pattern($1, tmp_t, tmp_t) ') +######################################## +## +## Mount filesystems in the tmp directory (/tmp) +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_tmp',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:dir mounton; +') + ######################################## ## ## Set the attributes of all tmp directories. @@ -5674,6 +5784,25 @@ interface(`files_list_locks',` list_dirs_pattern($1, var_t, var_lock_t) ') +######################################## +## +## Add entries in the /var/lock directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_add_entry_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + add_entry_dirs_pattern($1, var_t, var_lock_t) +') + ######################################## ## ## Add and remove entries in the /var/lock @@ -5867,6 +5996,29 @@ interface(`files_manage_all_locks',` manage_lnk_files_pattern($1, lockfile, lockfile) ') +######################################## +## +## Relabel from/to all lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + allow $1 { var_t var_lock_t }:dir search_dir_perms; + relabel_dirs_pattern($1, lockfile, lockfile) + relabel_files_pattern($1, lockfile, lockfile) + relabel_lnk_files_pattern($1, lockfile, lockfile) +') + ######################################## ## ## Create an object in the locks directory, with a private 
@@ -6296,6 +6448,44 @@ interface(`files_manage_all_pids',` manage_lnk_files_pattern($1, pidfile, pidfile) ') +######################################## +## +## Relabel to/from all var_run (pid) directories +## +## +## +## Domain alloed access. +## +## +# +interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; + ') + + relabel_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## +## Relabel to/from all var_run (pid) files and directories +## +## +## +## Domain alloed access. +## +## +# +interface(`files_relabel_all_pids',` + gen_require(` + attribute pidfile; + ') + + relabel_dirs_pattern($1, pidfile, pidfile) + relabel_files_pattern($1, pidfile, pidfile) + relabel_lnk_files_pattern($1, pidfile, pidfile) +') + ######################################## ## ## Mount filesystems on all polyinstantiation diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 74d7b7321..99ad71f92 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -765,6 +765,24 @@ interface(`fs_manage_cgroup_dirs',` dev_search_sysfs($1) ') +######################################## +## +## Relabel cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_cgroup_dirs',` + gen_require(` + type cgroup_t; + ') + + relabel_dirs_pattern($1, cgroup_t, cgroup_t) +') + ######################################## ## ## Read cgroup files. @@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) + read_lnk_files_pattern($1, cgroup_t, cgroup_t) dev_search_sysfs($1) ') 
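Review bot: Both `files_relabel_all_pid_dirs` and `files_relabel_all_pids` misspell the parameter summary as `## Domain alloed access.`; it should read `## Domain allowed access.` as elsewhere in files.if. `files_relabel_all_pids` also repeats the single `relabel_dirs_pattern($1, pidfile, pidfile)` rule that `files_relabel_all_pid_dirs` consists of; calling `files_relabel_all_pid_dirs($1)` there keeps the two in step if the directory rule ever changes.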
@@ -3339,6 +3358,25 @@ interface(`fs_rw_nfsd_fs',` rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') +######################################## +## +## Getattr on pstore dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_pstore_dirs',` + gen_require(` + type pstore_t; + ') + + getattr_files_pattern($1, pstore_t, pstore_t) + dev_search_sysfs($1) +') + ######################################## ## ## Allow the type to associate to ramfs filesystems. @@ -4093,6 +4131,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` dontaudit $1 tmpfs_t:dir write; ') +######################################## +## +## Relabel directory on tmpfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) +') + ######################################## ## ## Create an object in a tmpfs filesystem, with a private @@ -4221,6 +4276,24 @@ interface(`fs_rw_tmpfs_files',` rw_files_pattern($1, tmpfs_t, tmpfs_t) ') +######################################## +## +## Relabel files on tmpfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + relabel_files_pattern($1, tmpfs_t, tmpfs_t) +') + ######################################## ## ## Read tmpfs link files. diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 4c33c31c6..f1130d1a5 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
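Review bot: `fs_getattr_pstore_dirs` is named and documented as a directory getattr interface, but its body uses `getattr_files_pattern($1, pstore_t, pstore_t)`, which grants getattr on files (plus dir search) rather than on the directories; it should be `getattr_dirs_pattern($1, pstore_t, pstore_t)`. If callers actually need file getattr, rename the interface and its summary instead so the name does not misstate the grant. In the fs_relabel_tmpfs_dirs hunk further down, the blank line between the gen_require block and the rule is missing, unlike its sibling fs_relabel_tmpfs_files.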
@@ -6,6 +6,27 @@ ## This module has initial SIDs. ## +######################################## +## +## Allows the kernel to start userland processes +## by dynamic transitions to the specified domain. +## +## +## +## The process type entered by the kernel. +## +## +# +interface(`kernel_dyntrans_to',` + gen_require(` + type kernel_t; + ') + + domain_dyntrans_type(kernel_t) + allow kernel_t self:process setcurrent; + allow kernel_t $1:process dyntransition; +') + ######################################## ## ## Allows to start userland processes @@ -252,6 +273,25 @@ interface(`kernel_rw_pipes',` allow $1 kernel_t:fifo_file { read write }; ') +######################################## +## +## Read/write to kernel using a unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_rw_stream_sockets',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket rw_socket_perms; +') + ######################################## ## ## Connect to kernel using a unix @@ -273,7 +313,25 @@ interface(`kernel_stream_connect',` ######################################## ## -## Read and write kernel unix datagram sockets. +## Getattr on kernel unix datagram sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_getattr_dgram_sockets',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_dgram_socket getattr; +') + +######################################## +## +## Read and write kernel unix datagram sockets. (Deprecated) ## ## ## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index ccd3f7b0a..1e3361c2f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
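Review bot: The summary of `kernel_dyntrans_to` describes only the transition to the target domain, but the body also makes kernel_t a dynamic-transition type and grants `allow kernel_t self:process setcurrent;`, both of which remain in effect for kernel_t whichever domain is passed; the documentation should say so, e.g. `## Also marks kernel_t as a dyntrans type and allows it setcurrent on itself.` The `(Deprecated)` tag added to the kernel_rw_dgram_sockets summary is shown without the interface body, which lies outside the hunk; if the interface is now deprecated its body should emit `refpolicywarn(`$0($*) has been deprecated.')` as init_udp_send does in this diff, otherwise the tag is only advisory.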
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(kernel_t) ') +ifdef(`init_systemd',` + optional_policy(` + dev_manage_input_dev(kernel_t) + dev_filetrans_input_dev(kernel_t) + ') + + optional_policy(` + selinux_compute_create_context(kernel_t) + ') + + optional_policy(` + storage_dev_filetrans_fixed_disk(kernel_t) + storage_setattr_fixed_disk_dev(kernel_t) + storage_create_fixed_disk_dev(kernel_t) + ') +') + optional_policy(` # loop devices fstools_use_fds(kernel_t) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index cbb729b66..2e6a37607 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -517,6 +517,25 @@ interface(`term_dontaudit_manage_pty_dirs',` dontaudit $1 devpts_t:dir manage_dir_perms; ') +######################################## +## +## Relabel from and to pty directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_relabel_pty_dirs',` + gen_require(` + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir relabel_dir_perms; +') + ######################################## ## ## Do not audit attempts to get the attributes diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 4b24ac3ee..54e30d841 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -34,6 +34,15 @@ ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) +init_get_system_status(sysadm_t) +init_disable(sysadm_t) +init_enable(sysadm_t) +init_reload(sysadm_t) +init_reboot_system(sysadm_t) +init_shutdown_system(sysadm_t) +init_start_generic_units(sysadm_t) +init_stop_generic_units(sysadm_t) +init_reload_generic_units(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 60395e73b..fcf0df776 100644 --- a/policy/modules/services/postgresql.if 
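Review bot: The nine new init_* calls in sysadm.te are unconditional, while the comparable systemd rules in ssh.te and kernel.te in this diff are placed under an init_systemd ifdef; on non-systemd builds they grant sysadm_t the overloaded `system` class permissions and `systemd_unit_t:service` access that no object manager enforces, and the generic-unit interfaces depend on systemd_unit_t being declared (its declaration is not in this diff). Wrap the block in the same init_systemd ifdef that ssh.te uses, or add a comment stating why it is intentionally unconditional.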
+++ b/policy/modules/services/postgresql.if @@ -569,7 +569,7 @@ interface(`postgresql_admin',` type postgresql_t, postgresql_var_run_t; type postgresql_tmp_t, postgresql_db_t; type postgresql_etc_t, postgresql_log_t; - type postgresql_initrc_exec_t; + type postgresql_initrc_exec_t, postgresql_unit_t; ') typeattribute $1 sepgsql_admin_type; @@ -577,7 +577,7 @@ interface(`postgresql_admin',` allow $1 postgresql_t:process { ptrace signal_perms }; ps_process_pattern($1, postgresql_t) - init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t) + init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t) admin_pattern($1, postgresql_var_run_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index b4ba0f1d8..6844c354d 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t) type postgresql_tmp_t; files_tmp_file(postgresql_tmp_t) +type postgresql_unit_t; +init_unit_file(postgresql_unit_t) + type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql") diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 32216176a..1ccd13018 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -266,6 +266,11 @@ ifdef(`distro_debian',` allow sshd_t self:process { getcap setcap }; ') +ifdef(`init_systemd',` + systemd_dbus_chat_logind(sshd_t) + init_rw_stream_sockets(sshd_t) +') + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index f05d7bf79..faf74af4d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
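Review bot: `systemd_dbus_chat_logind(sshd_t)` is called directly inside the init_systemd block, whereas the other cross-module calls in this diff (kernel.te, domain.te) are wrapped in optional_policy; if systemd_dbus_chat_logind is provided by a separate systemd module (it is not defined in this diff), an ssh module built without that module fails to link. Wrap the call as `optional_policy(` / `systemd_dbus_chat_logind(sshd_t)` / `')` and keep `init_rw_stream_sockets(sshd_t)` outside the optional block since init is a base module.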
@@ -766,6 +766,25 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') +######################################## +## +## Manage the login failure logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_manage_faillog',` + gen_require(` + type faillog_t; + ') + + allow $1 faillog_t:file manage_file_perms; + logging_rw_generic_log_dirs($1) +') + ####################################### ## ## Read the last logins log. diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index d5b55f082..573d062eb 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -45,6 +45,10 @@ ifdef(`distro_gentoo', ` /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) +/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) +/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 94d97619e..b68dfc1ce 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -42,6 +42,26 @@ interface(`init_script_file',` domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) ') +######################################## +## +## Make the specified type usable for +## systemd unit files. +## +## +## +## Type to be used for systemd unit files. +## +## +# +interface(`init_unit_file',` + gen_require(` + attribute systemdunit; + ') + + files_type($1) + typeattribute $1 systemdunit; +') + ######################################## ## ## Create a domain used for init scripts. @@ -108,6 +128,10 @@ interface(`init_domain',` role system_r types $1; domtrans_pattern(init_t, $2, $1) + + ifdef(`init_systemd',` + allow $1 init_t:unix_stream_socket { getattr read write ioctl }; + ') ') ######################################## @@ -212,6 +236,12 @@ interface(`init_daemon_domain',` userdom_dontaudit_use_user_terminals($1) ') + ifdef(`init_systemd',` + init_domain($1, $2) + # this may be because of late labelling + kernel_dgram_send($1) + ') + optional_policy(` nscd_use($1) ') 
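Review bot: The comment `# this may be because of late labelling` next to `kernel_dgram_send($1)` in init_daemon_domain does not say what the rule is for or what is uncertain about it; a maintainer cannot tell whether it can be removed. Suggest stating the observation, e.g. `# sockets systemd creates before the policy is loaded appear to keep kernel_t (late labelling); daemons must still send to them -- confirm which socket triggers this`, hedged as long as the cause is unverified. The `allow $1 init_t:unix_stream_socket { getattr read write ioctl }` added to init_domain is a subset of what the new init_rw_stream_sockets interface grants with `rw_stream_socket_perms`; if the narrower set is deliberate, a short comment saying so prevents someone "fixing" it to the named set later.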
@@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',` type initrc_t; ') - init_daemon_domain($1, $2) + ifdef(`init_systemd',` + init_ranged_domain($1, $2, $3) + ',` + init_daemon_domain($1, $2) - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) + ') ') +') - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) +######################################### +## +## Abstract socket service activation (systemd). +## +## +## +## The domain to be started by systemd socket activation. +## +## +# +interface(`init_abstract_socket_activation',` + ifdef(`init_systemd',` + gen_require(` + type init_t; + ') + + allow init_t $1:unix_stream_socket create_stream_socket_perms; + ') +') + +######################################### +## +## Named socket service activation (systemd). +## +## +## +## The domain to be started by systemd socket activation. +## +## +## +## +## The domain socket file type. +## +## +# +interface(`init_named_socket_activation',` + ifdef(`init_systemd',` + gen_require(` + type init_t; + ') + + allow init_t $1:unix_dgram_socket create_socket_perms; + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $2:dir manage_dir_perms; + allow init_t $2:fifo_file manage_fifo_file_perms; + allow init_t $2:sock_file manage_sock_file_perms; ') ') @@ -324,6 +407,10 @@ interface(`init_system_domain',` role system_r types $1; domtrans_pattern(initrc_t, $2, $1) + + ifdef(`init_systemd',` + init_domain($1, $2) + ') ') ######################################## 
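Review bot: Under init_systemd, `init_ranged_daemon_domain` now calls only `init_ranged_domain($1, $2, $3)` and never init_daemon_domain, so a ranged daemon loses everything init_daemon_domain adds (the initrc_t domtrans plus the userdom/nscd optional rules visible in the earlier hunk) and no longer gets the initrc_t range_transition; if any such daemon is still launched through an init script under systemd's sysv compatibility, it would run unranged in the wrong domain. The same structure is used for init_ranged_system_domain in the next hunk. If this is intended because systemd launches these daemons directly, add a comment saying so; otherwise keep the init_daemon_domain call and add init_ranged_domain under the ifdef. init_ranged_domain itself is not in this diff, so its contents are assumed.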
@@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',` type initrc_t; ') - init_system_domain($1, $2) + ifdef(`init_systemd',` + init_ranged_domain($1, $2, $3) + ',` + init_system_domain($1, $2) - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; - ') + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + ') - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) + ') ') ') @@ -579,10 +670,11 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` - type init_t; + type init_t, init_var_run_t; ') - allow $1 init_t:unix_stream_socket connectto; + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) + files_search_pids($1) ') ######################################## @@ -662,6 +754,45 @@ interface(`init_dontaudit_use_fds',` dontaudit $1 init_t:fd use; ') +######################################## +## +## Send messages to init unix datagram sockets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`init_dgram_send',` + gen_require(` + type init_t, init_var_run_t; + ') + + dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) + files_search_pids($1) +') + +######################################## +## +## Allow the specified domain to read/write to +## init with unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') + ######################################## ## ## Send UDP network traffic to init. (Deprecated) 
@@ -676,6 +807,276 @@ interface(`init_udp_send',` refpolicywarn(`$0($*) has been deprecated.') ') +######################################## +## +## Get all service status (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_get_system_status',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system status; +') + +######################################## +## +## Enable all systemd services (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_enable',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system enable; +') + +######################################## +## +## Disable all services (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_disable',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system disable; +') + +######################################## +## +## Reload all services (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reload',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system reload; +') + +######################################## +## +## Reboot the system (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reboot_system',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system reboot; +') + +######################################## +## +## Shutdown (halt) the system (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_shutdown_system',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system halt; +') + +######################################## +## +## Allow specified domain to get init status +## +## +## +## Domain to allow access. +## +## +# +interface(`init_service_status',` + gen_require(` + type init_t; + class service status; + ') + + allow $1 init_t:service status; +') + +######################################## +## +## Allow specified domain to get init start +## +## +## +## Domain to allow access. 
+## +## +# +interface(`init_service_start',` + gen_require(` + type init_t; + class service start; + ') + + allow $1 init_t:service start; +') + +######################################## +## +## Send and receive messages from +## systemd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dbus_chat',` + gen_require(` + type initrc_t; + class dbus send_msg; + ') + + allow $1 init_t:dbus send_msg; + allow init_t $1:dbus send_msg; +') + +######################################## +## +## Manage files in /var/lib/systemd/. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_manage_var_lib_files',` + gen_require(` + type init_var_lib_t; + ') + + manage_files_pattern($1, init_var_lib_t, init_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Create files in /var/lib/systemd +## with an automatic type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_var_lib_filetrans',` + gen_require(` + type init_var_lib_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, init_var_lib_t, $2, $3, $4) +') + +######################################## +## +## Create files in an init PID directory. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_pid_filetrans',` + gen_require(` + type init_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + ######################################## ## ## Get the attributes of initctl. 
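Review bot: `init_dbus_chat` requires `type initrc_t;` but both of its rules reference `init_t`, so the require does not cover the type the rules use; change the gen_require to `type init_t;`. `init_manage_var_lib_files` documents `$2`, `$3` and `$4` parameters (object type, class, name) that its body never uses; that block looks copied from init_var_lib_filetrans and should be trimmed to the domain parameter. The summary of init_service_start, `## Allow specified domain to get init start`, is garbled and should state the grant, e.g. `## Allow the specified domain to start init (systemd) as a service.`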
@@ -986,6 +1387,11 @@ interface(`init_all_labeled_script_domtrans',` ## Labeled init script file. ## ## +## +## +## Systemd unit file type. +## +## # interface(`init_startstop_service',` gen_require(` @@ -1003,6 +1409,18 @@ interface(`init_startstop_service',` role_transition $2 $4 system_r; allow $2 system_r; ') + + ifdef(`init_systemd',` + # This ifelse condition is temporary, until + # all callers are updated to provide unit files. + ifelse(`$5',`',`',` + gen_require(` + class service { start stop }; + ') + + allow $1 $5:service { start stop }; + ') + ') ') ') 
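Review bot: Under `init_systemd`, a caller of `init_startstop_service` that still omits `$5` silently receives no `service` permissions at all, so `$1` can no longer start or stop the service it is supposed to administer and nothing tells the policy author why. Since the comment already marks the `ifelse` as temporary, the empty branch is the natural place to surface the omission at build time: `ifelse(`$5',`',`refpolicywarn(`$0($*): no unit file type given, systemd service permissions not granted.')`,`` instead of `ifelse(`$5',`',`',``. The rest of `init_startstop_service` lies outside the hunk.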
@@ -1909,3 +2327,180 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') + +###################################### +## +## Search systemd unit dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_search_units',` + gen_require(` + type init_var_run_t, systemd_unit_t; + ') + + search_dirs_pattern($1, init_var_run_t, systemd_unit_t) + + # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd + files_search_etc($1) + files_search_usr($1) + libs_search_lib($1) + + fs_search_tmpfs($1) +') + +######################################## +## +## Get status of generic systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_get_generic_units_status',` + gen_require(` + type systemd_unit_t; + class service status; + ') + + allow $1 systemd_unit_t:service status; +') + +######################################## +## +## Start generic systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_start_generic_units',` + gen_require(` + type systemd_unit_t; + class service start; + ') + + allow $1 systemd_unit_t:service start; +') + +######################################## +## +## Stop generic systemd units. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_stop_generic_units',` + gen_require(` + type systemd_unit_t; + class service stop; + ') + + allow $1 systemd_unit_t:service stop; +') + +####################################### +## +## Reload generic systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reload_generic_units',` + gen_require(` + type systemd_unit_t; + class service reload; + ') + + allow $1 systemd_unit_t:service reload; +') + +######################################## +## +## Get status of all systemd units. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`init_get_all_units_status',` + gen_require(` + attribute systemdunit; + class service status; + ') + + allow $1 systemdunit:service status; +') + +######################################## +## +## Start all systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_start_all_units',` + gen_require(` + attribute systemdunit; + class service start; + ') + + allow $1 systemdunit:service start; +') + +######################################## +## +## Stop all systemd units. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_stop_all_units',` + gen_require(` + attribute systemdunit; + class service stop; + ') + + allow $1 systemdunit:service stop; +') + +####################################### +## +## Reload all systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reload_all_units',` + gen_require(` + attribute systemdunit; + class service reload; + ') + + allow $1 systemdunit:service reload; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 94370a350..3435daf50 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -19,6 +19,7 @@ gen_tunable(init_upstart, false) attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; +attribute systemdunit; # Mark process types as daemons attribute daemon; @@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain; type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) +init_named_socket_activation(initrc_t, init_var_run_t) role system_r types initrc_t; # should be part of the true block # of the below init_upstart tunable @@ -74,6 +76,9 @@ type initrc_devpts_t; term_pty(initrc_devpts_t) files_type(initrc_devpts_t) +type initrc_lock_t; +files_lock_file(initrc_lock_t) + type initrc_state_t; files_type(initrc_state_t) 
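Review bot: The parameter description in `init_stop_generic_units` and `init_stop_all_units` reads `Domain to not audit.`, but both interfaces grant `stop` through an `allow` rule rather than a `dontaudit`; the text should be `Domain allowed access.` as in the sibling start/status/reload interfaces. The same copy-paste appears in `systemd_start_power_units` in systemd.if later in this commit. In `init_search_units` the comment lists three unit directories while the body also calls `fs_search_tmpfs($1)`; a short comment next to that call (`# presumably for /run/systemd — confirm`) would explain the extra search grant.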
@@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 
+type systemd_unit_t;
+init_unit_file(systemd_unit_t)
+
 ifdef(`distro_gentoo',`
 type rc_exec_t;
 domain_entry_file(initrc_t, rc_exec_t)
@@ -182,6 +190,117 @@ seutil_read_config(init_t) miscfiles_read_localization(init_t) +ifdef(`init_systemd',` + # handle instances where an old labeled init script is encountered. + typeattribute init_t init_run_all_scripts_domain; + + allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit }; + allow init_t self:capability2 block_suspend; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + allow init_t self:netlink_route_socket create_netlink_socket_perms; + allow init_t self:netlink_selinux_socket create_socket_perms; + + manage_files_pattern(init_t, init_var_run_t, init_var_run_t) + manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) + manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) + manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) + + manage_files_pattern(init_t, systemd_unit_t, systemdunit) + + manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t) + manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t) + allow init_t systemd_unit_t:dir relabel_dir_perms; + + kernel_dyntrans_to(init_t) + kernel_read_network_state(init_t) + kernel_read_kernel_sysctls(init_t) + kernel_read_vm_sysctls(init_t) + kernel_dgram_send(init_t) + kernel_stream_connect(init_t) + kernel_getattr_proc(init_t) + kernel_read_fs_sysctls(init_t) + + dev_rw_autofs(init_t) + dev_create_generic_dirs(init_t) + dev_manage_input_dev(init_t) + dev_relabel_all_dev_nodes(init_t) + dev_relabel_all_sysfs(init_t) + dev_read_urand(init_t) + dev_write_kmsg(init_t) + + domain_read_all_domains_state(init_t) + + files_read_all_pids(init_t) + files_list_usr(init_t) + files_list_var(init_t) + files_list_var_lib(init_t) + files_relabel_all_lock_dirs(init_t) + files_mounton_root(init_t) + files_search_pids(init_t) + files_relabel_all_pids(init_t) + files_read_all_locks(init_t) + files_search_kernel_modules(init_t) + # for privatetmp functions + files_manage_generic_tmp_dirs(init_t) + 
files_mounton_tmp(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_relabel_cgroup_dirs(init_t) + fs_rw_cgroup_files(init_t) + fs_list_auto_mountpoints(init_t) + fs_mount_autofs(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_getattr_tmpfs(init_t) + fs_read_tmpfs_files(init_t) + fs_read_cgroup_files(init_t) + fs_dontaudit_getattr_xattr_fs(init_t) + # for privatetmp functions + fs_relabel_tmpfs_dirs(init_t) + fs_relabel_tmpfs_files(init_t) + # mount-setup + fs_unmount_autofs(init_t) + fs_getattr_pstore_dirs(init_t) + + # systemd_socket_activated policy + mls_socket_write_all_levels(init_t) + + selinux_compute_create_context(init_t) + selinux_compute_access_vector(init_t) + + term_relabel_pty_dirs(init_t) + + clock_read_adjtime(init_t) + + logging_manage_pid_sockets(init_t) + logging_send_audit_msgs(init_t) + logging_relabelto_devlog_sock_files(init_t) + + seutil_read_file_contexts(init_t) + + systemd_relabelto_kmod_files(init_t) + systemd_dbus_chat_logind(init_t) + + # udevd is a "systemd kobject uevent socket activated daemon" + udev_create_kobject_uevent_sockets(init_t) + + optional_policy(` + dbus_system_bus_client(init_t) + dbus_connect_system_bus(init_t) + ') + + optional_policy(` + modutils_domtrans_insmod(init_t) + ') +',` + tunable_policy(`init_upstart',` + corecmd_shell_domtrans(init_t, initrc_t) + ',` + # Run the shell in the sysadm role for single-user mode. + # causes problems with upstart + sysadm_shell_domtrans(init_t) + ') +') + ifdef(`distro_debian',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") @@ -201,14 +320,6 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') -tunable_policy(`init_upstart',` - corecmd_shell_domtrans(init_t, initrc_t) -',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - sysadm_shell_domtrans(init_t) -') - optional_policy(` auth_rw_login_records(init_t) ') 
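Review bot: Several wide grants in the `init_systemd` block for `init_t` carry no rationale — `kernel_dyntrans_to`, `dev_relabel_all_dev_nodes`, `dev_relabel_all_sysfs`, `files_relabel_all_pids`, `files_relabel_all_lock_dirs`, `domain_read_all_domains_state` and `selinux_compute_create_context` — whereas neighbouring lines such as `# for privatetmp functions` and `# mount-setup` do say what they are for. Each of these widens what PID 1 may relabel or read across every domain, so a one-line why-comment per group naming the systemd component that needs it (for example `# early-boot relabel of /dev, /run and /sys after policy load — TODO confirm`) would let a later reviewer judge whether a grant can be narrowed. `manage_files_pattern(init_t, systemd_unit_t, systemdunit)` also deserves a comment that, through the `systemdunit` attribute, it covers every per-service unit file type and not only `systemd_unit_t`. The block is closed inside the hunk, but the `ifdef(`distro_debian',`` context that follows it continues past the hunk.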
@@ -609,6 +720,60 @@ ifdef(`distro_suse',` ') ') +ifdef(`init_systemd',` + manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) + files_lock_filetrans(initrc_t, initrc_lock_t, file) + + manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) + + manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) + manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) + manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) + files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set) + + create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) + + manage_files_pattern(initrc_t, systemdunit, systemdunit) + manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) + + kernel_dgram_send(initrc_t) + + # run systemd misc initializations + # in the initrc_t domain, as would be + # done in traditional sysvinit/upstart. + corecmd_bin_entry_type(initrc_t) + corecmd_shell_entry_type(initrc_t) + corecmd_bin_domtrans(init_t, initrc_t) + corecmd_shell_domtrans(init_t, initrc_t) + + files_read_boot_files(initrc_t) + # Allow initrc_t to check /etc/fstab "service." It appears that + # systemd is conflating files and services. + files_get_etc_unit_status(initrc_t) + files_setattr_pid_dirs(initrc_t) + + selinux_set_enforce_mode(initrc_t) + + init_stream_connect(initrc_t) + init_manage_var_lib_files(initrc_t) + init_rw_stream_sockets(initrc_t) + init_get_all_units_status(initrc_t) + init_stop_all_units(initrc_t) + + # Create /etc/audit.rules.prev after firstboot remediation + logging_manage_audit_config(initrc_t) + + # lvm2-activation-generator checks file labels + seutil_read_file_contexts(initrc_t) + + systemd_start_power_units(initrc_t) + + optional_policy(` + # create /var/lock/lvm/ + lvm_create_lock_dirs(initrc_t) + ') +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 3d64054b1..eec93e653 100644 
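Review bot: `selinux_set_enforce_mode(initrc_t)` lets anything running in the generic init-script domain switch the system between permissive and enforcing, which makes it the most sensitive grant in this block, yet it is one of the few lines here with no explanation of which unit or generator needs it. A why-comment is the minimum (`# <which systemd helper needs setenforce> — TODO confirm` above the call); if a single helper needs it, giving that helper its own domain would keep the privilege out of `initrc_t`. `manage_files_pattern(initrc_t, systemdunit, systemdunit)` likewise lets init scripts rewrite every unit file type, i.e. alter what any service executes, while the neighbouring `create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)` only creates directories; a comment stating why write access to all units is required would help the next reviewer.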
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
 type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
 type ipsec_var_run_t, ipsec_mgmt_lock_t;
 type ipsec_mgmt_var_run_t, racoon_tmp_t;
+ type ipsec_unit_t;
 ')
 
 allow $1 ipsec_t:process { ptrace signal_perms };
 ps_process_pattern($1, ipsec_t)
 
- init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
 
 ipsec_exec_mgmt($1)
 ipsec_stream_connect($1)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b4e98a827..c1f3d0110 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
 type ipsec_tmp_t;
 files_tmp_file(ipsec_tmp_t)
 
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e1e..b3eda3e59 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,11 @@
 /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+
 /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 26ce647f1..5d2b4065a 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -185,13 +185,13 @@ interface(`iptables_manage_config',` interface(`iptables_admin',` gen_require(` type iptables_t, iptables_initrc_exec_t, iptables_conf_t; - type iptables_tmp_t, iptables_var_run_t; + type iptables_tmp_t, iptables_var_run_t, iptables_unit_t; ') allow $1 iptables_t:process { ptrace signal_perms }; ps_process_pattern($1, iptables_t) - init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t) + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t) files_list_etc($1) admin_pattern($1, iptables_conf_t) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 884063390..aa999fb07 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -22,6 +22,9 @@ files_config_file(iptables_conf_t) type iptables_tmp_t; files_tmp_file(iptables_tmp_t) +type iptables_unit_t; +init_unit_file(iptables_unit_t) + type iptables_var_run_t; files_pid_file(iptables_var_run_t) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if index 0e3c2a977..4305a862f 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if @@ -22,6 +22,27 @@ interface(`locallogin_domtrans',` ') ') +######################################## +## +## Allow calling domain to read locallogin state. +## +## +## +## Domain allowed permission. +## +## +# +interface(`locallogin_read_state',` + gen_require(` + type local_login_t; + ') + + kernel_search_proc($1) + allow $1 local_login_t:file read_file_perms; + allow $1 local_login_t:lnk_file read_lnk_file_perms; + allow $1 local_login_t:dir list_dir_perms; +') + ######################################## ## ## Allow processes to inherit local login file descriptors. 
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 03c26f08d..d97e02d89 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t) userdom_sigchld_all_users(local_login_t) userdom_create_all_users_keys(local_login_t) +ifdef(`init_systemd',` + auth_manage_faillog(local_login_t) + + systemd_dbus_chat_logind(local_login_t) + systemd_use_logind_fds(local_login_t) + systemd_manage_logind_pid_pipes(local_login_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(local_login_t) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 1cbc7d701..a061af2fa 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,8 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) +/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) @@ -72,6 +74,7 @@ ifdef(`distro_redhat',` /var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 7fd0c41c2..b227032b7 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -551,6 +551,25 @@ interface(`logging_send_syslog_msg',` term_dontaudit_read_console($1) ') +######################################## +## +## Allow domain to relabelto devlog sock_files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_relabelto_devlog_sock_files',` + gen_require(` + type devlog_t; + ') + + allow $1 devlog_t:sock_file relabelto_sock_file_perms; +') + ######################################## ## ## Read the auditd configuration files. @@ -610,6 +629,25 @@ interface(`logging_read_syslog_config',` allow $1 syslog_conf_t:file read_file_perms; ') +######################################## +## +## Create, read, write, and delete syslog PID sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_manage_pid_sockets',` + gen_require(` + type syslogd_var_run_t; + ') + + manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + files_search_pids($1) +') + ######################################## ## ## Allows the domain to open a file in the @@ -986,7 +1024,7 @@ interface(`logging_admin_audit',` gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; - type auditd_initrc_exec_t; + type auditd_initrc_exec_t, auditd_unit_t; ') allow $1 auditd_t:process { ptrace signal_perms }; @@ -1003,7 +1041,7 @@ interface(`logging_admin_audit',` logging_run_auditctl($1, $2) - init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t) + init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t) ') ######################################## 
@@ -1029,7 +1067,7 @@ interface(`logging_admin_syslog',` type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; - type syslogd_initrc_exec_t; + type syslogd_initrc_exec_t, syslogd_unit_t; ') allow $1 syslogd_t:process { ptrace signal_perms }; @@ -1058,7 +1096,7 @@ interface(`logging_admin_syslog',` logging_manage_all_logs($1) - init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t) + init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t) ') ######################################## diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index df72e3f0d..40180d269 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t) type auditd_initrc_exec_t; init_script_file(auditd_initrc_exec_t) +type auditd_unit_t; +init_unit_file(auditd_unit_t); + type auditd_var_run_t; files_pid_file(auditd_var_run_t) @@ -64,6 +67,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) +init_named_socket_activation(syslogd_t, syslogd_var_run_t) type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) @@ -71,6 +75,9 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) +type syslogd_unit_t; +init_unit_file(syslogd_unit_t) + type syslogd_var_lib_t; files_type(syslogd_var_lib_t) @@ -120,6 +127,10 @@ locallogin_dontaudit_use_fds(auditctl_t) logging_set_audit_parameters(auditctl_t) logging_send_syslog_msg(auditctl_t) +ifdef(`init_systemd',` + init_rw_stream_sockets(auditctl_t) +') + ######################################## # # Auditd local policy @@ -248,6 +259,10 @@ miscfiles_read_localization(audisp_t) sysnet_dns_name_resolve(audisp_t) +ifdef(`init_systemd',` + kernel_dgram_send(audisp_t) +') + optional_policy(` dbus_system_bus_client(audisp_t) ') 
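Review bot: `init_unit_file(auditd_unit_t);` in the logging.te hunk at `@@ -30,6 +30,9 @@` carries a trailing `;` that none of the other `init_unit_file(...)` calls in this commit have (compare `init_unit_file(syslogd_unit_t)` two hunks later). An interface call is an m4 macro, so the semicolon is emitted into the generated policy right after the expansion and, depending on what the expansion ends with, may be rejected by checkpolicy as a stray statement terminator. Drop it: `init_unit_file(auditd_unit_t)`.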
@@ -480,6 +495,20 @@ miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_user_home_dirs(syslogd_t) +ifdef(`init_systemd',` + allow syslogd_t self:capability { chown setuid setgid }; + + kernel_use_fds(syslogd_t) + kernel_getattr_dgram_sockets(syslogd_t) + kernel_rw_unix_dgram_sockets(syslogd_t) + kernel_rw_stream_sockets(syslogd_t) + + init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd") + init_dgram_send(syslogd_t) + + udev_read_pid_files(syslogd_t) +') + ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel # and high priority messages to /dev/tty12 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 6b917403e..38bf76bd6 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -89,6 +89,12 @@ ifdef(`distro_gentoo',` # # /usr # + +/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) +/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) +/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) +/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0) + /usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) /usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 86b223c00..5774034f0 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if 
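Review bot: `allow syslogd_t self:capability { chown setuid setgid };` grants identity-changing capabilities to the syslog domain with no comment, even though the rest of the block (`init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")`, `udev_read_pid_files`) and logging.fc's labelling of `systemd-journald` as `syslogd_exec_t` make it clear the grants are aimed at journald rather than classic syslogd. A comment naming the journald behaviour behind each capability (`# journald: chown of journal files / privilege drop — TODO confirm`) would stop a later cleanup from assuming a traditional syslogd needs them too, and would make it easier to argue for moving them behind a journald-specific condition if one is introduced.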
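Review bot: In the lvm.fc hunk, `/usr/lib/systemd/system/lvm2-lvmetad.*` is fully covered by the line directly above it, `/usr/lib/systemd/system/lvm2-.*`, and both assign `lvm_unit_t`, so the lvmetad entry is redundant and can be dropped.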
@@ -105,6 +105,26 @@ interface(`lvm_manage_config',` manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') +######################################## +## +## Create lvm_lock_t directories +## +## +## +## Domain allowed access. +## +## +## +# +interface(`lvm_create_lock_dirs',` + gen_require(` + type lvm_lock_t; + ') + + create_dirs_pattern($1, lvm_lock_t, lvm_lock_t) + files_add_entry_lock_dirs($1) +') + ###################################### ## ## Execute a domain transition to run clvmd. @@ -142,7 +162,7 @@ interface(`lvm_domtrans_clvmd',` # interface(`lvm_admin',` gen_require(` - type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t; + type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t; type lvm_etc_t, lvm_lock_t, lvm_metadata_t; type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t; ') @@ -150,7 +170,7 @@ interface(`lvm_admin',` allow $1 clvmd_t:process { ptrace signal_perms }; ps_process_pattern($1, clvmd_t) - init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t) + init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t) files_search_etc($1) admin_pattern($1, lvm_etc_t) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 6cde5a939..60d00fe2c 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -18,6 +18,7 @@ files_pid_file(clvmd_var_run_t) type lvm_t; type lvm_exec_t; init_system_domain(lvm_t, lvm_exec_t) +init_named_socket_activation(lvm_t, lvm_var_run_t) # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin domain_obj_id_change_exemption(lvm_t) @@ -32,6 +33,9 @@ files_lock_file(lvm_lock_t) type lvm_metadata_t; files_type(lvm_metadata_t) +type lvm_unit_t; +init_unit_file(lvm_unit_t) + type lvm_var_lib_t; files_type(lvm_var_lib_t) 
@@ -304,6 +308,12 @@ seutil_sigchld_newrole(lvm_t)
 
 userdom_use_user_terminals(lvm_t)
 
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(lvm_t)
+
+ fs_manage_hugetlbfs_dirs(lvm_t)
+')
+
 ifdef(`distro_redhat',`
 # this is from the initrd:
 kernel_rw_unlabeled_dirs(lvm_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59ecb2bfd..1271ed781 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -179,6 +179,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 kernel_domtrans_to(insmod_t, insmod_exec_t)
 
+ifdef(`init_systemd',`
+ kernel_search_key(insmod_t)
+
+ init_rw_stream_sockets(insmod_t)
+
+ systemd_write_kmod_files(insmod_t)
+')
+
 optional_policy(`
 alsa_domtrans(insmod_t)
 ')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b477b25ec..04c7614c8 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -67,7 +67,7 @@ role newrole_roles types newrole_t;
 # the security server policy configuration.
 #
 type policy_config_t;
-files_type(policy_config_t)
+files_security_file(policy_config_t)
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 2a8ecaadc..9478dd9b4 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
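Review bot: Switching `policy_config_t` from `files_type` to `files_security_file` in selinuxutil.te is a hardening change unrelated to systemd support: it presumably moves the binary policy out of the file set that the `files_*_non_security_*` interfaces cover, so any domain that reached `policy_config_t` only through those interfaces loses that access. That is the right direction for the loaded policy file, but it should be called out in the commit description, or split into its own commit, so the behaviour change is visible to anyone later bisecting an AVC on `policy_config_t`. The `neverallow` on `relabelto` in the surrounding context is unaffected.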
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
 interface(`setrans_admin',`
 gen_require(`
 type setrans_t, setrans_initrc_exec_t;
- type setrans_var_run_t;
+ type setrans_var_run_t, setrans_unit_t;
 ')
 
 allow $1 setrans_t:process { ptrace signal_perms };
 ps_process_pattern($1, setrans_t)
 
- init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
 
 files_search_pids($1)
 admin_pattern($1, setrans_var_run_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2df8b53f2..e4d4500b1 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
 type setrans_initrc_exec_t;
 init_script_file(setrans_initrc_exec_t)
 
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
 type setrans_var_run_t;
 files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 995aa1e39..c82573dd7 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -160,6 +160,14 @@ ifdef(`distro_ubuntu',`
 ')
 ')
 
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(dhcpc_t)
+ init_read_state(dhcpc_t)
+ init_stream_connect(dhcpc_t)
+ init_get_all_units_status(dhcpc_t)
+ init_search_units(dhcpc_t)
+')
+
 optional_policy(`
 consoletype_run(dhcpc_t, dhcpc_roles)
 ')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 000000000..864979d85
--- /dev/null
+++ b/policy/modules/system/systemd.fc
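Review bot: The `init_systemd` block in sysnetwork.te gives `dhcpc_t` `init_get_all_units_status(dhcpc_t)` and `init_search_units(dhcpc_t)`, i.e. status on every unit type plus `init_read_state`, without a comment on which DHCP client hook needs them. `dhcpc_t` processes untrusted data from the network, so a grant spanning all units should either be narrowed to the unit types the hook actually queries (`init_get_generic_units_status(dhcpc_t)` if only systemd's own units are involved) or carry a comment recording the observed denial, since as written there is nothing to check the scope against.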
@@ -0,0 +1,39 @@ +/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) +/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) +/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) +/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0) +/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0) +/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0) +/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) +/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) + +/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0) +/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0) +/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0) +/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0) +/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) +/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) +/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) +/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) + +# Systemd unit files +/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0) +/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0) +/usr/lib/systemd/system/[^/]*power.* -- gen_context(system_u:object_r:power_unit_t,s0) +/usr/lib/systemd/system/[^/]*reboot.* -- 
gen_context(system_u:object_r:power_unit_t,s0) +/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0) +/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0) +/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) + +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) + +/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) +/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) + +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 index 000000000..8bca3a35b --- /dev/null +++ b/policy/modules/system/systemd.if 
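Review bot: The unit patterns `/usr/lib/systemd/system/[^/]*power.*`, `[^/]*sleep.*` and `[^/]*halt.*` match any unit whose file name merely contains those words, not only systemd's own shutdown, suspend and halt units, so an unrelated unit with `power` in its name would be labelled `power_unit_t` and become startable by every caller of `systemd_start_power_units`. Anchoring each pattern to the specific unit names it is meant to cover keeps that type restricted to the shutdown-related units the interface name promises. Separately, `/var/run/tmpfiles\.d/kmod.conf` escapes one dot but not the other; it should be `/var/run/tmpfiles\.d/kmod\.conf` for consistency with the rest of the file.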
@@ -0,0 +1,195 @@
+## Systemd components (not PID 1)
+
+######################################
+##
+## Read systemd_login PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_read_logind_pids',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+##
+## Manage systemd_login PID pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_logind_pid_pipes',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+##
+## Use inherited systemd
+## logind file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_use_logind_fds',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+##
+## Send and receive messages from
+## systemd logind over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_dbus_chat_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_logind_t:dbus send_msg;
+	allow systemd_logind_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Allow process to write to systemd_kmod_conf_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`systemd_write_kmod_files',`
+	gen_require(`
+		type systemd_kmod_conf_t;
+	')
+
+	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
+')
+
+########################################
+##
+## Allow process to relabel to systemd_kmod_conf_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`systemd_relabelto_kmod_files',`
+	gen_require(`
+		type systemd_kmod_conf_t;
+	')
+
+	allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
+')
+
+########################################
+##
+## Read systemd homedir content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_read_home_content',`
+	gen_require(`
+		type systemd_home_t;
+	')
+
+	optional_policy(`
+		gnome_search_gconf_data_dir($1)
+	')
+	read_files_pattern($1, systemd_home_t, systemd_home_t)
+	read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
+
+########################################
+##
+## Get the system status information from systemd_login
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_status_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class service status;
+	')
+
+	allow $1 systemd_logind_t:service status;
+')
+
+########################################
+##
+## Send systemd_login a null signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_signull_logind',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:process signull;
+')
+
+########################################
+##
+## Allow specified domain to start power units
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`systemd_start_power_units',`
+	gen_require(`
+		type power_unit_t;
+		class service start;
+	')
+
+	allow $1 power_unit_t:service start;
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 000000000..597d4aa19
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+
+#
+# Declarations
+#
+
+##
+##
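Review bot: `systemd_write_kmod_files` references `var_run_t` in `write_files_pattern($1, var_run_t, systemd_kmod_conf_t)` but its `gen_require` block declares only `type systemd_kmod_conf_t;`, so a modular build of any caller has no declaration for `var_run_t`; add `type var_run_t;` to the require, or call `files_search_pids($1)` and grant `allow $1 systemd_kmod_conf_t:file write_file_perms;` so the directory type is never named here. `systemd_read_home_content` requires `type systemd_home_t;`, yet the systemd.te hunk in this commit declares no such type, so any caller of that interface will fail to link until the type exists or the interface is dropped. The parameter summary of `systemd_start_power_units` reads `Domain to not audit.` although the body is an `allow` rule; it should read `Domain allowed access.` like the other interfaces in the file.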

+## Enable support for systemd-tmpfiles to manage all non-security files.
+##
+##
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_locale_t)
+	dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_hostnamed_t)
+	dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_logind_t)
+	dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+	# systemd-tmpfiles can be configured to manage anything.
+	# have a last-resort option for users to do this.
+	files_manage_non_security_dirs(systemd_tmpfiles_t)
+	files_manage_non_security_files(systemd_tmpfiles_t)
+	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+	files_relabel_non_security_files(systemd_tmpfiles_t)
+')
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9a1650d37..211a5962a 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
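Review bot: `systemd_sessions_t` is wired up with `init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)`, but nothing in the systemd.fc hunk of this commit labels any path `systemd_sessions_exec_t`, so the transition into that domain cannot occur and the sessions local policy (`files_pid_filetrans` for the nologin files) is unreachable until a file context entry is added. `init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)` names `systemd_logind_var_run_t` several lines before its `type` declaration; the compiler may accept it, but the rest of the declarations section declares before use, so moving that call below `init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")` keeps the section consistent. `systemd_start_power_units(systemd_logind_t)` sits next to `init_start_all_units(systemd_logind_t)`; if `init_unit_file` places `power_unit_t` under the attribute that interface covers, the power-unit call is redundant and a comment should say why both are kept. The tmpfiles domain receives `dev_manage_all_dev_nodes`, `auth_manage_var_auth` and the three `files_relabel_all_*` interfaces unconditionally, with only the broader non-security manage/relabel behind a tunable that defaults to false; a short comment above the unconditional block naming the tmpfiles.d entries that need each of those would help later reviewers keep the baseline tight.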
@@ -92,6 +92,25 @@ interface(`udev_read_state',` allow $1 udev_t:lnk_file read_lnk_file_perms; ') + +######################################## +## +## Allow domain to create uevent sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_create_kobject_uevent_sockets',` + gen_require(` + type udev_t; + ') + + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; +') + ######################################## ## ## Do not audit attempts to inherit a diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index cbc851e3d..966926dd8 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -13,6 +13,7 @@ domain_obj_id_change_exemption(udev_t) domain_entry_file(udev_t, udev_helper_exec_t) domain_interactive_fd(udev_t) init_daemon_domain(udev_t, udev_exec_t) +init_named_socket_activation(udev_t, udev_var_run_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) @@ -218,6 +219,18 @@ ifdef(`distro_redhat',` ') ') +ifdef(`init_systemd',` + kernel_load_module(udev_t) + + files_search_kernel_modules(udev_t) + + fs_read_cgroup_files(udev_t) + + init_dgram_send(udev_t) + + systemd_read_logind_pids(udev_t) +') + optional_policy(` alsa_domtrans(udev_t) alsa_read_lib(udev_t) diff --git a/support/Makefile.devel b/support/Makefile.devel index ae5293296..d1cbef94d 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -58,6 +58,10 @@ ifneq ($(DISTRO),) M4PARAM += -D distro_$(DISTRO) endif +ifeq "$(SYSTEMD)" "y" + M4PARAM += -D init_systemd +endif + ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon endif
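Review bot: The new interface is inserted after the existing blank context line that already follows `udev_read_state`, and the hunk adds a further `+` blank line before its `####` header, leaving two consecutive blank lines between interfaces where the rest of the file uses one; drop the first added blank line. The summary `Allow domain to create uevent sockets.` understates the rule, since `allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;` grants the whole `create_socket_perms` set (read, write, bind and more, not only create) on sockets labeled udev_t; a summary such as `Create, read, write and bind kobject uevent sockets labeled udev_t.` tells callers what they are actually granting.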
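Review bot: `init_named_socket_activation(udev_t, udev_var_run_t)` is added unconditionally, while the other systemd-specific udev rules in this commit are placed under `ifdef(init_systemd)`; if the interface is only meaningful on systemd builds it belongs under the same guard, and if it is intentionally harmless elsewhere a comment such as `# socket activation of udev; no-op without systemd` above it would settle the question for the next reader. `udev_var_run_t` is not declared in the lines shown, so it is presumably declared further down the file; confirm the declare-before-use order the file otherwise follows is kept.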
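Review bot: `systemd_read_logind_pids(udev_t)` is a call into the systemd module placed directly inside the `ifdef(init_systemd)` block rather than in `optional_policy`, so in a modular build the udev module hard-requires `systemd_logind_var_run_t` and will not load without systemd.pp; wrap it as `optional_policy(\`` / `systemd_read_logind_pids(udev_t)` / `')` like the neighbouring `alsa_domtrans(udev_t)` block. `kernel_load_module(udev_t)` widens udev's privilege on systemd builds to loading kernel modules from its own domain; a one-line comment stating why udev needs this under systemd instead of transitioning to the usual module-loading domain would document the intent for later audits.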
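Review bot: The new conditional uses the quoted form `ifeq "$(SYSTEMD)" "y"`, while every other conditional this hunk shows in support/Makefile.devel (`ifneq ($(DISTRO),)`, `ifeq ($(DIRECT_INITRC),y)`) uses the parenthesised form; write `ifeq ($(SYSTEMD),y)` so the file stays in one style (the top-level Makefile's quoted form matches its own surrounding conditionals, so only this file is inconsistent). The indentation of the added `M4PARAM += -D init_systemd` line cannot be judged from the collapsed hunk; it should match the tab the surrounding `M4PARAM +=` lines use.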