Merge branch 'systemd-update-done' of git://github.com/fishilico/selinux-refpolicy

policy/modules/system/systemd.fc

@@ -1,3 +1,5 @@
+/etc/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
+
 /etc/udev/hwdb\.bin			--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
 
 /run/log/journal(/.*)?				gen_context(system_u:object_r:systemd_journal_t,s0)
@@ -46,6 +48,8 @@
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 
+/var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
+
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

policy/modules/system/systemd.te

@@ -1126,12 +1126,13 @@ optional_policy(`
 # Update Done local policy
 #
 
-allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+allow systemd_update_done_t self:process setfscreate;
 
-dev_write_kmsg(systemd_update_done_t)
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
 
-kernel_read_system_state(systemd_update_done_t)
+seutil_read_file_contexts(systemd_update_done_t)
 
+systemd_log_parse_environment(systemd_update_done_t)