diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 648abb480..e0a7e4bc7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5076,6 +5076,25 @@ interface(`fs_relabel_tmpfs_blk_file',`
fs_relabel_tmpfs_blk_files($1)
')
+########################################
+##
+## Relabel named pipes on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabel_tmpfs_fifo_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
########################################
##
## Read and write, create and delete generic
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1003c3d33..4734a9510 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -252,9 +252,10 @@ ifdef(`init_systemd',`
allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
- # for /run/systemd/inaccessible/{chr,blk}
- allow init_t init_runtime_t:blk_file create_blk_file_perms;
- allow init_t init_runtime_t:chr_file create_chr_file_perms;
+ # for /run/systemd/inaccessible/{chr,blk,fifo}
+ allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto };
+ allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto };
+ allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto };
allow init_t systemprocess:process { dyntransition siginh };
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
@@ -411,6 +412,9 @@ ifdef(`init_systemd',`
fs_remount_all_fs(init_t)
fs_relabelfrom_tmpfs_symlinks(init_t)
fs_unmount_all_fs(init_t)
+ fs_relabel_tmpfs_blk_files(init_t)
+ fs_relabel_tmpfs_chr_files(init_t)
+ fs_relabel_tmpfs_fifo_files(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)
@@ -485,6 +489,8 @@ ifdef(`init_systemd',`
# for systemd to read udev status
udev_read_runtime_files(init_t)
+ userdom_relabel_user_runtime_root_dirs(init_t)
+
tunable_policy(`init_mounton_non_security',`
files_mounton_non_security(init_t)
')