diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index c36b18719..7215d8916 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -1,5 +1,96 @@
## Run shells with substitute user and group
+template(`su_restricted_domain_template', `
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ type $1_su_t;
+ domain_entry_file($1_su_t,su_exec_t)
+ domain_type($1_su_t)
+ domain_role_change_exempt($1_su_t)
+ domain_subj_id_change_exempt($1_su_t)
+ domain_obj_id_change_exempt($1_su_t)
+ domain_wide_inherit_fd($1_su_t)
+ role $3 types $1_su_t;
+
+ allow $2 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
+ # Transition from the user domain to this domain.
+ domain_auto_trans($2, su_exec_t, $1_su_t)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$2)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctl($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+
+ domain_wide_inherit_fd($1_su_t)
+
+ files_read_etc_files($1_su_t)
+
+ # Write to utmp.
+ init_rw_script_pid($1_su_t)
+
+ libs_use_ld_so($1_su_t)
+ libs_use_shared_libs($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+
+ optional_policy(`crond.te',`
+ cron_read_pipe($1_su_t)
+ ')
+
+ optional_policy(`kerberos.te',`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket($1_su_t)
+ ')
+
+ ifdef(`TODO',`
+ # Caused by su - init scripts
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+ ') dnl end TODO
+')
+
#######################################
##
## The per user domain template for the su module.
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 70c9cd6d5..db791728c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -605,6 +605,11 @@ optional_policy(`ssh.te',`
ssh_dontaudit_read_server_keys(initrc_t)
')
+# allow init scripts to su
+optional_policy(`su.te',`
+ su_restricted_domain_template(initrc,initrc_t,system_r)
+')
+
optional_policy(`sysnetwork.te',`
ifdef(`distro_redhat',`
sysnet_rw_dhcp_config(initrc_t)
@@ -631,14 +636,6 @@ allow initrc_t ramfs_t:fifo_file write;
# during boot up initrc needs to do the following
allow initrc_t default_t:dir write;
-#
-# These rules are here to allow init scripts to su
-#
-optional_policy(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-
ifdef(`distro_redhat', `
# readahead asks for these
allow initrc_t var_lib_nfs_t:file r_file_perms;