diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 4eb6b9081..c14bb13b5 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -104,6 +104,39 @@ interface(`storage_raw_read_fixed_disk',`
 typeattribute $1 fixed_disk_raw_read;
 ')
+########################################
+##
+## Allow the caller to directly read from a fixed disk
+## if a tunable is set.
+## This is extremely dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Tunable to depend on
+##
+##
+#
+interface(`storage_raw_read_fixed_disk_cond',`
+ gen_require(`
+ attribute fixed_disk_raw_read;
+ type fixed_disk_device_t;
+ ')
+
+ typeattribute $1 fixed_disk_raw_read;
+ tunable_policy($2, `
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+ ')
+')
+
 ########################################
 ##
 ## Do not audit attempts made by the caller to read
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 17860b087..655623807 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -20,6 +20,15 @@ gen_tunable(systemd_tmpfiles_manage_all, false)
 ##
 gen_tunable(systemd_nspawn_labeled_namespace, false)
+##
+##
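Review bot: In `storage_raw_read_fixed_disk_cond`, the line `typeattribute $1 fixed_disk_raw_read;` sits outside the `tunable_policy($2, ...)` block, so the caller joins `fixed_disk_raw_read` whether or not the tunable is set. Only `dev_list_all_dev_nodes` and the two `allow` rules are conditional. That placement is presumably forced by the policy language, but the summary reads as if the whole grant depends on the tunable. Any rule or assertion elsewhere that is keyed on the attribute (none is visible in this hunk) would treat the domain as a raw-disk reader even with the tunable off. I would add to the summary `## The caller is added to the fixed_disk_raw_read attribute unconditionally; only the allow rules depend on the tunable.`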

+## Allow systemd-logind to interact with the bootloader (read which one is
+## installed on fixed disks, enumerate entries for dbus property
+## BootLoaderEntries, etc.)
+##

+##
+gen_tunable(systemd_logind_get_bootloader, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
@@ -558,6 +567,15 @@ ifdef(`distro_redhat',`
 userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
 ')
+tunable_policy(`systemd_logind_get_bootloader',`
+ fs_getattr_dos_fs(systemd_logind_t)
+ fs_list_dos(systemd_logind_t)
+ fs_read_dos_files(systemd_logind_t)
+')
+# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
+# This reads the first sectors of fixed disk devices.
+storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
+
 optional_policy(`
 dbus_connect_system_bus(systemd_logind_t)
 dbus_system_bus_client(systemd_logind_t)
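Review bot: The description of `systemd_logind_get_bootloader` does not tell an administrator that enabling it lets systemd-logind read fixed disk devices directly, which the `storage_raw_read_fixed_disk_cond` summary in storage.if itself calls extremely dangerous. The comment in the later systemd.te hunk understates it the same way with "reads the first sectors": the rules grant read on the whole device, and nothing visible limits them to a sector range. I would add `## Enabling this also grants systemd-logind raw read access to fixed disk devices.` to the description. The comment could be reworded to `# blkid only needs the first sectors, but the rule allows reading the whole device.`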
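Review bot: The three `fs_*_dos` calls in the new `tunable_policy` block carry no comment tying them to the ESP, unlike the raw-disk call below them. Judging by their names they apply to the DOS filesystem type as a whole, so other FAT-formatted filesystems mounted on the host would presumably become readable by systemd-logind as well. A comment such as `# The ESP is FAT-formatted; these rules are not limited to the ESP mount.` above `fs_getattr_dos_fs` would make that scope visible to whoever enables the boolean.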