diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 63cf195e6..ef807ba59 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -34,7 +34,7 @@ ifdef(`distro_gentoo',`
/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
-/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_transient_unit_t,s0)
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
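Review bot: Relabelling `/run/systemd/transient(/.*)?` to `systemd_transient_unit_t` moves every `service` class check on transient units away from `systemd_unit_t`, so a domain that reached them only through the generic-unit interfaces (for example `init_reload_generic_units`) will presumably start hitting denials. The init.te hunks visible here migrate only `init_t` and `initrc_t`, so it is worth confirming that other callers are switched to the new `init_*_transient_units` interfaces in the same series. A comment above the entry, such as `# transient units are written at runtime by systemd; keep them apart from packaged unit files`, would record why this path has its own type.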
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fda2faca5..3c7e9d8db 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3473,6 +3473,83 @@ interface(`init_reload_generic_units',`
allow $1 systemd_unit_t:service reload;
')
+########################################
+##
+## Get status of transient systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_transient_units_status',`
+ gen_require(`
+ type systemd_transient_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_transient_unit_t:service status;
+')
+
+########################################
+##
+## Start transient systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_start_transient_units',`
+ gen_require(`
+ type systemd_transient_unit_t;
+ class service start;
+ ')
+
+ allow $1 systemd_transient_unit_t:service start;
+')
+
+########################################
+##
+## Stop transient systemd units.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_stop_transient_units',`
+ gen_require(`
+ type systemd_transient_unit_t;
+ class service stop;
+ ')
+
+ allow $1 systemd_transient_unit_t:service stop;
+')
+
+#######################################
+##
+## Reload transient systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reload_transient_units',`
+ gen_require(`
+ type systemd_transient_unit_t;
+ class service reload;
+ ')
+
+ allow $1 systemd_transient_unit_t:service reload;
+')
+
+
########################################
##
## Get status of all systemd units.
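Review bot: The parameter description of `init_stop_transient_units` reads `Domain to not audit.`, but the interface emits an `allow` rule rather than a `dontaudit`, so it should read `Domain allowed access.` like its three siblings. A wrong description here can mislead a policy author about whether calling the interface grants access. The banner above `init_reload_transient_units` also appears to be one `#` shorter than the others, and the block ends with two blank added lines before the next banner; both are cosmetic.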
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 01a0eb786..acdaf1a46 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -121,6 +121,9 @@ logging_log_file(initrc_var_log_t)
type systemd_unit_t;
init_unit_file(systemd_unit_t)
+type systemd_transient_unit_t;
+init_unit_file(systemd_transient_unit_t)
+
ifdef(`distro_gentoo',`
type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t)
@@ -311,11 +314,11 @@ ifdef(`init_systemd',`
allow init_t init_var_lib_t:file manage_file_perms;
allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;
- manage_files_pattern(init_t, systemd_unit_t, systemdunit)
+ manage_files_pattern(init_t, systemd_transient_unit_t, systemdunit)
- manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
- manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
- allow init_t systemd_unit_t:dir relabel_dir_perms;
+ manage_dirs_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)
+ manage_lnk_files_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)
+ allow init_t systemd_transient_unit_t:dir relabel_dir_perms;
kernel_dyntrans_to(init_t)
kernel_read_network_state(init_t)
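Review bot: `manage_files_pattern(init_t, systemd_transient_unit_t, systemdunit)` still passes the `systemdunit` attribute as the file type, so inside transient directories init_t may create and write files carrying any unit type, not only the new one. If the aim is to keep runtime-generated units distinguishable from packaged ones, consider `manage_files_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)`, or add a comment saying why the attribute is required. The hunk also replaces rather than extends the `systemd_unit_t` dir, symlink and relabel rules, and the later initrc_t hunk does the same for `service reload`. That is the tighter choice, but confirm that nothing these domains create or reload at runtime is still labelled `systemd_unit_t`. The enclosing init_systemd ifdef block starts and ends outside the hunk.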
@@ -1055,8 +1058,8 @@ ifdef(`init_systemd',`
manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set)
- create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
- allow initrc_t systemd_unit_t:service reload;
+ create_dirs_pattern(initrc_t, systemd_transient_unit_t, systemd_transient_unit_t)
+ allow initrc_t systemd_transient_unit_t:service reload;
manage_files_pattern(initrc_t, systemdunit, systemdunit)
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)