From 2166acf355faf72a8cc3f5b1557d424b4a434b63 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <me@concord.sh>
Date: Sat, 13 Mar 2021 21:31:27 -0500
Subject: [PATCH] init, mount: allow systemd to watch utab

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/system/init.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7394f77dd..d313d70c8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -446,7 +446,11 @@ ifdef(`init_systemd',`
 
 	miscfiles_watch_localization(init_t)
 
+	# systemd watches utab in order to mount the
+	# local filesystem at boot
 	mount_watch_runtime_dirs(init_t)
+	mount_watch_runtime_files(init_t)
+	mount_watch_reads_runtime_files(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)