bootloader, init: various fixes for systemd-boot

These rules were found to be needed for systemd-boot-update.service to
run properly on a systemd system with a dracut initrd and with
systemd-boot as the bootloader.

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/admin/bootloader.te

@@ -217,6 +217,13 @@ ifdef(`distro_redhat',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	# these rules are required by systemd-boot-update
+	fs_getattr_cgroup(bootloader_t)
+	init_read_state(bootloader_t)
+	init_rw_inherited_stream_socket(bootloader_t)
+')
+
 optional_policy(`
 	fstools_exec(bootloader_t)
 ')

policy/modules/system/init.te

@@ -542,6 +542,11 @@ ifdef(`init_systemd',`
 		files_mounton_non_security(init_t)
 	')
 
+	optional_policy(`
+		# to run systemd-boot-update
+		bootloader_domtrans(init_t)
+	')
+
 	optional_policy(`
 		clock_read_adjtime(init_t)
 	')