init, udev: various fixes for systemd

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/system/init.te

@@ -251,6 +251,7 @@ ifdef(`init_systemd',`
 	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+	dontaudit init_t self:process { dyntransition setcurrent };
 
 	allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
 
@@ -430,6 +431,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_blk_files(init_t)
 	fs_relabel_tmpfs_chr_files(init_t)
 	fs_relabel_tmpfs_fifo_files(init_t)
+	fs_read_efivarfs_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@@ -508,6 +510,9 @@ ifdef(`init_systemd',`
 	# for systemd to read udev status
 	udev_read_runtime_files(init_t)
 
+	udev_relabel_rules_dirs(init_t)
+	udev_relabel_rules_files(init_t)
+
 	userdom_relabel_user_runtime_root_dirs(init_t)
 
 	tunable_policy(`init_mounton_non_security',`

policy/modules/system/udev.if

@@ -202,6 +202,46 @@ interface(`udev_manage_rules_files',`
 	udev_search_runtime($1)
 ')
 
+########################################
+## <summary>
+##	Relabel udev rules directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_relabel_rules_dirs',`
+	gen_require(`
+		type udev_rules_t;
+	')
+
+	relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
+
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Relabel udev rules files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_relabel_rules_files',`
+	gen_require(`
+		type udev_rules_t;
+	')
+
+	relabel_files_pattern($1, udev_rules_t, udev_rules_t)
+
+	files_search_etc($1)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit search of udev database directories.  (Deprecated)