From 007e87226b33ef5999c6046b95cd2e178e58f76d Mon Sep 17 00:00:00 2001
From: Mykola Solianko <mykola_solianko@epam.com>
Date: Fri, 4 Oct 2024 11:48:49 +0300
Subject: [PATCH] Adapt to build for scarthgap

Signed-off-by: Mykola Solianko <mykola_solianko@epam.com>
---
 policy/modules/admin/quota.te        |  3 +
 policy/modules/apps/loadkeys.te      |  3 +
 policy/modules/services/container.te |  2 +
 policy/modules/services/dbus.te      |  7 +++
 policy/modules/services/dnsmasq.te   |  2 +
 policy/modules/services/ntp.if       | 18 ++++++
 policy/modules/services/ntp.te       |  2 +
 policy/modules/services/rpc.te       |  9 ++-
 policy/modules/services/rpcbind.te   |  3 +
 policy/modules/services/ssh.te       |  5 ++
 policy/modules/system/aos.if         | 20 +++++++
 policy/modules/system/init.te        |  9 +++
 policy/modules/system/logging.if     | 18 ++++++
 policy/modules/system/logging.te     |  5 ++
 policy/modules/system/lvm.te         |  3 +
 policy/modules/system/modutils.te    |  2 +
 policy/modules/system/mount.te       |  5 ++
 policy/modules/system/selinuxutil.te |  2 +
 policy/modules/system/sysnetwork.te  |  2 +
 policy/modules/system/systemd.if     | 90 ++++++++++++++++++++++++++++
 policy/modules/system/systemd.te     | 32 ++++++++++
 policy/modules/system/udev.te        |  7 ++-
 22 files changed, 247 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index b5b152fb16..310a8410d2 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -89,6 +89,9 @@ logging_send_syslog_msg(quota_t)
 userdom_use_user_terminals(quota_t)
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 
+init_rw_script_stream_sockets(quota_t)
+kernel_use_fds(quota_t)
+
 optional_policy(`
 	mta_queue_filetrans(quota_t, quota_db_t, file)
 	mta_spool_filetrans(quota_t, quota_db_t, file)
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index b9558dccc4..aa8f72d819 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -48,6 +48,9 @@ miscfiles_read_localization(loadkeys_t)
 userdom_use_user_terminals(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
 
+init_rw_script_stream_sockets(loadkeys_t)
+kernel_use_fds(loadkeys_t)
+
 optional_policy(`
 	consolesetup_read_conf(loadkeys_t)
 ')
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index f599670407..f4cf3edbdc 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -753,6 +753,8 @@ kernel_search_vm_sysctl(container_engine_t)
 
 term_remount_devpts(container_engine_t)
 
+init_rw_script_stream_sockets(container_engine_t)
+
 ifdef(`init_systemd',`
 	# needed by runc, which is also invoked by other engines
 	init_run_bpf(container_engine_domain)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 99f7b61cbf..88fd3550aa 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -190,6 +190,9 @@ write_logging_runtime_dirs(system_dbusd_t)
 
 files_map_etc_files(system_dbusd_t)
 
+init_rw_script_stream_sockets(system_dbusd_t)
+kernel_use_fds(system_dbusd_t)
+
 ifdef(`init_systemd', `
 	# gdm3 causes system_dbusd_t to want this access
 	dev_rw_dri(system_dbusd_t)
@@ -229,6 +232,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	unconfined_use_fds(system_dbusd_t)
+')
+
 optional_policy(`
 	tunable_policy(`dbus_broker_system_bus',`
 		networkmanager_startstop(system_dbusd_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index c88c370bc2..4a0c3552f3 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -110,6 +110,8 @@ files_manage_quota_aos(dnsmasq_t)
 
 dev_rw_tee_chr_files(dnsmasq_t)
 
+kernel_use_fds(dnsmasq_t)
+
 optional_policy(`
 	cobbler_read_lib_files(dnsmasq_t)
 ')
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index dc813d136c..266451511d 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -317,3 +317,21 @@ interface(`ntp_admin',`
 		allow ntpd_t $1:dbus send_msg;
 	')
 ')
+
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to ntpd_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_ntpd', `
+    gen_require(`
+        type ntpd_t;
+    ')
+
+    allow $1 ntpd_t:process2 nnp_transition;
+')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 8a85342940..1041414a2d 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
+init_rw_script_stream_sockets(ntpd_t)
+kernel_use_fds(ntpd_t)
 
 ifdef(`init_systemd',`
 	allow ntpd_t self:process setfscreate;
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index e5d6ecb135..63f2ce9295 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -282,6 +282,10 @@ userdom_signal_all_users(rpcd_t)
 
 write_logging_runtime_dirs(rpcd_t)
 
+init_rw_script_stream_sockets(rpcd_t)
+
+kernel_use_fds(rpcd_t)
+
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcd_t)
 ')
@@ -314,7 +318,7 @@ optional_policy(`
 # NFSD local policy
 #
 
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource sys_rawio };
 
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -363,6 +367,9 @@ fs_manage_tmpfs_dirs(nfsd_t)
 
 fs_list_hugetlbfs(nfsd_t)
 
+init_rw_script_stream_sockets(nfsd_t)
+kernel_use_fds(nfsd_t)
+
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
 ')
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 105295a91c..19bce56942 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -73,6 +73,9 @@ logging_send_syslog_msg(rpcbind_t)
 
 miscfiles_read_localization(rpcbind_t)
 
+init_rw_script_stream_sockets(rpcbind_t)
+kernel_use_fds(rpcbind_t)
+
 # nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
 # because the are running in different level. So add rules to allow this.
 mls_socket_read_all_levels(rpcbind_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 92598de63f..da087a563b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -265,6 +265,9 @@ files_map_etc_files(sshd_t)
 init_manage_dir_utmp(sshd_t)
 logging_rw_generic_logs(sshd_t)
 
+init_rw_script_stream_sockets(sshd_t)
+kernel_use_fds(sshd_t)
+
 ifdef(`distro_debian',`
 	allow sshd_t self:process { getcap setcap };
 	auth_use_pam_motd_dynamic(sshd_t)
@@ -382,6 +385,8 @@ files_manage_var_dirs(ssh_keygen_t)
 files_manage_var_files(ssh_keygen_t)
 files_map_etc_files(ssh_keygen_t)
 
+init_rw_script_stream_sockets(ssh_keygen_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if
index 84bcbc3d20..2852cd0391 100644
--- a/policy/modules/system/aos.if
+++ b/policy/modules/system/aos.if
@@ -167,6 +167,26 @@ interface(`files_manage_quota_aos',`
 	allow $1 aos_var_run_t:filesystem { quotaget quotamod remount getattr };
 ')
 
+# allow $1 aos_var_run_t:file { getattr };
+
+########################################
+## <summary>
+##	Manage update rootfs files in /var/aos directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_update_rootfs_aos',`
+	gen_require(`
+		type aos_var_run_t;
+	')
+
+	allow $1 aos_var_run_t:file { getattr };
+')
+
 ########################################
 ## <summary>
 ##	Manage overlay files in /var/aos directory.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 34b8c92ee3..6bfcf57500 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -926,12 +926,21 @@ miscfiles_manage_generic_cert_files(initrc_t)
 
 seutil_read_config(initrc_t)
 
+allow_nnp_transition_to_systemd_logind(initrc_t)
+allow_nnp_transition_to_systemd_networkd(initrc_t)
+allow_nnp_transition_to_syslogd(initrc_t)
+allow_nnp_transition_to_systemd_userdbd(initrc_t)
+allow_nnp_transition_to_ntpd(initrc_t)
+allow_nnp_transition_to_systemd_resolved(initrc_t)
+allow_nnp_transition_to_systemd_hostnamed(initrc_t)
+
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
 userdom_use_inherited_user_terminals(initrc_t)
 
+
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0615f8f307..69cdc8799b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -524,6 +524,24 @@ interface(`logging_audit_socket_activation', `
 	allow $1 syslogd_t:netlink_audit_socket create_socket_perms;
 ')
 
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to syslogd_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_syslogd', `
+    gen_require(`
+        type syslogd_t;
+    ')
+
+    allow $1 syslogd_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##	Relabel to and from syslog temporary file type.
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 933f9ff6f9..be0a3c93f7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,10 @@ miscfiles_read_localization(klogd_t)
 
 mls_file_read_all_levels(klogd_t)
 
+init_rw_script_stream_sockets(klogd_t)
+
 userdom_dontaudit_search_user_home_dirs(klogd_t)
+kernel_use_fds(klogd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -541,6 +544,8 @@ seutil_read_config(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
+init_rw_script_stream_sockets(syslogd_t)
+
 ifdef(`init_systemd',`
 	# for systemd-journal
 	allow syslogd_t self:capability audit_control;
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 0bbf33b6c4..b2104fe37b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -229,6 +229,9 @@ fs_manage_bpf_dirs(lvm_t)
 init_search_keys(lvm_t)
 miscfiles_manage_generic_cert_files(lvm_t)
 
+init_rw_script_stream_sockets(lvm_t)
+write_logging_runtime_dirs(lvm_t)
+
 ifdef(`init_systemd',`
 	init_rw_stream_sockets(lvm_t)
 
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 4b0a47df25..ba8c7b8163 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -118,6 +118,8 @@ userdom_use_user_terminals(kmod_t)
 
 userdom_dontaudit_search_user_home_dirs(kmod_t)
 
+init_rw_script_stream_sockets(kmod_t)
+
 ifdef(`init_systemd',`
 	# for /run/tmpfiles.d/kmod.conf
 	allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index db2902ccb2..40839956d5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -161,6 +161,11 @@ files_allow_manage_var_files(mount_t)
 files_allow_manage_var_chr_files(mount_t)
 files_allow_manage_etc_files(mount_t)
 
+init_rw_script_stream_sockets(mount_t)
+fs_list_nfsd_fs(mount_t)
+fs_getattr_tracefs_dirs(mount_t)
+kernel_use_fds(mount_t)
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		auth_read_pam_console_data(mount_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9f48d5fabc..38241586db 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -671,6 +671,8 @@ userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_user_home_content_files(setfiles_t)
 
+init_rw_script_stream_sockets(setfiles_t)
+
 ifdef(`distro_debian',`
 	# udev tmpfs is populated with static device nodes
 	# and then relabeled afterwards; thus
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 5c09babb54..2c2c962615 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -374,6 +374,8 @@ dev_rw_xen(ifconfig_t)
 
 var_run_file_operations(ifconfig_t)
 
+init_rw_script_stream_sockets(ifconfig_t)
+
 # For "ip netns identify $$"
 userdom_read_all_users_state(ifconfig_t)
 userdom_use_user_terminals(ifconfig_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index d25aaea78e..07414b359d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1355,6 +1355,24 @@ interface(`systemd_signull_logind',`
 	allow $1 systemd_logind_t:process signull;
 ')
 
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to systemd_logind_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_systemd_logind', `
+    gen_require(`
+        type systemd_logind_t;
+    ')
+
+    allow $1 systemd_logind_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##  List the contents of systemd userdb runtime directories.
@@ -1467,6 +1485,42 @@ interface(`systemd_stream_connect_userdb', `
 	init_unix_stream_socket_connectto($1)
 ')
 
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to systemd_userdbd_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_systemd_userdbd', `
+    gen_require(`
+        type systemd_userdbd_t;
+    ')
+
+    allow $1 systemd_userdbd_t:process2 nnp_transition;
+')
+
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to systemd_resolved_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_systemd_resolved', `
+    gen_require(`
+        type systemd_resolved_t;
+    ')
+
+    allow $1 systemd_resolved_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##	Allow reading /run/systemd/machines
@@ -1564,6 +1618,24 @@ interface(`systemd_dbus_chat_hostnamed',`
 	allow systemd_hostnamed_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to systemd_hostnamed_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_systemd_hostnamed', `
+    gen_require(`
+        type systemd_hostnamed_t;
+    ')
+
+    allow $1 systemd_hostnamed_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##      allow systemd_passwd_agent to inherit fds
@@ -2050,6 +2122,24 @@ interface(`systemd_read_networkd_runtime',`
 	read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 ')
 
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to systemd_networkd_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_systemd_networkd', `
+    gen_require(`
+        type systemd_networkd_t;
+    ')
+
+    allow $1 systemd_networkd_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 06076d554b..99da3fa62b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -549,6 +549,8 @@ udev_read_runtime_files(systemd_generator_t)
 mls_file_read_to_clearance(systemd_generator_t)
 mls_file_write_to_clearance(systemd_generator_t)
 
+files_manage_update_rootfs_aos(systemd_generator_t)
+
 ifdef(`distro_gentoo',`
 	corecmd_shell_entry_type(systemd_generator_t)
 ')
@@ -736,6 +738,8 @@ sysnet_manage_config(systemd_hostnamed_t)
 
 systemd_log_parse_environment(systemd_hostnamed_t)
 
+init_rw_script_stream_sockets(systemd_hostnamed_t)
+
 # Allow reading /run/udev/data/+dmi:id
 udev_read_runtime_files(systemd_hostnamed_t)
 
@@ -960,6 +964,9 @@ mls_file_write_to_clearance(systemd_logind_t)
 
 files_map_etc_files(systemd_logind_t)
 
+init_rw_script_stream_sockets(systemd_logind_t)
+kernel_use_fds(systemd_logind_t)
+
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
 # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
 # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -980,6 +987,10 @@ tunable_policy(`systemd_logind_get_bootloader',`
 # This reads the first sectors of fixed disk devices.
 storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
 
+optional_policy(`
+	unconfined_use_fds(systemd_logind_t)
+')
+
 optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 	dbus_system_bus_client(systemd_logind_t)
@@ -1121,6 +1132,7 @@ allow systemd_networkd_t self:rawip_socket create_socket_perms;
 allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow systemd_networkd_t self:udp_socket create_socket_perms;
 allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
 
 manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
@@ -1177,6 +1189,9 @@ systemd_log_parse_environment(systemd_networkd_t)
 
 files_map_etc_files(systemd_networkd_t)
 
+init_rw_script_stream_sockets(systemd_networkd_t)
+kernel_use_fds(systemd_networkd_t)
+
 tunable_policy(`systemd_networkd_dhcp_server',`
 	corenet_sendrecv_dhcpd_server_packets(systemd_networkd_t)
 	corenet_udp_bind_dhcpd_port(systemd_networkd_t)
@@ -1565,6 +1580,9 @@ systemd_log_parse_environment(systemd_resolved_t)
 systemd_read_networkd_runtime(systemd_resolved_t)
 
 files_map_etc_files(systemd_resolved_t)
+init_rw_script_stream_sockets(systemd_resolved_t)
+init_manage_dir_utmp(systemd_resolved_t)
+kernel_use_fds(systemd_resolved_t)
 
 optional_policy(`
 	dbus_connect_system_bus(systemd_resolved_t)
@@ -1631,6 +1649,8 @@ fs_getattr_tmpfs(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
 fs_getattr_cgroup(systemd_sessions_t)
 
+init_rw_script_stream_sockets(systemd_sessions_t)
+
 ########################################
 #
 # sysctl local policy
@@ -1658,8 +1678,12 @@ fs_search_ramfs(systemd_sysctl_t)
 
 systemd_log_parse_environment(systemd_sysctl_t)
 
+init_rw_script_stream_sockets(systemd_sysctl_t)
+kernel_use_fds(systemd_sysctl_t)
+
 fs_getattr_cgroup(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
+kernel_use_fds(systemd_sessions_t)
 
 #########################################
 #
@@ -1825,6 +1849,9 @@ mls_file_upgrade(systemd_tmpfiles_t)
 userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
 userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
 
+init_rw_script_stream_sockets(systemd_tmpfiles_t)
+kernel_use_fds(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
 	# systemd-tmpfiles can be configured to manage anything.
 	# have a last-resort option for users to do this.
@@ -2005,6 +2032,9 @@ systemd_log_parse_environment(systemd_userdbd_t)
 
 files_manage_var_files(systemd_userdbd_t)
 
+init_rw_script_stream_sockets(systemd_userdbd_t)
+kernel_use_fds(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy
@@ -2059,6 +2089,8 @@ userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
 
+init_rw_script_stream_sockets(systemd_user_runtime_dir_t)
+
 optional_policy(`
 	dbus_system_bus_client(systemd_user_runtime_dir_t)
 ')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 37cd2d400d..e7418f2ff1 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ optional_policy(`
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
 allow udev_t self:capability2 { wake_alarm block_suspend };
-allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit setrlimit };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
 allow udev_t self:sock_file read_sock_file_perms;
@@ -211,6 +211,11 @@ files_read_var_files(udev_t)
 userdom_dontaudit_getattr_user_home_dirs(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 
+init_rw_script_stream_sockets(udev_t)
+kernel_rw_fs_sysctls(udev_t)
+
+files_manage_update_rootfs_aos(udev_t)
+
 ifdef(`distro_debian',`
 	# for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
 	files_read_default_files(udev_t)