Index: refpolicy-2.20240202/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20240202/policy/modules/system/systemd.if
@@ -94,6 +94,8 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:file read_file_perms;
 	allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
 
+	allow $1_systemd_t $3:unix_stream_socket { connectto getattr accept getopt read };
+
 	dev_getattr_sound_dev($1_systemd_t)
 	dev_read_urand($1_systemd_t)
 	storage_getattr_removable_dev($1_systemd_t)
@@ -121,12 +123,20 @@ template(`systemd_role_template',`
 	# container engines will move container processes to different slices
 	init_dbus_chat($1_systemd_t)
 
+	# for services run by init such as /run/systemd/oom/io.system.ManagedOOM
+	init_unix_stream_socket_connectto($1_systemd_t)
+
 	# the user@.service unit is restarted when containers are created
 	systemd_get_user_manager_units_status($1_systemd_t)
 	systemd_start_user_manager_units($1_systemd_t)
 	systemd_stop_user_manager_units($1_systemd_t)
 	systemd_reload_user_manager_units($1_systemd_t)
 
+	# for wireplumber
+	systemd_read_logind_runtime_files($3)
+	systemd_watch_logind_runtime_dirs($3)
+
+	miscfiles_read_fonts($1_systemd_t)
 	miscfiles_watch_localization($1_systemd_t)
 
 	mount_read_runtime_files($1_systemd_t)
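Review bot: The two wireplumber rules `systemd_read_logind_runtime_files($3)` / `systemd_watch_logind_runtime_dirs($3)` are granted to the user domain `$3`, not to `$1_systemd_t`, so every role instantiated through `systemd_role_template` gains read/watch on logind's runtime files whether or not wireplumber is installed. This template is about the per-user manager; a rule needed by wireplumber belongs in the policy of the domain that actually runs it, or at minimum inside an `optional_policy` block here with a comment naming that domain. The unrelated `miscfiles_read_fonts($1_systemd_t)` also lacks a why-comment, while its neighbours in this hunk carry one; a one-line reason naming the service that needs fonts would keep the style consistent. The enclosing template starts and ends outside this hunk.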
@@ -136,6 +146,10 @@ template(`systemd_role_template',`
 	seutil_search_default_contexts($1_systemd_t)
 	seutil_read_file_contexts($1_systemd_t)
 
+	userdom_search_user_home_dirs($1_systemd_t)
+	userdom_list_user_home_content($1_systemd_t)
+	userdom_write_user_tmp_sockets($1_systemd_t)
+
 	systemd_manage_conf_home_content($1_systemd_t)
 	systemd_manage_data_home_content($1_systemd_t)
 
@@ -229,6 +243,10 @@ template(`systemd_role_template',`
 	systemd_watch_passwd_runtime_dirs($3)
 
 	optional_policy(`
+		dirmngr_tmp_dir_search($1_systemd_t)
+	')
+
+	optional_policy(`
 		gpg_stream_connect_agent($1_systemd_t)
 	')
 
@@ -248,6 +266,10 @@ template(`systemd_role_template',`
 		xdg_read_config_files($1_systemd_t)
 		xdg_read_data_files($1_systemd_t)
 	')
+
+	optional_policy(`
+		xserver_use_user_fonts($1_systemd_t)
+	')
 ')
 
 ######################################
@@ -440,6 +462,35 @@ template(`systemd_user_app_status',`
 	allow $2 $1_systemd_t:process sigchld;
 ')
 
+######################################
+## <summary>
+##   Allow systemd user to create a sock_file for a domain
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the systemd user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain to have socket created
+##	</summary>
+## </param>
+## <param name="type">
+##	<summary>
+##	type of sock_file to create
+##	</summary>
+## </param>
+#
+template(`systemd_user_app_socket_create',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	allow $1_systemd_t $2:unix_stream_socket { getattr write listen create bind setopt };
+	allow $1_systemd_t $3:sock_file { getattr write create };
+')
+
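Review bot: The summary of `systemd_user_app_socket_create` undersells what it grants: besides `$3:sock_file { getattr write create }` it lets `$1_systemd_t` `create`, `bind` and `listen` on `unix_stream_socket` objects labelled `$2`, i.e. socket activation on behalf of that domain. The doc should say so, and should note that the caller still has to supply the directory write/filetrans for the sock_file and whatever `setsockcreate` is needed to produce a `$2`-labelled socket, since neither is in the template. `unlink` on the sock_file is probably also wanted, because a stale socket file normally has to be removed before `bind`; that is an inference, so confirm it from denials before adding it.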
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of
@@ -2554,6 +2605,27 @@ interface(`systemd_dbus_chat_resolved',`
 	allow systemd_resolved_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd localed over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dbus_chat_locale',`
+	gen_require(`
+		type systemd_locale_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_locale_t:dbus send_msg;
+	allow systemd_locale_t $1:dbus send_msg;
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to read resolv.conf file generated by systemd_resolved
@@ -2576,6 +2648,25 @@ interface(`systemd_read_resolved_runtime
 	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to read directory containing resolv.conf
+## </summary>
+## <param name="domain">
+##	<summary>
+##	domain allowed access
+##	</summary>
+## </param>
+#
+interface(`systemd_list_resolved_runtime_dir',`
+	gen_require(`
+		type systemd_resolved_runtime_t;
+	')
+
+	init_search_runtime($1)
+	allow $1 systemd_resolved_runtime_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute the systemctl program.
@@ -2745,3 +2836,45 @@ interface(`systemd_use_inherited_machine
 	allow $1 systemd_machined_t:fd use;
 	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
 ')
+
+########################################
+## <summary>
+##  run systemd-nspawn in systemd_nspawn_t domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role  of the object to create.
+##      </summary>
+## </param>
+#
+interface(`systemd_run_nspawn', `
+	gen_require(`
+		type systemd_nspawn_t, systemd_nspawn_exec_t;
+	')
+
+	role $2 types systemd_nspawn_t;
+	domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
+')
+
+########################################
+## <summary>
+##  send datagrams to systemd_nspawn_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dgram_nspawn', `
+	gen_require(`
+		type systemd_nspawn_t, systemd_nspawn_var_run_t;
+	')
+
+	dgram_send_pattern($1, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t, systemd_nspawn_t)
+')
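Review bot: `systemd_dgram_nspawn` requires `systemd_nspawn_var_run_t`, which the .te declares only as an alias of `systemd_nspawn_runtime_t`; a new interface should name the canonical type, as this same patch does when it rewrites `systemd_passwd_var_run_t` to `systemd_passwd_runtime_t`. The role parameter doc of `systemd_run_nspawn` ("The role  of the object to create.") was copied from a different interface and should read `Role allowed access.`. Worth a sentence in the summary as well: the transition lands the caller in a domain this patch grants `sys_admin`, `sys_chroot`, `mknod`, `net_admin` and `audit_control`, so it is only appropriate for administrative roles.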
Index: refpolicy-2.20240202/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20240202/policy/modules/system/systemd.te
@@ -160,6 +160,7 @@ type systemd_logind_t;
 type systemd_logind_exec_t;
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
+init_stream_connect(systemd_logind_t)
 
 type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
 files_runtime_file(systemd_logind_inhibit_runtime_t)
@@ -208,6 +209,9 @@ type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_nspawn_devpts_t;
+term_login_pty(systemd_nspawn_devpts_t)
+
 type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
 files_runtime_file(systemd_nspawn_runtime_t)
 
@@ -301,10 +305,13 @@ init_unit_file(systemd_user_manager_unit
 
 type systemd_conf_home_t;
 init_unit_file(systemd_conf_home_t)
-xdg_config_content(systemd_conf_home_t)
 
 type systemd_data_home_t;
-xdg_data_content(systemd_data_home_t)
+
+optional_policy(`
+	xdg_config_content(systemd_conf_home_t)
+	xdg_data_content(systemd_data_home_t)
+')
 
 type systemd_user_runtime_notify_t;
 userdom_user_runtime_content(systemd_user_runtime_notify_t)
@@ -361,9 +368,13 @@ allow systemd_backlight_t systemd_backli
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
 
+kernel_getattr_proc(systemd_backlight_t)
+kernel_read_kernel_sysctls(systemd_backlight_t)
+
 systemd_log_parse_environment(systemd_backlight_t)
 
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
+dev_getattr_sysfs(systemd_backlight_t)
 dev_rw_sysfs(systemd_backlight_t)
 
 kernel_read_kernel_sysctls(systemd_backlight_t)
@@ -379,20 +390,34 @@ files_search_var_lib(systemd_backlight_t
 fs_getattr_all_fs(systemd_backlight_t)
 fs_search_cgroup_dirs(systemd_backlight_t)
 
+fs_getattr_cgroup(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+
+selinux_getattr_fs(systemd_backlight_t)
+seutil_search_default_contexts(systemd_backlight_t)
+
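Review bot: `fs_search_cgroup_dirs(systemd_backlight_t)` added here duplicates the identical call three lines above it, and the preceding hunk's `kernel_read_kernel_sysctls(systemd_backlight_t)` duplicates the one that already follows `dev_rw_sysfs`. Duplicate rules compile, but they obscure which additions are real; drop the two duplicated lines and keep `fs_getattr_cgroup`, `selinux_getattr_fs` and `seutil_search_default_contexts`.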
 #######################################
 #
 # Binfmt local policy
 #
 
+kernel_getattr_proc(systemd_binfmt_t)
 kernel_read_kernel_sysctls(systemd_binfmt_t)
 
 systemd_log_parse_environment(systemd_binfmt_t)
 
+corecmd_search_bin(systemd_binfmt_t)
+corecmd_check_exec_bin_files(systemd_binfmt_t)
+corecmd_read_bin_files(systemd_binfmt_t)
+
 # Allow to read /etc/binfmt.d/ files
 files_read_etc_files(systemd_binfmt_t)
 
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_getattr_cgroup(systemd_binfmt_t)
 fs_register_binary_executable_type(systemd_binfmt_t)
-
+fs_rw_binfmt_misc_dirs(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 
 ######################################
 #
@@ -429,7 +454,7 @@ ifdef(`enable_mls',`
 #
 
 allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
-allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
+allow systemd_coredump_t self:cap_userns { dac_override dac_read_search sys_ptrace sys_admin };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
 allow systemd_coredump_t self:user_namespace create;
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
@@ -440,13 +465,15 @@ dontaudit systemd_coredump_t self:capabi
 mmap_manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 
 kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
+kernel_getattr_proc(systemd_coredump_t)
+kernel_read_crypto_sysctls(systemd_coredump_t)
 kernel_read_kernel_sysctls(systemd_coredump_t)
 kernel_read_system_state(systemd_coredump_t)
 kernel_rw_pipes(systemd_coredump_t)
 kernel_use_fds(systemd_coredump_t)
 
 corecmd_exec_bin(systemd_coredump_t)
-corecmd_read_all_executables(systemd_coredump_t)
+corecmd_mmap_all_executables(systemd_coredump_t)
 
 dev_write_kmsg(systemd_coredump_t)
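Review bot: Replacing `corecmd_read_all_executables` with `corecmd_mmap_all_executables(systemd_coredump_t)` is a widening, not a like-for-like swap: if the interface has its usual refpolicy definition it grants `mmap_exec_file_perms`, i.e. `execute` and `map` on every `exec_type` file, whereas coredump only needs to map the crashed binary to read its ELF metadata. A daemon that parses untrusted crash data should not pick up `execute` on all executables as a side effect; prefer an interface that grants `map` without `execute`, or add a comment recording why the wider set is acceptable.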
 
@@ -457,6 +484,8 @@ files_read_etc_files(systemd_coredump_t)
 files_search_var_lib(systemd_coredump_t)
 files_mounton_root(systemd_coredump_t)
 
+fs_getattr_cgroup(systemd_coredump_t)
+fs_getattr_tmpfs(systemd_coredump_t)
 fs_getattr_xattr_fs(systemd_coredump_t)
 fs_getattr_nsfs_files(systemd_coredump_t)
 fs_search_cgroup_dirs(systemd_coredump_t)
@@ -474,6 +503,7 @@ logging_send_syslog_msg(systemd_coredump
 
 seutil_search_default_contexts(systemd_coredump_t)
 
+
 #######################################
 #
 # Systemd generator local policy
@@ -483,8 +513,29 @@ allow systemd_generator_t self:fifo_file
 allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
 allow systemd_generator_t self:process { getcap getsched setfscreate signal };
 
+allow systemd_generator_t self:tcp_socket create;
+allow systemd_generator_t self:udp_socket { create setopt };
+allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
+
 allow systemd_generator_t systemd_unit_t:file getattr;
 
+allow systemd_generator_t systemd_transient_unit_t:dir list_dir_perms;
+
+allow systemd_generator_t systemd_user_runtime_unit_t:dir manage_dir_perms;
+allow systemd_generator_t systemd_user_runtime_unit_t:file manage_file_perms;
+allow systemd_generator_t systemd_user_runtime_unit_t:lnk_file create;
+
+kernel_dontaudit_getattr_proc(systemd_generator_t)
+kernel_read_crypto_sysctls(systemd_generator_t)
+kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_read_network_state(systemd_generator_t)
+kernel_read_system_state(systemd_generator_t)
+kernel_search_network_sysctl(systemd_generator_t)
+kernel_use_fds(systemd_generator_t)
+
+# Where an unlabeled mountpoint is encounted:
+kernel_dontaudit_search_unlabeled(systemd_generator_t)
+
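Review bot: The new `tcp_socket`, `udp_socket` and `netlink_route_socket` rules for `systemd_generator_t` carry no comment saying which generator needs them, while the rest of this section explains each unusual permission (`# needed to resolve hostnames for NFS mounts`). Generators run as root early in boot, so name the generator, e.g. `# netlink_route/udp for <generator> to enumerate interfaces` (the `nlmsg_read` suggests interface enumeration, but that is an inference), and if only one generator needs it a dedicated domain would be tighter. The `lnk_file create` on `systemd_user_runtime_unit_t` without `read`/`unlink` also looks incomplete and is likely to come back as further denials.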
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
 
@@ -495,6 +546,9 @@ dev_read_urand(systemd_generator_t)
 dev_create_sysfs_files(systemd_generator_t)
 dev_write_sysfs(systemd_generator_t)
 
+application_exec(systemd_generator_t)
+domain_read_all_entry_files(systemd_generator_t)
+files_exec_etc_files(systemd_generator_t)
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
 files_search_runtime(systemd_generator_t)
@@ -503,11 +557,13 @@ files_read_boot_files(systemd_generator_
 files_read_config_files(systemd_generator_t)
 files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
+files_getattr_usr_files(systemd_generator_t)
 files_dontaudit_getattr_all_dirs(systemd_generator_t)
 files_dontaudit_read_etc_runtime_files(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
+fs_rw_tmpfs_files(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_read_all_script_files(systemd_generator_t)
@@ -525,12 +581,10 @@ init_read_generic_units_files(systemd_ge
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
 
-kernel_use_fds(systemd_generator_t)
-kernel_read_system_state(systemd_generator_t)
-kernel_read_kernel_sysctls(systemd_generator_t)
-kernel_dontaudit_getattr_proc(systemd_generator_t)
-# Where an unlabeled mountpoint is encounted:
-kernel_dontaudit_search_unlabeled(systemd_generator_t)
+miscfiles_read_localization(systemd_generator_t)
+
+selinux_getattr_fs(systemd_generator_t)
+seutil_search_default_contexts(systemd_generator_t)
 
 modutils_domtrans(systemd_generator_t)
 
@@ -540,6 +594,8 @@ storage_raw_read_removable_device(system
 
 # needed to resolve hostnames for NFS mounts
 sysnet_dns_name_resolve(systemd_generator_t)
+# for postconf
+sysnet_read_config(systemd_generator_t)
 
 systemd_log_parse_environment(systemd_generator_t)
 
@@ -565,6 +621,8 @@ optional_policy(`
 	container_search_config(systemd_generator_t)
 ')
 
+udev_search_runtime(systemd_generator_t)
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
@@ -573,11 +631,24 @@ optional_policy(`
 	lvm_exec(systemd_generator_t)
 	lvm_map_config(systemd_generator_t)
 	lvm_read_config(systemd_generator_t)
-	miscfiles_read_localization(systemd_generator_t)
 ')
 
 optional_policy(`
-	fs_search_nfsd_fs(systemd_generator_t)
+	# for /lib/systemd/system-generators/openvpn-generator
+	openvpn_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	# it runs postconf
+	# maybe /lib/systemd/system-generators/postfix-instance-generator
+	postfix_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	tmpreaper_exec(systemd_generator_t)
+')
+
+optional_policy(`
 	fs_rw_nfsd_fs(systemd_generator_t)
 	rpc_read_exports(systemd_generator_t)
 ')
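Review bot: This hunk drops `fs_search_nfsd_fs(systemd_generator_t)` from the NFS block while keeping `fs_rw_nfsd_fs` and `rpc_read_exports`, and nothing in the patch says why. If `fs_rw_nfsd_fs` is built on `rw_files_pattern` it already includes directory search and the removal is a harmless clean-up; if not, the generator loses the `search` it needs to reach those files. Confirm against the filesystem module and mention it in the commit message; the new `tmpreaper_exec` block would also benefit from a comment naming the generator that runs tmpreaper.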
@@ -721,6 +792,7 @@ kernel_dontaudit_getattr_proc(systemd_ho
 dev_read_sysfs(systemd_hostnamed_t)
 
 files_read_etc_files(systemd_hostnamed_t)
+files_read_etc_runtime_files(systemd_hostnamed_t)
 
 fs_getattr_all_fs(systemd_hostnamed_t)
 
@@ -728,7 +800,10 @@ init_delete_runtime_files(systemd_hostna
 init_read_runtime_files(systemd_hostnamed_t)
 init_write_runtime_files(systemd_hostnamed_t)
 
+miscfiles_read_localization(systemd_hostnamed_t)
+
 selinux_use_status_page(systemd_hostnamed_t)
+seutil_read_config(systemd_hostnamed_t)
 
 seutil_read_config(systemd_hostnamed_t)
 seutil_read_file_contexts(systemd_hostnamed_t)
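Review bot: `seutil_read_config(systemd_hostnamed_t)` added here duplicates the identical call already present on the next context line, so the addition is a no-op. Drop the added line and keep only `miscfiles_read_localization(systemd_hostnamed_t)`.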
@@ -742,6 +817,10 @@ systemd_log_parse_environment(systemd_ho
 udev_read_runtime_files(systemd_hostnamed_t)
 
 optional_policy(`
+	bluetooth_dbus_chat(systemd_hostnamed_t)
+')
+
+optional_policy(`
 	dbus_connect_system_bus(systemd_hostnamed_t)
 	dbus_system_bus_client(systemd_hostnamed_t)
 	init_dbus_chat(systemd_hostnamed_t)
@@ -751,6 +830,10 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(systemd_hostnamed_t)
+')
+
 #########################################
 #
 # hw local policy
@@ -812,21 +895,40 @@ miscfiles_read_localization(systemd_jour
 # locale local policy
 #
 
+kernel_getattr_proc(systemd_locale_t)
 kernel_read_kernel_sysctls(systemd_locale_t)
 
 files_read_etc_files(systemd_locale_t)
+fs_getattr_cgroup(systemd_locale_t)
+fs_search_cgroup_dirs(systemd_locale_t)
+
+# for /run/systemd/notify
+init_write_runtime_socket(systemd_locale_t)
 
 selinux_use_status_page(systemd_locale_t)
 
 seutil_read_file_contexts(systemd_locale_t)
 
 systemd_log_parse_environment(systemd_locale_t)
+systemd_write_notify_socket(systemd_locale_t)
+
+optional_policy(`
+	consolesetup_read_conf(systemd_locale_t)
+')
 
 optional_policy(`
 	dbus_connect_system_bus(systemd_locale_t)
 	dbus_system_bus_client(systemd_locale_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(systemd_locale_t)
+')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(systemd_locale_t)
+')
+
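Review bot: `init_write_runtime_socket(systemd_locale_t)` (commented `# for /run/systemd/notify`) and `systemd_write_notify_socket(systemd_locale_t)` are both added for what the comment describes as the same socket, so one of them is very likely redundant. Check which type `/run/systemd/notify` carries on the target system, keep the matching interface and move the comment to it. The `unconfined_dbus_send` and `xserver_dbus_chat_xdm` additions would also benefit from a one-line reason, since the latter presumably lets the display manager drive localed over the bus.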
 ######################################
 #
 # systemd log parse environment
@@ -914,7 +1016,9 @@ files_rw_runtime_dirs(systemd_logind_t)
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
+fs_manage_tmpfs_dirs(systemd_logind_t)
 fs_mount_tmpfs(systemd_logind_t)
 fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
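Review bot: `fs_manage_tmpfs_dirs(systemd_logind_t)` grants create/rename/delete on every directory labelled `tmpfs_t`, not just the user runtime directories logind already manages through `userdom_manage_user_runtime_dirs` further down in this section. That is a wide grant for a daemon that services unprivileged session requests; if the denial was on a specific mount (for instance the tmpfs it mounts via `fs_mount_tmpfs`), prefer a narrower interface or a filetrans to a dedicated type and record the path in a comment. If the broad rule really is required, say why here.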
@@ -947,12 +1051,15 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
+init_stream_connect(systemd_logind_t)
 init_watch_utmp(systemd_logind_t)
 
 miscfiles_read_localization(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
+miscfiles_read_localization(systemd_logind_t)
+
 seutil_libselinux_linked(systemd_logind_t)
 seutil_read_default_contexts(systemd_logind_t)
 seutil_read_file_contexts(systemd_logind_t)
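Review bot: `miscfiles_read_localization(systemd_logind_t)` added here duplicates the identical call three lines above it, and `init_stream_connect(systemd_logind_t)` is added both in this hunk and next to the domain declaration earlier in the patch. Keep one copy of each; the placement in the declaration section is the odd one out, since every other logind rule lives in this local-policy section.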
@@ -962,6 +1069,8 @@ systemd_start_power_units(systemd_logind
 
 udev_list_runtime(systemd_logind_t)
 udev_read_runtime_files(systemd_logind_t)
+# for links such as /run/udev/static_node-tags/uaccess/snd\x2ftimer
+udev_read_runtime_links(systemd_logind_t)
 
 userdom_delete_all_user_runtime_dirs(systemd_logind_t)
 userdom_delete_all_user_runtime_files(systemd_logind_t)
@@ -973,6 +1082,8 @@ userdom_delete_user_tmp_files(systemd_lo
 userdom_delete_user_tmp_symlinks(systemd_logind_t)
 userdom_delete_user_tmp_named_pipes(systemd_logind_t)
 userdom_delete_user_tmp_named_sockets(systemd_logind_t)
+userdom_delete_user_tmpfs_files(systemd_logind_t)
+
 # user_tmp_t is for the dbus-1 directory
 userdom_list_user_tmp(systemd_logind_t)
 userdom_manage_user_runtime_dirs(systemd_logind_t)
@@ -985,6 +1096,7 @@ userdom_relabelfrom_user_runtime_dirs(sy
 userdom_relabelto_user_runtime_dirs(systemd_logind_t)
 userdom_setattr_user_ttys(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
+userdom_use_user_ptys(systemd_logind_t)
 
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
 # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
@@ -1001,6 +1113,8 @@ tunable_policy(`systemd_logind_get_bootl
 	fs_read_dos_files(systemd_logind_t)
 
 	files_search_boot(systemd_logind_t)
+', `
+	files_dontaudit_search_boot(systemd_logind_t)
 ')
 # systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
 # This reads the first sectors of fixed disk devices.
@@ -1012,6 +1126,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_dbus_chat(systemd_logind_t)
+	dpkg_read_state(systemd_logind_t)
+')
+
+optional_policy(`
 	devicekit_dbus_chat_disk(systemd_logind_t)
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
@@ -1057,6 +1176,11 @@ allow systemd_machined_t systemd_machine
 
 manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 
+allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms;
+allow systemd_machined_t systemd_userdb_runtime_t:sock_file { create unlink };
+
+allow systemd_machined_t systemd_transient_unit_t:service { start status };
+
 kernel_getattr_proc(systemd_machined_t)
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
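Review bot: The new rules reference `systemd_userdb_runtime_t`, while the existing line immediately above uses `systemd_userdbd_runtime_t`; if these are two distinct declared types the patch should say what the second one labels, and if `systemd_userdb_runtime_t` is a typo the module will fail to build. In the typo case the `sock_file { create unlink }` is already covered by the existing `manage_sock_files_pattern`, leaving only the `dir manage_dir_perms` addition to justify, and `systemd_transient_unit_t:service { start status }` deserves a comment saying which machined operation starts transient units.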
@@ -1065,6 +1189,7 @@ dev_getattr_fs(systemd_machined_t)
 dev_setattr_urand_dev(systemd_machined_t)
 
 files_read_etc_files(systemd_machined_t)
+files_read_etc_runtime_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
@@ -1106,7 +1231,10 @@ optional_policy(`
 	')
 ')
 
-########################################
+optional_policy(`
+	policykit_dbus_chat(systemd_machined_t)
+')
+
 #
 # modules-load local policy
 #
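Review bot: The hunk replaces the `########################################` separator with the policykit block, so the `# modules-load local policy` header that follows now lacks its opening rule line. Re-insert the separator after the new `optional_policy` block, and add a comment for `policykit_dbus_chat(systemd_machined_t)` — machined is a privileged service, so a word on which operations it asks polkit to authorize helps the next reader.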
@@ -1118,6 +1246,7 @@ kernel_load_module(systemd_modules_load_
 kernel_read_kernel_sysctls(systemd_modules_load_t)
 kernel_request_load_module(systemd_modules_load_t)
 kernel_dontaudit_getattr_proc(systemd_modules_load_t)
+kernel_search_debugfs(systemd_modules_load_t)
 
 dev_read_sysfs(systemd_modules_load_t)
 
@@ -1127,6 +1256,8 @@ files_read_etc_files(systemd_modules_loa
 fs_getattr_all_fs(systemd_modules_load_t)
 fs_search_all(systemd_modules_load_t)
 
+fs_getattr_cgroup(systemd_modules_load_t)
+
 modutils_read_module_config(systemd_modules_load_t)
 modutils_read_module_deps(systemd_modules_load_t)
 
@@ -1245,8 +1376,8 @@ miscfiles_read_localization(systemd_noti
 # Nspawn local policy
 #
 
-allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
-allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { signal getsched setsched setpgid getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:capability { chown dac_override dac_read_search fowner fsetid kill sys_resource mknod net_admin setgid setuid setpcap sys_admin sys_chroot audit_control };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:user_namespace create;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
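Review bot: The capability line for `systemd_nspawn_t` gains `audit_control` (alongside `chown`, `fowner`, `kill`, `sys_resource`) with no comment; CAP_AUDIT_CONTROL lets the process alter kernel audit configuration, which is well beyond spawning a container and may simply be nspawn probing its bounding set. If it is a probe, a `dontaudit` is the safer answer; if it is genuinely needed, document it. The set should also stay alphabetical like the other capability lists in this file, so `audit_control` belongs at the front, not appended at the end.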
@@ -1254,13 +1385,15 @@ allow systemd_nspawn_t self:unix_stream_
 allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
 allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
 allow systemd_nspawn_t self:udp_socket create_socket_perms;
-
+allow systemd_nspawn_t self:tcp_socket create_stream_socket_perms;
+allow systemd_nspawn_t self:fifo_file rw_file_perms;
 allow systemd_nspawn_t systemd_journal_t:dir search;
 
 allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
 init_runtime_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)
 
+files_read_etc_runtime_files(systemd_nspawn_t)
 files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
@@ -1270,14 +1403,31 @@ allow systemd_nspawn_t systemd_nspawn_tm
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
 
+term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)
+allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms;
+
+kernel_getattr_core_if(systemd_nspawn_t)
+kernel_getattr_proc(systemd_nspawn_t)
+kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
+
 kernel_mount_proc(systemd_nspawn_t)
 kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
 kernel_mounton_message_if(systemd_nspawn_t)
 kernel_mounton_proc_dirs(systemd_nspawn_t)
+kernel_mounton_sysctl_files(systemd_nspawn_t)
+kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
+
+kernel_read_fs_sysctls(systemd_nspawn_t)
+kernel_read_irq_sysctls(systemd_nspawn_t)
+kernel_read_network_state(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_sysctl(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
+kernel_read_vm_sysctls(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
+kernel_request_load_module(systemd_nspawn_t)
+kernel_search_network_sysctl(systemd_nspawn_t)
 
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)
@@ -1294,6 +1444,7 @@ dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
+files_getattr_default_dirs(systemd_nspawn_t)
 files_getattr_tmp_dirs(systemd_nspawn_t)
 files_manage_etc_files(systemd_nspawn_t)
 files_manage_mnt_dirs(systemd_nspawn_t)
@@ -1305,11 +1456,17 @@ files_setattr_runtime_dirs(systemd_nspaw
 
 fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
+fs_getattr_xattr_fs(systemd_nspawn_t)
+fs_manage_cgroup_dirs(systemd_nspawn_t)
+fs_manage_cgroup_files(systemd_nspawn_t)
+fs_manage_tmpfs_blk_files(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_cgroup(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
+fs_mounton_cgroup(systemd_nspawn_t)
+fs_read_nsfs_files(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
 fs_remount_xattr_fs(systemd_nspawn_t)
-fs_read_cgroup_files(systemd_nspawn_t)
 fs_watch_memory_pressure(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
@@ -1318,6 +1475,7 @@ term_mount_devpts(systemd_nspawn_t)
 term_search_ptys(systemd_nspawn_t)
 term_setattr_generic_ptys(systemd_nspawn_t)
 term_use_ptmx(systemd_nspawn_t)
+term_use_generic_ptys(systemd_nspawn_t)
 
 init_domtrans_script(systemd_nspawn_t)
 init_getrlimit(systemd_nspawn_t)
@@ -1327,9 +1485,14 @@ init_search_run(systemd_nspawn_t)
 init_write_runtime_socket(systemd_nspawn_t)
 init_spec_domtrans_script(systemd_nspawn_t)
 
+miscfiles_read_localization(systemd_nspawn_t)
 miscfiles_manage_localization(systemd_nspawn_t)
+mount_exec(systemd_nspawn_t)
+
 udev_read_runtime_files(systemd_nspawn_t)
 
+sysnet_exec_ifconfig(systemd_nspawn_t)
+
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
 
@@ -1377,8 +1540,11 @@ tunable_policy(`systemd_nspawn_labeled_n
 
 	init_domtrans(systemd_nspawn_t)
 
+	logging_manage_runtime_sockets(systemd_nspawn_t)
+	logging_relabelto_devlog_sock_files(systemd_nspawn_t)
 	logging_search_logs(systemd_nspawn_t)
 
+	seutil_exec_setfiles(systemd_nspawn_t)
 	seutil_search_default_contexts(systemd_nspawn_t)
 ')
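Review bot: `seutil_exec_setfiles(systemd_nspawn_t)` runs setfiles inside the nspawn domain instead of transitioning, so every relabel permission setfiles needs on the container tree must be granted to `systemd_nspawn_t` itself; the neighbouring `logging_relabelto_devlog_sock_files` looks like the first such consequence. If the intent is to relabel the container rootfs, a domain transition to `setfiles_t` (via `seutil_domtrans_setfiles`, if available) keeps that privilege out of the container manager; if exec-without-transition is deliberate, a comment should say why. The tunable block this sits in begins outside the hunk.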
 
@@ -1401,7 +1567,7 @@ allow systemd_passwd_agent_t self:capabi
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
+allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
@@ -1410,7 +1576,13 @@ init_runtime_filetrans(systemd_passwd_ag
 
 can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+kernel_getattr_proc(systemd_passwd_agent_t)
+
+# for /proc/sys/kernel/cap_last_cap
+kernel_read_kernel_sysctls(systemd_passwd_agent_t)
+
 kernel_read_system_state(systemd_passwd_agent_t)
+kernel_search_fs_sysctls(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
 
 dev_create_generic_dirs(systemd_passwd_agent_t)
@@ -1437,6 +1609,7 @@ init_create_runtime_dirs(systemd_passwd_
 init_read_runtime_pipes(systemd_passwd_agent_t)
 init_read_state(systemd_passwd_agent_t)
 init_read_utmp(systemd_passwd_agent_t)
+init_use_script_ptys(systemd_passwd_agent_t)
 init_stream_connect(systemd_passwd_agent_t)
 
 logging_send_syslog_msg(systemd_passwd_agent_t)
@@ -1649,6 +1822,9 @@ fs_search_ramfs(systemd_sessions_t)
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
 
+fs_getattr_cgroup(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+
 selinux_get_fs_mount(systemd_sessions_t)
 selinux_use_status_page(systemd_sessions_t)
 
@@ -1666,7 +1842,7 @@ systemd_log_parse_environment(systemd_se
 # sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict
 # sys_ptrace for kernel.yama.ptrace_scope
 # net_admin for network sysctls
-allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace };
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_resource };
 
 kernel_read_kernel_sysctls(systemd_sysctl_t)
 kernel_request_load_module(systemd_sysctl_t)
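Review bot: The comment block above enumerates why each capability is granted to `systemd_sysctl_t`, but the newly added `sys_resource` is not explained; add a line such as `# sys_resource for <sysctl observed in the denial>` so the justification stays complete and a later reviewer can tell whether the grant is still needed.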
@@ -1679,6 +1855,9 @@ fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
 
+fs_getattr_cgroup(systemd_sysctl_t)
+fs_search_ramfs(systemd_sysctl_t)
+
 systemd_log_parse_environment(systemd_sysctl_t)
 
 #########################################
@@ -1690,11 +1869,16 @@ allow systemd_sysusers_t self:capability
 allow systemd_sysusers_t self:process setfscreate;
 allow systemd_sysusers_t self:unix_dgram_socket sendto;
 
+domain_obj_id_change_exemption(systemd_sysusers_t)
+
 files_manage_etc_files(systemd_sysusers_t)
 
 fs_getattr_all_fs(systemd_sysusers_t)
 fs_search_all(systemd_sysusers_t)
 
+fs_getattr_cgroup(systemd_sysusers_t)
+fs_search_cgroup_dirs(systemd_sysusers_t)
+
 kernel_read_kernel_sysctls(systemd_sysusers_t)
 
 selinux_use_status_page(systemd_sysusers_t)
@@ -1708,6 +1892,17 @@ seutil_read_file_contexts(systemd_sysuse
 
 systemd_log_parse_environment(systemd_sysusers_t)
 
+userdom_use_inherited_user_terminals(systemd_sysusers_t)
+
+optional_policy(`
+	apt_use_fds(systemd_sysusers_t)
+	apt_use_ptys(systemd_sysusers_t)
+')
+
+optional_policy(`
+	unconfined_use_fds(systemd_sysusers_t)
+')
+
 #########################################
 #
 # Tmpfiles local policy
@@ -1784,10 +1979,13 @@ files_setattr_lock_dirs(systemd_tmpfiles
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
+fs_getattr_cgroup(systemd_tmpfiles_t)
+fs_getattr_all_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
-fs_getattr_all_fs(systemd_tmpfiles_t)
+fs_search_auto_mountpoints(systemd_tmpfiles_t)
 fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_search_ramfs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -1843,6 +2041,11 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	colord_read_lib_files(systemd_tmpfiles_t)
+	colord_relabel_lib(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
@@ -2017,16 +2220,20 @@ systemd_log_parse_environment(systemd_us
 # systemd-user-runtime-dir local policy
 #
 
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod };
 allow systemd_user_runtime_dir_t self:process setfscreate;
 
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
 
 allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
 allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
+allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
 
 files_read_etc_files(systemd_user_runtime_dir_t)
 
+fs_getattr_autofs(systemd_logind_t)
+fs_search_auto_mountpoints(systemd_logind_t)
 fs_mount_tmpfs(systemd_user_runtime_dir_t)
 fs_getattr_tmpfs(systemd_user_runtime_dir_t)
 fs_list_tmpfs(systemd_user_runtime_dir_t)
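Review bot: `fs_getattr_autofs(systemd_logind_t)` and `fs_search_auto_mountpoints(systemd_logind_t)` sit in the `systemd-user-runtime-dir` section but target `systemd_logind_t`, so either the domain is wrong (`systemd_user_runtime_dir_t` is the domain being given `mknod` and tmpfs rules here) or the two lines belong in the logind section earlier in the file. The added `mknod` capability also has no comment; a helper that creates runtime directories needing to create device nodes is unexpected, so name the node or the denial that motivated it.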
@@ -2061,7 +2268,10 @@ userdom_manage_user_tmp_dirs(systemd_use
 userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
 
 userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
 userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
+userdom_list_user_tmp(systemd_user_runtime_dir_t)
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
@@ -2071,3 +2281,15 @@ userdom_relabelto_user_runtime_dirs(syst
 optional_policy(`
 	dbus_system_bus_client(systemd_user_runtime_dir_t)
 ')
+
+optional_policy(`
+	dirmngr_unlink_tmp_sock(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
+	gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
+	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
+')
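Review bot: Wrapping `userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)` in `optional_policy()` is inconsistent with the rest of this section, where `userdom_*` calls such as `userdom_delete_user_tmp_named_sockets` are invoked unwrapped because userdomain is a base system module; drop the wrapper and place the call with the other userdom lines. I cannot see a definition of `userdom_delete_all_user_runtime_named_sockets` in this patch, so confirm it exists and which types it covers, and add a one-line comment naming the sockets it is for, as was done with the dirmngr and gpg-agent lines just above.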
Index: refpolicy-2.20240202/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20240202/policy/modules/admin/dpkg.if
@@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
 
 	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
 ')
+
+########################################
+## <summary>
+##	send dbus messages to dpkg_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_dbus_chat',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	read dpkg_t process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_state',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dir search;
+	allow $1 dpkg_t:file read_file_perms;
+')
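Review bot: `dpkg_dbus_chat` grants only `allow $1 dpkg_t:dbus send_msg;`, whereas the refpolicy `*_dbus_chat` convention (compare `init_dbus_chat`, used elsewhere in this patch) is bidirectional, so replies from dpkg_t back to the caller would still be denied; either add `allow dpkg_t $1:dbus send_msg;` or rename the interface to what it does (`dpkg_dbus_send`) and keep the summary as written. `dpkg_read_state` hand-writes `dir search` plus `file read_file_perms`; the existing `ps_process_pattern($1, dpkg_t)` macro expresses the same intent in the file's idiom and, as far as I recall, also covers the `/proc/<pid>` symlinks (`exe`, `cwd`) a state reader typically follows.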
Index: refpolicy-2.20240202/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20240202/policy/modules/roles/sysadm.te
@@ -117,6 +117,10 @@ ifdef(`init_systemd',`
 	systemd_dbus_chat_networkd(sysadm_t)
 	fs_read_nsfs_files(sysadm_t)
 
+	systemd_run_nspawn(sysadm_t, sysadm_r)
+	systemd_run_passwd_agent(sysadm_t, sysadm_r)
+	systemd_watch_passwd_runtime_dirs(sysadm_t)
+
 	# Allow sysadm to follow logs in the journal, i.e. with podman logs -f
 	systemd_watch_journal_dirs(sysadm_t)
 ')
Index: refpolicy-2.20240202/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20240202/policy/modules/services/networkmanager.te
@@ -344,6 +344,9 @@ optional_policy(`
 optional_policy(`
 	systemd_read_logind_runtime_files(NetworkManager_t)
 	systemd_read_logind_sessions_files(NetworkManager_t)
+	systemd_watch_logind_runtime_dirs(NetworkManager_t)
+	systemd_watch_logind_sessions_dirs(NetworkManager_t)
+	systemd_watch_machines_dirs(NetworkManager_t)
 	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
 
Index: refpolicy-2.20240202/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20240202/policy/modules/services/devicekit.te
@@ -189,6 +189,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(devicekit_disk_t)
+	systemd_use_logind_fds(devicekit_disk_t)
+	systemd_write_inherited_logind_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
 	udev_domtrans_udevadm(devicekit_disk_t)
 	udev_read_runtime_files(devicekit_disk_t)
 ')
Index: refpolicy-2.20240202/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20240202/policy/modules/services/ssh.te
@@ -269,6 +269,7 @@ ifdef(`init_systemd',`
 	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_dgram_nspawn(sshd_t)
 	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
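Review bot: `systemd_dgram_nspawn(sshd_t)` lets sshd send datagrams to systemd-nspawn sockets with no comment on the scenario that needs it, and nothing in the surrounding lines (logind pipes, init stream sockets) explains why nspawn is involved. My guess is sshd running inside an nspawn container whose log socket is provided by nspawn; if that is the trigger, a one-line comment such as `# sshd inside an nspawn container logs via the nspawn-provided socket` makes the grant auditable, and if not, state the actual trigger.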
 
Index: refpolicy-2.20240202/policy/modules/apps/gpg.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/apps/gpg.if
+++ refpolicy-2.20240202/policy/modules/apps/gpg.if
@@ -64,6 +64,7 @@ template(`gpg_role',`
 	optional_policy(`
 		systemd_user_app_status($1, gpg_t)
 		systemd_user_app_status($1, gpg_agent_t)
+	systemd_user_app_socket_create($1, gpg_agent_t, gpg_agent_tmp_t)
 	')
 ')
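Review bot: The added `systemd_user_app_socket_create($1, gpg_agent_t, gpg_agent_tmp_t)` is indented with one tab while the two `systemd_user_app_status` lines inside the same `optional_policy()` block use two, so it reads as if it sat outside the block; indent it to match. `systemd_user_app_socket_create` is not defined anywhere in the visible part of this patch, so confirm the interface is added in the accompanying systemd.if change, otherwise the build fails on an undefined macro.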
 
@@ -345,6 +346,24 @@ interface(`gpg_agent_tmp_filetrans',`
 ')
 
 ########################################
+## <summary>
+##	unlink gpg_agent_tmp_t sock_file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_agent_tmp_unlink_sock',`
+	gen_require(`
+		type gpg_agent_tmp_t;
+	')
+
+	allow $1 gpg_agent_tmp_t:sock_file unlink;
+')
+
+########################################
 ## <summary>
 ##	filetrans in gpg_runtime_t dirs
 ## </summary>
Index: refpolicy-2.20240202/policy/modules/services/dirmngr.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/dirmngr.if
+++ refpolicy-2.20240202/policy/modules/services/dirmngr.if
@@ -46,9 +46,28 @@ template(`dirmngr_role',`
 
 	optional_policy(`
 		systemd_user_app_status($1, dirmngr_t)
+		systemd_user_app_socket_create($1, dirmngr_t, dirmngr_tmp_t)
 	')
 ')
 
+############################################################
+## <summary>
+##	unlink dirmngr_tmp_t sock_file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dirmngr_unlink_tmp_sock',`
+	gen_require(`
+		type dirmngr_tmp_t;
+	')
+
+	allow $1 dirmngr_tmp_t:sock_file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Execute dirmngr in the dirmngr domain.
@@ -110,6 +129,24 @@ interface(`dirmngr_stream_connect',`
 ')
 
 ########################################
+## <summary>
+##	Search dirmngr_tmp_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirmngr_tmp_dir_search',`
+	gen_require(`
+		type dirmngr_tmp_t;
+	')
+
+	allow $1 dirmngr_tmp_t:dir search_dir_perms;
+')
+
+########################################
 ## <summary>
 ##	All of the rules required to
 ##	administrate an dirmngr environment.
Index: refpolicy-2.20240202/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/logging.te
+++ refpolicy-2.20240202/policy/modules/system/logging.te
@@ -550,6 +550,7 @@ ifdef(`init_systemd',`
 	logging_send_syslog_msg(syslogd_t)
 
 	systemd_manage_journal_files(syslogd_t)
+	systemd_search_user_runtime(syslogd_t)
 	systemd_watch_journal_dirs(syslogd_t)
 	systemd_relabelfrom_journal_files(syslogd_t)
 	systemd_relabelto_journal_files(syslogd_t)
Index: refpolicy-2.20240202/policy/modules/services/colord.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/colord.if
+++ refpolicy-2.20240202/policy/modules/services/colord.if
@@ -58,3 +58,22 @@ interface(`colord_read_lib_files',`
 	files_search_var_lib($1)
 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
 ')
+
+######################################
+## <summary>
+##	relabel colord lib files and dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`colord_relabel_lib',`
+	gen_require(`
+		type colord_var_lib_t;
+	')
+
+	allow $1 colord_var_lib_t:dir { list_dir_perms relabelfrom relabelto };
+	allow $1 colord_var_lib_t:file { relabelfrom relabelto };
+')
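Review bot: `colord_relabel_lib` does not call `files_search_var_lib($1)`, unlike `colord_read_lib_files` directly above it, so a caller relying on this interface alone cannot traverse to `/var/lib/colord` to relabel it; add the search call. The body could also use the file's pattern idiom, `relabel_dirs_pattern($1, colord_var_lib_t, colord_var_lib_t)` and `relabel_files_pattern($1, colord_var_lib_t, colord_var_lib_t)`, which carry the same relabelfrom/relabelto permissions. Whether symlinks under that directory need relabeling too I cannot tell from here; if they do, `lnk_file` is currently missing.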
Index: refpolicy-2.20240202/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/udev.if
+++ refpolicy-2.20240202/policy/modules/system/udev.if
@@ -322,6 +322,25 @@ interface(`udev_read_runtime_files',`
 
 ########################################
 ## <summary>
+##	Read udev runtime links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_read_runtime_links',`
+	gen_require(`
+		type udev_runtime_t;
+	')
+
+	files_search_runtime($1)
+	read_lnk_files_pattern($1, udev_runtime_t, udev_runtime_t)
+')
+
+########################################
+## <summary>
 ##	dontaudit attempts to read/write udev runtime files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20240202/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/kernel/terminal.if
+++ refpolicy-2.20240202/policy/modules/kernel/terminal.if
@@ -264,6 +264,24 @@ interface(`term_write_console',`
 
 ########################################
 ## <summary>
+##	watch reads on console device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_watch_reads_console',`
+	gen_require(`
+		type console_device_t;
+	')
+
+	allow $1 console_device_t:chr_file watch_reads;
+')
+
+########################################
+## <summary>
 ##	Read from the console.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20240202/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/init.te
+++ refpolicy-2.20240202/policy/modules/system/init.te
@@ -560,6 +560,7 @@ ifdef(`init_systemd',`
 	term_setattr_unallocated_ttys(init_t)
 	term_watch_unallocated_ttys(init_t)
 	term_watch_reads_unallocated_ttys(init_t)
+	term_watch_reads_console(init_t)
 
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)
Index: refpolicy-2.20240202/policy/modules/system/fstools.fc
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/fstools.fc
+++ refpolicy-2.20240202/policy/modules/system/fstools.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/systemd-fsckd	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/addpart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/blkid			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
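Review bot: Labeling `/usr/lib/systemd/systemd-fsckd` as `fsadm_exec_t` runs it in `fsadm_t`, the domain shared by fsck, mkfs and the other filesystem tools in this file; as far as I know systemd-fsckd only relays fsck progress over a socket to the console and plymouth, so it would inherit whatever disk-level privileges fsadm_t carries without needing them, and a dedicated domain (or at least a comment justifying the reuse) would be the least-privilege choice. Separately, this file is ordered by path and the new line is inserted before `/usr/bin/addpart`; move it to where `/usr/lib/...` entries sort.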
Index: refpolicy-2.20240202/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20240202/policy/modules/services/dbus.te
@@ -248,6 +248,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_connect_machined(system_dbusd_t)
+
 	# for /run/systemd/users/*
 	systemd_read_logind_runtime_files(system_dbusd_t)
 	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
@@ -341,6 +343,7 @@ fs_getattr_romfs(session_bus_type)
 fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
+fs_search_tmpfs(session_bus_type)
 
 kernel_getattr_proc(session_bus_type)
 
@@ -350,6 +353,7 @@ selinux_compute_access_vector(session_bu
 selinux_compute_create_context(session_bus_type)
 selinux_compute_relabel_context(session_bus_type)
 selinux_compute_user_contexts(session_bus_type)
+selinux_use_status_page(session_bus_type)
 
 auth_read_pam_console_data(session_bus_type)
 
Index: refpolicy-2.20240202/policy/modules/apps/wm.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/apps/wm.if
+++ refpolicy-2.20240202/policy/modules/apps/wm.if
@@ -86,6 +86,8 @@ template(`wm_role_template',`
 	userdom_rw_user_tmpfs_files($1_wm_t)
 	userdom_map_user_tmpfs_files($1_wm_t)
 
+	dev_rw_input_dev($1_wm_t)
+
 	xserver_role($1, $1_wm_t, $3, $4)
 	xserver_manage_core_devices($1_wm_t)
 
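Review bot: `dev_rw_input_dev($1_wm_t)` gives every window-manager domain open plus read/write on all `input_device_t` nodes, i.e. raw access to every keyboard and mouse on the system regardless of which seat or session owns them, with no comment saying why. The next hunk of this file adds `systemd_use_logind_fds($1_wm_t)`, which suggests the compositor receives its input devices as descriptors handed over by logind; if that is the case the `open` permission is unnecessary and an inherited-fd variant (a `dev_rw_inherited_input_dev`-style interface, if refpolicy provides one) would be tighter. At minimum add a why-comment such as `# wayland compositors read evdev devices directly` above the call.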
@@ -124,6 +126,7 @@ template(`wm_role_template',`
 
 	optional_policy(`
 		systemd_read_logind_state($1_wm_t)
+		systemd_use_logind_fds($1_wm_t)
 		systemd_user_app_status($1, $1_wm_t)
 		systemd_write_inherited_logind_inhibit_pipes($1_wm_t)
 	')
Index: refpolicy-2.20240202/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20240202/policy/modules/services/xserver.if
@@ -114,6 +114,9 @@ template(`xserver_restricted_role',`
 	xserver_read_xdm_runtime_files($2)
 	# gnome-session creates socket under /tmp/.ICE-unix/
 	xserver_create_xdm_tmp_sockets($2)
+	# if we allow xserver_create_xdm_tmp_sockets and we use wayland then
+	# we need to unlink as well.  Maybe should use a different type.
+	allow $2 xdm_tmp_t:sock_file { unlink };
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
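Review bot: The raw `allow $2 xdm_tmp_t:sock_file { unlink };` breaks the convention this template otherwise follows of going through interfaces (`xserver_create_xdm_tmp_sockets($2)` on the line above); wrap it as an interface, e.g. `xserver_delete_xdm_tmp_sockets($2)`, so other callers can reuse it and the permission is documented once. Because templates are expanded in the caller's module, `xdm_tmp_t` must also appear in this template's `gen_require()` block, which starts outside the hunk — confirm it is listed there. The comment's own `Maybe should use a different type.` is the right instinct: a dedicated socket type would avoid letting every user domain unlink any xdm socket the DAC bits permit.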
Index: refpolicy-2.20240202/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20240202/policy/modules/services/xserver.te
@@ -635,6 +635,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_locale(xdm_t)
+')
+
+optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
 ')
Index: refpolicy-2.20240202/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20240202/policy/modules/system/userdomain.if
@@ -630,6 +630,7 @@ template(`userdom_change_password_templa
 template(`userdom_common_user_template',`
 	gen_require(`
 		attribute unpriv_userdomain;
+		type user_runtime_t;
 	')
 
 	userdom_basic_networking_template($1)
@@ -813,6 +814,7 @@ template(`userdom_common_user_template',
 
 		optional_policy(`
 			systemd_role_template($1, $1_r, $1_t)
+			systemd_user_app_socket_create($1, $1_t, user_runtime_t)
 		')
 	')
 
@@ -924,6 +926,7 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
+		systemd_dbus_chat_locale($1_t)
 		systemd_stream_connect_userdb($1_t)
 	')
 
Index: refpolicy-2.20240202/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20240202/policy/modules/system/unconfined.if
@@ -126,6 +126,10 @@ interface(`unconfined_domain_noaudit',`
 	')
 
 	optional_policy(`
+		systemd_dbus_chat_locale($1)
+	')
+
+	optional_policy(`
 		xserver_unconfined($1)
 	')
 ')
Index: refpolicy-2.20240202/policy/modules/services/docker.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/docker.te
+++ refpolicy-2.20240202/policy/modules/services/docker.te
@@ -75,6 +75,7 @@ ifdef(`init_systemd',`
 	init_stop_system(dockerd_t)
 	init_get_system_status(dockerd_t)
 	init_stop_generic_units(dockerd_t)
+	systemd_connect_machined(dockerd_t)
 ')
 
 ########################################
Index: refpolicy-2.20240202/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20240202/policy/modules/services/mysql.te
@@ -141,6 +141,10 @@ miscfiles_read_localization(mysqld_t)
 userdom_search_user_home_dirs(mysqld_t)
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
 
+ifdef(`init_systemd',`
+	systemd_connect_machined(mysqld_t)
+')
+
 tunable_policy(`mysql_connect_any',`
 	corenet_sendrecv_all_client_packets(mysqld_t)
 	corenet_tcp_connect_all_ports(mysqld_t)
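Review bot: `systemd_connect_machined(mysqld_t)` has no comment explaining why a database server needs to talk to systemd-machined; the same interface is added for `system_dbusd_t` and `dockerd_t` elsewhere in this patch, where the need is more plausible. If this is about user/group lookups being routed through machined's userdb socket (my guess, not something the hunk shows), say so with `# nss lookups via systemd-machined userdb`; otherwise name the actual trigger. Note also that the call is guarded only by `ifdef(`init_systemd')`, while the `systemd_*` calls in the other service modules touched by this patch sit inside `optional_policy()`; pick one convention.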
Index: refpolicy-2.20240202/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20240202/policy/modules/system/unconfined.te
@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
 	init_pgm_spec_user_daemon_domain(unconfined_t)
 	allow unconfined_t self:system { status start stop reload };
 
+	systemd_use_passwd_agent_fds(unconfined_t)
+
 	optional_policy(`
 		systemd_dbus_chat_resolved(unconfined_t)
 		systemd_filetrans_passwd_runtime_dirs(unconfined_t)
Index: refpolicy-2.20240202/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20240202/policy/modules/kernel/filesystem.if
@@ -619,7 +619,24 @@ interface(`fs_getattr_binfmt_misc_dirs',
 	')
 
 	allow $1 binfmt_misc_fs_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Read/write directories on binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_binfmt_misc_dirs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
 
+	allow $1 binfmt_misc_fs_t:dir rw_dir_perms;
 ')
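Review bot: `fs_rw_binfmt_misc_dirs` grants `rw_dir_perms` (add_name/remove_name/write among others) on `binfmt_misc_fs_t` directories, but registering or removing binfmt handlers is, as far as I know, done by writing to the `register` file and the per-handler files rather than by directory-entry operations; confirm this is the permission the denial actually asked for and, if file writes are also needed, pair it with a file-level interface. The summary `Read/write directories on binfmt_misc filesystems.` would also benefit from naming the use case, e.g. `(needed to register binfmt handlers)`.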
 
 ########################################
Index: refpolicy-2.20240202/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20240202/policy/modules/apps/chromium.te
@@ -183,6 +183,8 @@ files_read_usr_files(chromium_t)
 files_map_usr_files(chromium_t)
 files_read_etc_files(chromium_t)
 files_watch_etc_dirs(chromium_t)
+files_watch_runtime_dirs(chromium_t)
+
 # During find for /etc/whatever-release we get lots of output otherwise
 files_dontaudit_getattr_all_dirs(chromium_t)
 
@@ -193,6 +195,8 @@ fs_search_cgroup_dirs(chromium_t)
 miscfiles_read_all_certs(chromium_t)
 miscfiles_read_localization(chromium_t)
 
+mount_list_runtime(chromium_t)
+
 sysnet_dns_name_resolve(chromium_t)
 
 # for /run/udev/data/*
@@ -261,6 +265,7 @@ optional_policy(`
 optional_policy(`
 	dbus_all_session_bus_client(chromium_t)
 	dbus_system_bus_client(chromium_t)
+	dbus_getattr_session_runtime_socket(chromium_t)
 
 	optional_policy(`
 		unconfined_dbus_chat(chromium_t)
@@ -276,6 +281,7 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		systemd_list_resolved_runtime_dir(chromium_t)
 		systemd_dbus_chat_hostnamed(chromium_t)
 	')
 ')
Index: refpolicy-2.20240202/policy/modules/apps/pulseaudio.if
===================================================================
--- refpolicy-2.20240202.orig/policy/modules/apps/pulseaudio.if
+++ refpolicy-2.20240202/policy/modules/apps/pulseaudio.if
@@ -56,6 +56,7 @@ template(`pulseaudio_role',`
 
 	optional_policy(`
 		systemd_user_app_status($1, pulseaudio_t)
+		systemd_user_app_socket_create($1, pulseaudio_t, pulseaudio_tmp_t)
 	')
 ')
 
