Index: refpolicy-2.20210203/policy/modules/services/dovecot.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dovecot.if
+++ refpolicy-2.20210203/policy/modules/services/dovecot.if
@@ -63,6 +63,28 @@ interface(`dovecot_domtrans_deliver',`
 
 ########################################
 ## <summary>
+##	Read dovecot configuration content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_read_config',`
+	gen_require(`
+		type dovecot_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 dovecot_etc_t:dir list_dir_perms;
+	allow $1 dovecot_etc_t:file read_file_perms;
+	allow $1 dovecot_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	dovecot spool files.
 ## </summary>
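Review bot: The body of `dovecot_read_config` spells out the three allow rules by hand where the rest of refpolicy, and this same patch in filesystem.if, use the pattern macros; `list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)`, `read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)` and `read_lnk_files_pattern($1, dovecot_etc_t, dovecot_etc_t)` express the same access in the house style. The `<rolecap/>` tag marks this as a role capability, which looks out of place for a plain read-config interface whose only caller in this patch is postfix.te; drop it unless a user role is meant to call it. Dovecot configuration can carry credential material for password backends, so the interface should stay limited to domains that actually parse that configuration.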
Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20210203/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.26.0)
+policy_module(dovecot, 1.26.1)
 
 ########################################
 #
Index: refpolicy-2.20210203/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20210203/policy/modules/services/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.24.0)
+policy_module(postfix, 1.24.1)
 
 ########################################
 #
@@ -596,6 +596,8 @@ corecmd_exec_bin(postfix_pipe_t)
 
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
+	dovecot_read_config(postfix_pipe_t)
+	dovecot_stream_connect(postfix_pipe_t)
 ')
 
 optional_policy(`
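Review bot: The two added calls give `postfix_pipe_t` itself read access to the dovecot configuration and connect access to the dovecot sockets, although the line above already transitions the pipe helper into the dovecot deliver domain, so the hunk does not show which process still running as `postfix_pipe_t` needs them. If these were added for a specific denial, a one-line comment naming it would keep the access from being dropped later as redundant, e.g. `# pipe helper reads dovecot.conf and connects to dovecot sockets before the domain transition -- confirm against the denial`. As written the grant is broader than the transition alone and is worth confirming.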
Index: refpolicy-2.20210203/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210203/policy/modules/kernel/files.if
@@ -1609,6 +1609,25 @@ interface(`files_relabel_config_dirs',`
 	relabel_dirs_pattern($1, configfile, configfile)
 ')
 
+#########################################
+## <summary>
+##	Do not audit attempts to relabel configuration directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+##
+#
+interface(`files_dontaudit_relabel_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	dontaudit $1 configfile:dir relabel_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read config files in /etc.
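Review bot: The doc comment layout of `files_dontaudit_relabel_config_dirs` drifts from the file's template: the banner is 41 hashes instead of 40, the `<summary>` inside `<param>` has a space before the tab, and a stray bare `##` line sits between `</param>` and the final `#`; the same applies to `files_dontaudit_relabel_config_files` in the next hunk, whose banner is 39 hashes. The interface comments are extracted by the policy documentation tooling, so matching the `##	<summary>` form used by the other new interfaces in this patch keeps the generated docs uniform. Suggested: a 40-hash banner, `##	<summary>` with a single tab, and removal of the bare `##` line.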
@@ -1667,6 +1686,25 @@ interface(`files_relabel_config_files',`
 	relabel_files_pattern($1, configfile, configfile)
 ')
 
+#######################################
+## <summary>
+##	Do not audit attempts to relabel configuration files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+##
+#
+interface(`files_dontaudit_relabel_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	dontaudit $1 configfile:file relabel_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.
@@ -3118,6 +3156,26 @@ interface(`files_manage_etc_files',`
 ')
 
 ########################################
+## <summary>
+##	Do not audit attempts to create, read, write,
+##	and delete generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dontaudit_manage_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Delete system configuration files in /etc.
 ## </summary>
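Review bot: `files_dontaudit_manage_etc_files` silences denials for create, write and delete on `etc_t` files, which removes the audit trail for attempted modification of system configuration for any caller; that detection cost should be stated in the interface summary so it is only used to suppress a specific, known-benign denial. The `<rolecap/>` tag is also out of place on a dontaudit interface, which grants nothing to a role, and the other two dontaudit interfaces added in this file do not carry it. Suggested summary addition: `##	This suppresses the audit record for attempted writes to /etc; use only for known-harmless noise.` and drop the `## <rolecap/>` line.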
Index: refpolicy-2.20210203/policy/modules/kernel/files.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/files.te
+++ refpolicy-2.20210203/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.30.0)
+policy_module(files, 1.30.1)
 
 ########################################
 #
Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
@@ -4999,7 +4999,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_de
 ##	</summary>
 ## </param>
 #
-interface(`fs_relabel_tmpfs_chr_file',`
+interface(`fs_relabel_tmpfs_chr_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -5010,6 +5010,21 @@ interface(`fs_relabel_tmpfs_chr_file',`
 
 ########################################
 ## <summary>
+##	Relabel character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_chr_file',`
+	refpolicywarn(`$0($*) has been deprecated, please use fs_relabel_tmpfs_chr_files() instead.')
+	fs_relabel_tmpfs_chr_files($1)
+')
+
+########################################
+## <summary>
 ##	Read and write block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
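Review bot: The summary of the deprecated `fs_relabel_tmpfs_chr_file` wrapper still reads like a live interface, so the generated documentation gives no hint that callers should move to `fs_relabel_tmpfs_chr_files`; the `fs_relabel_tmpfs_blk_file` wrapper in a later hunk has the same gap. The usual approach is to mark it in the summary, e.g. `##	Relabel character nodes on tmpfs filesystems. (Deprecated, use fs_relabel_tmpfs_chr_files)`. The rename also means out-of-tree policy using the old names now gets a build warning, which is worth a changelog line.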
@@ -5037,7 +5052,7 @@ interface(`fs_rw_tmpfs_blk_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_relabel_tmpfs_blk_file',`
+interface(`fs_relabel_tmpfs_blk_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -5047,6 +5062,40 @@ interface(`fs_relabel_tmpfs_blk_file',`
 ')
 
 ########################################
+## <summary>
+##	Relabel block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_blk_file',`
+	refpolicywarn(`$0($*) has been deprecated, please use fs_relabel_tmpfs_blk_files() instead.')
+	fs_relabel_tmpfs_blk_files($1)
+')
+
+########################################
+## <summary>
+##	Relabel named pipes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_fifo_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir list_dir_perms;
+	relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
 ## <summary>
 ##	Read and write, create and delete generic
 ##	files on tmpfs filesystems.
Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.te
+++ refpolicy-2.20210203/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.29.0)
+policy_module(filesystem, 1.29.1)
 
 ########################################
 #
Index: refpolicy-2.20210203/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20210203/policy/modules/kernel/kernel.if
@@ -367,6 +367,24 @@ interface(`kernel_dgram_send',`
 
 ########################################
 ## <summary>
+##	Send messages to kernel netlink audit sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_netlink_audit_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };
+')
+
+########################################
+## <summary>
 ##	Allows caller to load kernel modules
 ## </summary>
 ## <param name="domain">
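Review bot: The summary of `kernel_rw_netlink_audit_sockets` says "Send messages to kernel netlink audit sockets" while the rule grants `rw_netlink_socket_perms`, i.e. read as well as write, and the interface name itself says rw; the summary should match, e.g. `##	Read and write kernel netlink audit sockets.`. The braces around the lone `rw_netlink_socket_perms` are unnecessary, compare `manage_file_perms` used bare elsewhere in this patch: `allow $1 kernel_t:netlink_audit_socket rw_netlink_socket_perms;`. Since this socket carries the audit stream, callers should stay limited to audit consumers; the only caller in this patch is `syslogd_t` under init_systemd.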
Index: refpolicy-2.20210203/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20210203/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.29.0)
+policy_module(kernel, 1.29.1)
 
 ########################################
 #
Index: refpolicy-2.20210203/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20210203/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.30.0)
+policy_module(dbus, 1.30.1)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -190,6 +190,9 @@ optional_policy(`
 
 	# for passing around terminal file handles for machinectl shell
 	systemd_use_inherited_machined_ptys(system_dbusd_t)
+
+	# allow populating of /var/lib/dbus by systemd-tmpfilesd
+	systemd_tmpfilesd_managed(system_dbusd_var_lib_t, dir)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/services/rpc.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/rpc.fc
+++ refpolicy-2.20210203/policy/modules/services/rpc.fc
@@ -16,6 +16,7 @@
 /usr/lib/systemd/system/nfs.*\.service --   gen_context(system_u:object_r:nfsd_unit_t,s0)
 /usr/lib/systemd/system/rpc.*\.service --   gen_context(system_u:object_r:rpcd_unit_t,s0)
 
+/usr/sbin/blkmapd	--	gen_context(system_u:object_r:blkmapd_exec_t,s0)
 /usr/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -27,6 +28,7 @@
 
 /var/lib/nfs(/.*)?	gen_context(system_u:object_r:var_lib_nfs_t,s0)
 
+/run/blkmapd\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/sm-notify\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
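Review bot: The file context for `/run/blkmapd\.pid` labels it `rpcd_runtime_t`, but rpc.te in this same patch declares `blkmapd_runtime_t` and uses `files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")`, so the pid file created at runtime and the same file after a relabel (restorecon, or a file_contexts pass at boot) carry different types. Either the entry should be `/run/blkmapd\.pid	--	gen_context(system_u:object_r:blkmapd_runtime_t,s0)` or the dedicated type should be dropped in favour of `rpcd_runtime_t` in rpc.te. As written, `blkmapd_t` has no visible rule for `rpcd_runtime_t`, so a relabelled pid file would likely be denied on the next start unless `rpc_domain_template` already grants it.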
Index: refpolicy-2.20210203/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210203/policy/modules/services/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.24.0)
+policy_module(rpc, 1.24.1)
 
 ########################################
 #
@@ -33,6 +33,13 @@ gen_tunable(allow_nfsd_anon_write, false
 
 attribute rpc_domain;
 
+rpc_domain_template(blkmapd)
+
+type blkmapd_runtime_t;
+files_runtime_file(blkmapd_runtime_t)
+files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
+allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
+
 type exports_t;
 files_config_file(exports_t)
 
@@ -135,6 +142,93 @@ optional_policy(`
 
 ########################################
 #
+# BLKMAPD local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+allow blkmapd_t self:unix_dgram_socket create_socket_perms;
+
+fs_list_rpc(blkmapd_t)
+storage_raw_read_fixed_disk(blkmapd_t)
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_fifo_file_perms;
+
+allow gssd_t gssd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+fs_read_nfs_files(gssd_t)
+
+files_list_tmp(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_generic_tls_privkey(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+	userdom_list_user_tmp(gssd_t)
+	userdom_read_user_tmp_files(gssd_t)
+	userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+tunable_policy(`allow_gssd_write_tmp',`
+	userdom_list_user_tmp(gssd_t)
+	userdom_rw_user_tmp_files(gssd_t)
+')
+
+optional_policy(`
+	automount_signal(gssd_t)
+')
+
+optional_policy(`
+	gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
+	kerberos_manage_host_rcache(gssd_t)
+	kerberos_read_keytab(gssd_t)
+	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+	kerberos_use(gssd_t)
+')
+
+optional_policy(`
+	mount_signal(gssd_t)
+')
+
+optional_policy(`
+	pcscd_read_runtime_files(gssd_t)
+')
+
+optional_policy(`
+	xserver_rw_xdm_tmp_files(gssd_t)
+')
+
+########################################
+#
 # Local policy
 #
 
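Review bot: `allow blkmapd_t self:capability sys_rawio;` together with `storage_raw_read_fixed_disk(blkmapd_t)` gives the new domain raw read access to fixed disks plus the capability for raw I/O ioctls, which is among the more powerful grants in the policy and carries no comment saying what the daemon does with it. A one-line why-comment above the capability rule, e.g. `# blkmapd probes block devices to map pNFS block layouts -- confirm against the observed denials`, would let a later reviewer judge whether it is still needed. The GSSD section below is a straight move from the end of the file and needs no separate review.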
@@ -275,79 +369,3 @@ tunable_policy(`nfs_export_all_ro',`
 optional_policy(`
 	mount_exec(nfsd_t)
 ')
-
-########################################
-#
-# GSSD local policy
-#
-
-allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
-allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_fifo_file_perms;
-
-allow gssd_t gssd_keytab_t:file read_file_perms;
-
-manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-
-kernel_read_network_state(gssd_t)
-kernel_read_network_state_symlinks(gssd_t)
-kernel_request_load_module(gssd_t)
-kernel_search_network_sysctl(gssd_t)
-kernel_signal(gssd_t)
-
-corecmd_exec_bin(gssd_t)
-
-fs_list_inotifyfs(gssd_t)
-fs_list_rpc(gssd_t)
-fs_rw_rpc_sockets(gssd_t)
-fs_read_rpc_files(gssd_t)
-fs_read_nfs_files(gssd_t)
-
-files_list_tmp(gssd_t)
-files_dontaudit_write_var_dirs(gssd_t)
-
-auth_manage_cache(gssd_t)
-
-miscfiles_read_generic_certs(gssd_t)
-miscfiles_read_generic_tls_privkey(gssd_t)
-
-userdom_signal_all_users(gssd_t)
-
-tunable_policy(`allow_gssd_read_tmp',`
-	userdom_list_user_tmp(gssd_t)
-	userdom_read_user_tmp_files(gssd_t)
-	userdom_read_user_tmp_symlinks(gssd_t)
-')
-
-tunable_policy(`allow_gssd_write_tmp',`
-	userdom_list_user_tmp(gssd_t)
-	userdom_rw_user_tmp_files(gssd_t)
-')
-
-optional_policy(`
-	automount_signal(gssd_t)
-')
-
-optional_policy(`
-	gssproxy_stream_connect(gssd_t)
-')
-optional_policy(`
-	kerberos_manage_host_rcache(gssd_t)
-	kerberos_read_keytab(gssd_t)
-	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
-	kerberos_use(gssd_t)
-')
-
-optional_policy(`
-	mount_signal(gssd_t)
-')
-
-optional_policy(`
-	pcscd_read_runtime_files(gssd_t)
-')
-
-optional_policy(`
-	xserver_rw_xdm_tmp_files(gssd_t)
-')
Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210203/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.18.0)
+policy_module(authlogin, 2.18.1)
 
 ########################################
 #
@@ -87,7 +87,7 @@ type wtmp_t;
 logging_log_file(wtmp_t)
 
 optional_policy(`
-	systemd_tmpfilesd_managed(faillog_t, file)
+	systemd_tmpfilesd_managed(faillog_t, { dir file })
 	systemd_tmpfilesd_managed(var_auth_t, dir)
 ')
 
Index: refpolicy-2.20210203/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.te
+++ refpolicy-2.20210203/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.10.0)
+policy_module(init, 2.10.1)
 
 gen_require(`
 	class passwd rootok;
@@ -35,6 +35,7 @@ attribute init_path_unit_loc_type;
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
+attribute init_linkable_keyring_type;
 attribute systemdunit;
 attribute initrc_transition_domain;
 
@@ -149,6 +150,9 @@ can_exec(init_t, init_exec_t)
 
 allow init_t initrc_t:unix_stream_socket connectto;
 
+# Mostly for systemd. Allow init to link to various keyrings
+allow init_t init_linkable_keyring_type:key link;
+
 # For /var/run/shutdown.pid.
 allow init_t init_runtime_t:file manage_file_perms;
 files_runtime_filetrans(init_t, init_runtime_t, file)
@@ -252,9 +256,10 @@ ifdef(`init_systemd',`
 
 	allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
 
-	# for /run/systemd/inaccessible/{chr,blk}
-	allow init_t init_runtime_t:blk_file create_blk_file_perms;
-	allow init_t init_runtime_t:chr_file create_chr_file_perms;
+	# for /run/systemd/inaccessible/{chr,blk,fifo}
+	allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto };
+	allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto };
+	allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto };
 
 	allow init_t systemprocess:process { dyntransition siginh };
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
@@ -311,6 +316,8 @@ ifdef(`init_systemd',`
 	kernel_setsched(init_t)
 	kernel_link_key(init_t)
 	kernel_rw_unix_sysctls(init_t)
+	kernel_rw_stream_sockets(init_t)
+	kernel_rw_unix_dgram_sockets(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -411,6 +418,9 @@ ifdef(`init_systemd',`
 	fs_remount_all_fs(init_t)
 	fs_relabelfrom_tmpfs_symlinks(init_t)
 	fs_unmount_all_fs(init_t)
+	fs_relabel_tmpfs_blk_files(init_t)
+	fs_relabel_tmpfs_chr_files(init_t)
+	fs_relabel_tmpfs_fifo_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@@ -485,6 +495,8 @@ ifdef(`init_systemd',`
 	# for systemd to read udev status
 	udev_read_runtime_files(init_t)
 
+	userdom_relabel_user_runtime_root_dirs(init_t)
+
 	tunable_policy(`init_mounton_non_security',`
 		files_mounton_non_security(init_t)
 	')
@@ -1022,6 +1034,9 @@ ifdef(`init_systemd',`
 	allow initrc_t systemdunit:service reload;
 	allow initrc_t init_script_file_type:service { stop start status reload };
 
+	# Access to notify socket for services with Type=notify
+	kernel_dgram_send(initrc_t)
+
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
 	# done in traditional sysvinit/upstart.
@@ -1046,6 +1061,7 @@ ifdef(`init_systemd',`
 	logging_manage_audit_config(initrc_t)
 	# journalctl:
 	logging_watch_runtime_dirs(initrc_t)
+	logging_manage_runtime_sockets(initrc_t)
 
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
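Review bot: `logging_manage_runtime_sockets(initrc_t)` is placed directly under the `# journalctl:` comment, which now reads as if journalctl needs to create and delete the logging runtime sockets; if a different unit or generator needs it, give it its own comment, e.g. `# <consumer>: creates/removes logging runtime sockets` with the placeholder filled in from the denial. Managing sockets is broader than the watch access on the line above, so naming the consumer keeps the grant reviewable. The enclosing `ifdef(init_systemd)` block starts and ends outside this hunk.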
Index: refpolicy-2.20210203/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/logging.if
+++ refpolicy-2.20210203/policy/modules/system/logging.if
@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',`
 		# Allow systemd-journald to check whether the process died
 		allow syslogd_t $1:process signull;
 
-		ifdef(`distro_redhat',`
-			kernel_dgram_send($1)
-		')
+		kernel_dgram_send($1)
 	')
+
 ')
 
 ########################################
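Review bot: Dropping the `distro_redhat` guard means every domain that calls `logging_send_syslog_msg` now gets `kernel_dgram_send` within this block, whose enclosing conditional starts outside the hunk, so the reach of the change is all syslog senders rather than only journald; a short comment above the call recording why (the syslog socket being unlabelled in the systemd initrd case, as the matching logging.te change states) would document that, e.g. `# syslog socket may be unlabelled (kernel_t) early in the systemd initrd`. The added blank line before the closing `')` is a stray whitespace change and can be dropped. `logging_send_syslog_msg` itself begins before this hunk.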
Index: refpolicy-2.20210203/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210203/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.33.0)
+policy_module(logging, 1.33.1)
 
 ########################################
 #
@@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t)
 
 init_use_fds(syslogd_t)
 
-# cjp: this doesnt make sense
-logging_send_syslog_msg(syslogd_t)
-
 miscfiles_read_localization(syslogd_t)
 
 seutil_read_config(syslogd_t)
@@ -525,6 +522,7 @@ ifdef(`init_systemd',`
 	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
 	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_rw_netlink_audit_sockets(syslogd_t)
 	kernel_use_fds(syslogd_t)
 
 	dev_read_kmsg(syslogd_t)
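Review bot: `kernel_rw_netlink_audit_sockets(syslogd_t)` lets the daemon read and write the kernel's audit netlink socket without a comment saying which feature needs it; the neighbouring kernel_* lines are bare, but access to the audit stream is the channel the audit daemon itself uses and deserves a note. Suggested: `# journald ingests audit records from the kernel audit netlink socket -- confirm`. The enclosing `ifdef(init_systemd)` block starts and ends outside this hunk.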
@@ -544,9 +542,18 @@ ifdef(`init_systemd',`
 	init_read_runtime_symlinks(syslogd_t)
 	init_read_state(syslogd_t)
 
+	# needed for systemd-initrd case when syslog socket is unlabelled
+	logging_send_syslog_msg(syslogd_t)
+
 	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
+
+	# journald traverses /run/user/UID (which is mode 0700) to read symlinks in /run/user/UID/systemd/units/
+	allow syslogd_t self:capability dac_read_search;
+	userdom_search_user_runtime_root(syslogd_t)
+	userdom_search_user_runtime(syslogd_t)
+	systemd_read_user_runtime_lnk_files(syslogd_t)
 ')
 
 ifdef(`distro_gentoo',`
Index: refpolicy-2.20210203/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210203/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.26.0)
+policy_module(lvm, 1.26.1)
 
 ########################################
 #
@@ -29,6 +29,9 @@ files_type(lvm_etc_t)
 
 type lvm_lock_t;
 files_lock_file(lvm_lock_t)
+optional_policy(`
+        systemd_tmpfilesd_managed(lvm_lock_t, dir)
+')
 
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
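Review bot: The new `systemd_tmpfilesd_managed(lvm_lock_t, dir)` line is indented with eight spaces where the rest of the file and every other optional_policy block in this patch use a single tab; `	systemd_tmpfilesd_managed(lvm_lock_t, dir)` with a tab keeps the file consistent. A blank line between `files_lock_file(lvm_lock_t)` and the optional_policy block would also match how the surrounding declarations are spaced.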
Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.29.0)
+policy_module(selinuxutil, 1.29.1)
 
 gen_require(`  #selint-disable:S-001
 	bool secure_mode;
@@ -671,8 +671,8 @@ ifdef(`distro_debian',`
 ifdef(`distro_redhat', `
 	fs_rw_tmpfs_chr_files(setfiles_t)
 	fs_rw_tmpfs_blk_files(setfiles_t)
-	fs_relabel_tmpfs_blk_file(setfiles_t)
-	fs_relabel_tmpfs_chr_file(setfiles_t)
+	fs_relabel_tmpfs_blk_files(setfiles_t)
+	fs_relabel_tmpfs_chr_files(setfiles_t)
 ')
 
 ifdef(`distro_ubuntu',`
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
@@ -541,6 +541,10 @@ interface(`sysnet_manage_config',`
 	ifdef(`distro_redhat',`
 		manage_files_pattern($1, net_conf_t, net_conf_t)
 	')
+
+	ifdef(`init_systemd',`
+		manage_files_pattern($1, net_conf_t, net_conf_t)
+	')
 ')
 
 #######################################
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.27.0)
+policy_module(sysnetwork, 1.27.1)
 
 ########################################
 #
Index: refpolicy-2.20210203/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20210203/policy/modules/system/systemd.fc
@@ -44,6 +44,11 @@
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
+HOME_DIR/\.config/systemd(/.*)?                gen_context(system_u:object_r:systemd_conf_home_t,s0)
+HOME_DIR/\.local/share/systemd(/.*)?           gen_context(system_u:object_r:systemd_data_home_t,s0)
+
+/usr/lib/systemd/user(/.*)?            gen_context(system_u:object_r:systemd_user_unit_t,s0)
+
 /usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*hibernate.* --	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*power.*	--	gen_context(system_u:object_r:power_unit_t,s0)
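Review bot: The new HOME_DIR and `/usr/lib/systemd/user` entries separate path and context with runs of spaces where the rest of the file uses tabs; the `/run/user/%{USERID}/systemd` entries in a later hunk have the same mixed whitespace. Tabs keep the file consistent and avoid noisy diffs. These entries also rely on `systemd_conf_home_t`, `systemd_data_home_t` and `systemd_user_unit_t` being declared and given a file type in systemd.te, which is not in this excerpt; an fc entry for an undeclared type fails the policy build, so that should be checked.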
@@ -57,6 +62,8 @@
 /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
 
+/usr/share/factory(/.*)?	gen_context(system_u:object_r:systemd_factory_conf_t,s0)
+
 /var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
@@ -68,6 +75,13 @@
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 
+/run/user/%{USERID}/systemd    -d      gen_context(system_u:object_r:systemd_user_runtime_t,s0)
+/run/user/%{USERID}/systemd/generator(/.*)?            gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/generator\.early(/.*)?             gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/generator\.late(/.*)?              gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/transient(/.*)?            gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/user(/.*)?         gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210203/policy/modules/system/systemd.if
@@ -28,8 +28,11 @@
 template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
-		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+		attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
 		type systemd_run_exec_t, systemd_analyze_exec_t;
+		type systemd_conf_home_t, systemd_data_home_t;
+		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+		type systemd_user_unit_t, systemd_user_runtime_unit_t;
 	')
 
 	#################################
@@ -47,39 +50,459 @@ template(`systemd_role_template',`
 	# Local policy
 	#
 
-	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
 	# This domain is per-role because of the below transitions.
 	# See the systemd --user section of systemd.te for the
 	# remainder of the rules.
-	allow $1_systemd_t $3:process { setsched rlimitinh };
+	allow $1_systemd_t self:process { getsched signal };
+	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
-	allow $1_systemd_t self:process signal;
+
+	# systemctl --user rules
+	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
+	allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
+	allow $1_systemd_t systemd_user_activated_sock_file_type:sock_file manage_sock_file_perms;
+
+	allow $1_systemd_t systemd_user_runtime_t:blk_file manage_blk_file_perms;
+	allow $1_systemd_t systemd_user_runtime_t:chr_file manage_chr_file_perms;
+	allow $1_systemd_t systemd_user_runtime_t:dir manage_dir_perms;
+	allow $1_systemd_t systemd_user_runtime_t:file manage_file_perms;
+	allow $1_systemd_t systemd_user_runtime_t:fifo_file manage_fifo_file_perms;
+	allow $1_systemd_t systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
+	allow $1_systemd_t systemd_user_runtime_t:sock_file manage_sock_file_perms;
+
+	allow $1_systemd_t systemd_user_runtime_unit_t:dir manage_dir_perms;
+	allow $1_systemd_t systemd_user_runtime_unit_t:file manage_file_perms;
+	allow $1_systemd_t systemd_user_runtime_unit_t:lnk_file manage_lnk_file_perms;
+
+	allow $1_systemd_t $3:dir search_dir_perms;
+	allow $1_systemd_t $3:file read_file_perms;
+	allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
+
+	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.early")
+	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.late")
+	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "transient")
+	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "user")
+
+	dev_read_urand($1_systemd_t)
 
 	files_search_home($1_systemd_t)
 
+	fs_manage_cgroup_files($1_systemd_t)
+	fs_watch_cgroup_files($1_systemd_t)
+
+	kernel_dontaudit_getattr_proc($1_systemd_t)
+
+	selinux_use_status_page($1_systemd_t)
+
+	init_linkable_keyring($1_systemd_t)
+	init_list_unit_dirs($1_systemd_t)
+	init_read_generic_units_files($1_systemd_t)
+
+	miscfiles_watch_localization($1_systemd_t)
+
+	mount_read_runtime_files($1_systemd_t)
+	mount_watch_runtime_files($1_systemd_t)
+	mount_watch_reads_runtime_files($1_systemd_t)
+
+	seutil_search_default_contexts($1_systemd_t)
+	seutil_read_file_contexts($1_systemd_t)
+
+	systemd_manage_conf_home_content($1_systemd_t)
+	systemd_manage_data_home_content($1_systemd_t)
+
+	systemd_search_user_runtime_unit_dirs($1_systemd_t)
+
+	systemd_search_user_runtime_unit_dirs($1_systemd_t)
+	systemd_read_user_unit_files($1_systemd_t)
+
+	dbus_system_bus_client($1_systemd_t)
+	dbus_spec_session_bus_client($1, $1_systemd_t)
+
+	# userdomain rules
+	allow $3 $1_systemd_t:process signal;
+	allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
 	allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
-
-	# systemctl --user
 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
 
+	allow $3 $1_systemd_t:system { disable enable reload start stop status };
+
+	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
+	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+	allow $3 systemd_user_unit_t:service { reload start status stop };
+	allow $3 systemd_conf_home_t:service { reload start status stop };
+
 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
-	dbus_system_bus_client($1_systemd_t)
+	init_dbus_chat($3)
 
-	selinux_use_status_page($1_systemd_t)
+	systemd_list_journal_dirs($3)
+	systemd_read_journal_files($3)
 
-	seutil_read_file_contexts($1_systemd_t)
-	seutil_search_default_contexts($1_systemd_t)
+	systemd_manage_conf_home_content($3)
+	systemd_relabel_conf_home_content($3)
+
+	systemd_manage_data_home_content($3)
+	systemd_relabel_data_home_content($3)
+
+	systemd_read_user_unit_files($3)
+	systemd_list_user_runtime_unit_dirs($3)
+	systemd_read_user_runtime_units($3)
+
+	systemd_reload_user_runtime_units($3)
+	systemd_start_user_runtime_units($3)
+	systemd_status_user_runtime_units($3)
+	systemd_stop_user_runtime_units($3)
+
+	optional_policy(`
+	        xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
+	        xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
+	        xdg_read_config_files($1_systemd_t)
+	        xdg_read_data_files($1_systemd_t)
+	')
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to be started as a daemon by the
+##   specified systemd user instance.
+## </summary>
+## <param name="prefix">
+##   <summary>
+##     Prefix for the user domain.
+##   </summary>
+## </param>
+## <param name="entry_point">
+##   <summary>
+##     Entry point file type for the domain.
+##   </summary>
+## </param>
+## <param name="domain">
+##   <summary>
+##     Domain to allow the systemd user domain to run.
+##   </summary>
+## </param>
+#
+template(`systemd_user_daemon_domain',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	domtrans_pattern($1_systemd_t, $2, $3)
+
+	allow $1_systemd_t $3:process signal_perms;
+	allow $3 $1_systemd_t:unix_stream_socket rw_socket_perms;
+')
+
+######################################
+## <summary>
+##   Associate the specified file type to be a type whose sock files
+##   can be managed by systemd user instances for socket activation.
+## </summary>
+## <param name="file_type">
+##   <summary>
+##     File type to be associated.
+##   </summary>
+## </param>
+#
+interface(`systemd_user_activated_sock_file',`
+	gen_require(`
+		attribute systemd_user_activated_sock_file_type;
+	')
+
+	typeattribute $1 systemd_user_activated_sock_file_type;
+')
+
+######################################
+## <summary>
+##   Associate the specified domain to be a domain whose unix stream
+##   sockets and sock files can be managed by systemd user instances
+##   for socket activation.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain to be associated.
+##   </summary>
+## </param>
+## <param name="sock_file_type">
+##   <summary>
+##     File type of the domain's sock files to be associated.
+##   </summary>
+## </param>
+#
+interface(`systemd_user_unix_stream_activated_socket',`
+	gen_require(`
+		attribute systemd_user_unix_stream_activated_socket_type;
+	')
+
+	typeattribute $1 systemd_user_unix_stream_activated_socket_type;
+	systemd_user_activated_sock_file($2)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to manage systemd config home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_manage_conf_home_content',`
+	gen_require(`
+		type systemd_conf_home_t;
+	')
+
+	manage_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+	manage_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+	manage_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to relabel systemd config home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_relabel_conf_home_content',`
+	gen_require(`
+		type systemd_conf_home_t;
+	')
+
+	relabel_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+	relabel_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+	relabel_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to manage systemd data home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_manage_data_home_content',`
+	gen_require(`
+		type systemd_data_home_t;
+	')
+
+	allow $1 systemd_data_home_t:dir manage_dir_perms;
+	allow $1 systemd_data_home_t:file manage_file_perms;
+	allow $1 systemd_data_home_t:lnk_file manage_lnk_file_perms;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to relabel systemd data home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_relabel_data_home_content',`
+	gen_require(`
+		type systemd_data_home_t;
+	')
+
+	relabel_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
+	relabel_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
+	relabel_lnk_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read systemd user runtime lnk files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_runtime_lnk_files',`
+	gen_require(`
+		type systemd_user_runtime_t;
+	')
+
+	read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read system-wide systemd
+##   user unit files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_unit_files',`
+	gen_require(`
+		type systemd_user_unit_t;
+	')
+
+	allow $1 systemd_user_unit_t:dir list_dir_perms;
+	allow $1 systemd_user_unit_t:file read_file_perms;
+	allow $1 systemd_user_unit_t:lnk_file read_lnk_file_perms;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read systemd user runtime unit files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_runtime_units',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+	')
+
+	read_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
+	read_lnk_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to search systemd user runtime unit
+##   directories.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_search_user_runtime_unit_dirs',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+	')
+
+	search_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to list the contents of systemd
+##   user runtime unit directories.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_list_user_runtime_unit_dirs',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+	')
+
+	list_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to get the status of systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_status_user_runtime_units',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+		class service status;
+	')
+
+	allow $1 systemd_user_runtime_unit_t:service status;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to start systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_start_user_runtime_units',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+		class service start;
+	')
+
+	allow $1 systemd_user_runtime_unit_t:service start;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to stop systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_stop_user_runtime_units',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+		class service stop;
+	')
+
+	allow $1 systemd_user_runtime_unit_t:service stop;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to reload systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_reload_user_runtime_units',`
+	gen_require(`
+		type systemd_user_runtime_unit_t;
+		class service reload;
+	')
+
+	allow $1 systemd_user_runtime_unit_t:service reload;
 ')
 
 ######################################
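Review bot: The four `filetrans_pattern` rules on `systemd_user_session_type` cover `generator.early`, `generator.late`, `transient` and `user` but not `generator`, which the systemd.fc hunk labels `systemd_user_runtime_unit_t`, so that directory only gets its label after a relabel; add `filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator")`. Those rules also name the attribute rather than `$1_systemd_t` as subject, so they do not depend on the template arguments and are re-emitted for every role that instantiates the template; they belong in systemd.te next to the attribute. `systemd_search_user_runtime_unit_dirs($1_systemd_t)` is called twice in a row a few lines later. The `optional_policy` block at the end of the template indents with a tab followed by spaces where the rest of the file uses tabs only, and the new `systemd_user_daemon_domain` grants `rw_socket_perms` on the unix_stream_socket where the template line above it uses `rw_stream_socket_perms`. The template body begins before this hunk.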
@@ -682,6 +1105,24 @@ interface(`systemd_manage_all_units',`
 
 ########################################
 ## <summary>
+##      Allow domain to list the contents of systemd_journal_t dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_list_journal_dirs',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
 ##      Allow domain to read systemd_journal_t files
 ## </summary>
 ## <param name="domain">
@@ -1174,6 +1615,7 @@ interface(`systemd_tmpfilesd_managed',`
 		type systemd_tmpfiles_t;
 	')
 
+	allow systemd_tmpfiles_t $1:dir list_dir_perms;
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
 
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.11.0)
+policy_module(systemd, 1.11.1)
 
 #########################################
 #
@@ -45,9 +45,19 @@ gen_tunable(systemd_socket_proxyd_bind_a
 ## </desc>
 gen_tunable(systemd_socket_proxyd_connect_any, false)
 
+## <desc>
+## <p>
+## Allow systemd-tmpfilesd to populate missing configuration files from factory
+## template directory.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfilesd_factory, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
+attribute systemd_user_activated_sock_file_type;
+attribute systemd_user_unix_stream_activated_socket_type;
 
 attribute_role systemd_sysusers_roles;
 
@@ -104,6 +114,9 @@ type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
 
+type systemd_factory_conf_t;
+systemd_tmpfiles_conf_file(systemd_factory_conf_t)
+
 type systemd_generator_t;
 type systemd_generator_exec_t;
 typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
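Review bot: `systemd_tmpfiles_conf_file(systemd_factory_conf_t)` presumably puts the new type in the `systemd_tmpfiles_conf_type` attribute, and `systemd_tmpfiles_t` already holds `read_file_perms` on that attribute's files (plus the `search_dir_perms` this patch adds), so the `allow` rules inside the later `tunable_policy(`systemd_tmpfilesd_factory`, ...)` hunk are redundant and the `dontaudit` rules in its else branch cannot take effect; the tunable then only gates the etc/config management. If the factory files are meant to be readable only when the tunable is on, declare the type with `files_config_file(systemd_factory_conf_t)` instead of the conf-file attribute. The tunable name `systemd_tmpfilesd_factory` also breaks with the existing `systemd_tmpfiles_*` tunables in the same file.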
@@ -168,6 +181,7 @@ init_system_domain(systemd_networkd_t, s
 
 type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
 files_runtime_file(systemd_networkd_runtime_t)
+init_mountpoint(systemd_networkd_runtime_t)
 
 type systemd_networkd_unit_t;
 init_unit_file(systemd_networkd_unit_t)
@@ -265,6 +279,16 @@ init_system_domain(systemd_update_done_t
 type systemd_update_run_t;
 files_type(systemd_update_run_t)
 
+type systemd_conf_home_t;
+init_unit_file(systemd_conf_home_t)
+
+optional_policy(`
+	xdg_config_content(systemd_conf_home_t)
+')
+
+type systemd_data_home_t;
+xdg_data_content(systemd_data_home_t)
+
 type systemd_user_runtime_notify_t;
 userdom_user_runtime_content(systemd_user_runtime_notify_t)
 
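Review bot: `xdg_data_content(systemd_data_home_t)` is called outside `optional_policy` while the `xdg_config_content` call just above it is wrapped, so a build without the xdg module fails on this line; wrap it the same way. `systemd_conf_home_t` is also declared with `init_unit_file` but `systemd_data_home_t` is not, even though the role template grants the same manage/relabel access to both; if `~/.local/share/systemd/user` is meant to hold user units too, it needs `init_unit_file` and the `service` permissions as well, and a comment stating the intended split would help either way.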
@@ -281,6 +305,13 @@ userdom_user_tmpfs_file(systemd_user_tmp
 type systemd_userdb_runtime_t;
 files_runtime_file(systemd_userdb_runtime_t)
 
+type systemd_user_unit_t;
+init_unit_file(systemd_user_unit_t)
+
+type systemd_user_runtime_unit_t;
+init_unit_file(systemd_user_runtime_unit_t)
+userdom_user_runtime_content(systemd_user_runtime_unit_t)
+
 #
 # Unit file types
 #
@@ -443,6 +474,10 @@ systemd_log_parse_environment(systemd_ge
 
 term_use_unallocated_ttys(systemd_generator_t)
 
+ifdef(`distro_gentoo',`
+	corecmd_shell_entry_type(systemd_generator_t)
+')
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
@@ -1279,6 +1314,7 @@ allow systemd_tmpfiles_t systemd_journal
 allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
 
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_getattr_proc(systemd_tmpfiles_t)
@@ -1314,6 +1350,7 @@ files_relabel_var_lib_dirs(systemd_tmpfi
 files_relabelfrom_home(systemd_tmpfiles_t)
 files_relabelto_home(systemd_tmpfiles_t)
 files_relabelto_etc_dirs(systemd_tmpfiles_t)
+files_setattr_lock_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
@@ -1334,6 +1371,8 @@ auth_relabel_lastlog(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
+auth_use_nsswitch(systemd_tmpfiles_t)
+
 init_manage_utmp(systemd_tmpfiles_t)
 init_manage_var_lib_files(systemd_tmpfiles_t)
 # for /proc/1/environ
@@ -1373,6 +1412,22 @@ tunable_policy(`systemd_tmpfiles_manage_
 	files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
 
+tunable_policy(`systemd_tmpfilesd_factory', `
+	allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+	allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+	files_manage_etc_files(systemd_tmpfiles_t)
+	files_relabel_config_dirs(systemd_tmpfiles_t)
+	files_relabel_config_files(systemd_tmpfiles_t)
+',`
+	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+	files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+	files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
+	files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
+')
+
 optional_policy(`
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
@@ -1493,6 +1548,9 @@ allow systemd_user_runtime_dir_t self:pr
 
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
 
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
+
 files_read_etc_files(systemd_user_runtime_dir_t)
 
 fs_mount_tmpfs(systemd_user_runtime_dir_t)
@@ -1511,6 +1569,18 @@ systemd_dbus_chat_logind(systemd_user_ru
 seutil_read_file_contexts(systemd_user_runtime_dir_t)
 seutil_libselinux_linked(systemd_user_runtime_dir_t)
 
+userdom_list_all_user_runtime(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_dirs(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_files(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_symlinks(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_blk_files(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_chr_files(systemd_user_runtime_dir_t)
+
+userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
+
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
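Review bot: `userdom_manage_user_tmp_dirs` and `userdom_manage_user_tmp_files` widen `systemd_user_runtime_dir_t` from the runtime directory to all user tmp content without a comment saying why; the `userdom_delete_all_user_runtime_*` calls above follow the cleanup pattern for the runtime tree, but tmp is a different tree and manage is broader than delete. A one-line comment naming the access that was actually denied, e.g. `# user tmp content: <constructed placeholder for the observed denial>`, would let a later reviewer judge whether delete would suffice.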
Index: refpolicy-2.20210203/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210203/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.29.0)
+policy_module(udev, 1.29.1)
 
 ########################################
 #
@@ -229,8 +229,8 @@ ifdef(`distro_redhat',`
 	fs_manage_tmpfs_sockets(udev_t)
 	fs_manage_tmpfs_blk_files(udev_t)
 	fs_manage_tmpfs_chr_files(udev_t)
-	fs_relabel_tmpfs_blk_file(udev_t)
-	fs_relabel_tmpfs_chr_file(udev_t)
+	fs_relabel_tmpfs_blk_files(udev_t)
+	fs_relabel_tmpfs_chr_files(udev_t)
 
 	term_search_ptys(udev_t)
 
Index: refpolicy-2.20210203/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20210203/policy/modules/services/dbus.if
@@ -63,6 +63,7 @@ template(`dbus_role_template',`
 		attribute session_bus_type;
 		type system_dbusd_t, dbusd_exec_t;
 		type session_dbusd_tmp_t, session_dbusd_home_t;
+		type session_dbusd_runtime_t;
 	')
 
 	##############################
@@ -86,10 +87,13 @@ template(`dbus_role_template',`
 	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
 	allow $3 $1_dbusd_t:fd use;
 
+	dontaudit $1_dbusd_t self:process getcap;
+
 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@@ -110,6 +114,8 @@ template(`dbus_role_template',`
 
 	optional_policy(`
 		systemd_read_logind_runtime_files($1_dbusd_t)
+		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
+		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
 	')
 ')
 
Index: refpolicy-2.20210203/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.if
+++ refpolicy-2.20210203/policy/modules/system/init.if
@@ -3274,6 +3274,24 @@ interface(`init_list_unit_dirs',`
 
 ########################################
 ## <summary>
+##     Read systemd unit files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_read_generic_units_files',`
+	gen_require(`
+		type systemd_unit_t;
+	')
+
+	allow $1 systemd_unit_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read systemd unit links
 ## </summary>
 ## <param name="domain">
@@ -3482,6 +3500,25 @@ interface(`init_manage_all_unit_files',`
 	manage_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+#########################################
+## <summary>
+##     Associate the specified domain to be a domain whose
+##     keyring init should be allowed to link.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain whose keyring init should be allowed to link.
+##     </summary>
+## </param>
+#
+interface(`init_linkable_keyring',`
+	gen_require(`
+		attribute init_linkable_keyring_type;
+	')
+
+	typeattribute $1 init_linkable_keyring_type;
+')
+
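Review bot: `init_linkable_keyring` requires `init_linkable_keyring_type`, but neither the attribute declaration in init.te nor the rule that uses it are in the visible part of this patch; if they are not elsewhere in it, the `gen_require` fails at build time. The header rule above this interface is one `#` longer than the neighbouring interfaces use.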
 ########################################
 ## <summary>
 ##      Allow unconfined access to send instructions to init
Index: refpolicy-2.20210203/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.if
+++ refpolicy-2.20210203/policy/modules/system/mount.if
@@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
 
 ########################################
 ## <summary>
+##     Watch mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch;
+')
+
+########################################
+## <summary>
+##     Watch reads on mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_reads_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch_reads;
+')
+
+########################################
+## <summary>
 ##     Getattr on mount_runtime_t files
 ## </summary>
 ## <param name="domain">
@@ -241,6 +277,24 @@ interface(`mount_getattr_runtime_files',
 ')
 
 ########################################
+## <summary>
+##     Read mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_read_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	read_files_pattern($1, mount_runtime_t, mount_runtime_t)
+')
+
+########################################
 ## <summary>
 ##	Read and write mount runtime files.
 ## </summary>
Index: refpolicy-2.20210203/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210203/policy/modules/system/userdomain.if
@@ -3614,6 +3614,42 @@ interface(`userdom_delete_all_user_runti
 
 ########################################
 ## <summary>
+##     delete user runtime blk files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_blk_files',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	delete_blk_files_pattern($1, user_runtime_content_type, user_runtime_content_type)
+')
+
+########################################
+## <summary>
+##     delete user runtime chr files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_chr_files',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	delete_chr_files_pattern($1, user_runtime_content_type, user_runtime_content_type)
+')
+
+########################################
+## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to
 ##	the user runtime root type.  (Deprecated)
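Review bot: The summaries `delete user runtime blk files` and `delete user runtime chr files` are lowercase and drop the "all" that the interface names carry; `## Delete all user runtime blk files` and `## Delete all user runtime chr files` match the names and the capitalised summaries elsewhere in the file.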
