diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 7efcf71de2..5629c03ad5 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -3,9 +3,10 @@
 /usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
 /usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-3 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf5 -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/dnf-automatic-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic-?[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 43febed3fa..2fd8704434 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -229,6 +229,7 @@ userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
 ifdef(`init_systemd', `
 systemd_use_logind_fds(rpm_t)
 systemd_dbus_chat_logind(rpm_t)
+ systemd_manage_updates_symlink(rpm_t)
 ')
 optional_policy(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e1fafd4abd..ff351f8f23 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3677,6 +3677,37 @@ interface(`files_create_boot_flag',`
 filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
 ')
+########################################
+##
+## Create a symlink boot flag.
+##
+##
+##
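Review bot: In the rpm.fc hunk the plain dnf entries become literals (`/usr/bin/dnf-3`, `/usr/bin/dnf5`) while the dnf-automatic entry stays a pattern (`/usr/bin/dnf-automatic-?[0-9]+`), so the two families are now labelled by different rules. Any other versioned dnf name that the removed `/usr/bin/dnf-[0-9]+` matched would no longer get rpm_exec_t and, presumably, would not transition into rpm_t. If the literals are deliberate, a short comment above them saying why would help; otherwise `/usr/bin/dnf-?[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)` keeps both spellings covered the same way as dnf-automatic.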

+## Create a boot flag that is a symlink, such as
+## /system-update
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+##
+#
+interface(`files_create_link_boot_flag',`
+ gen_require(`
+ type root_t, etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:lnk_file manage_lnk_file_perms;
+ filetrans_pattern($1, root_t, etc_runtime_t, lnk_file, $2)
+')
+
 ########################################
 ##
 ## Delete a boot flag.
@@ -3702,6 +3733,31 @@ interface(`files_delete_boot_flag',`
 delete_files_pattern($1, root_t, etc_runtime_t)
 ')
+########################################
+##
+## Delete a symlink boot flag.
+##
+##
+##
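Review bot: `files_create_link_boot_flag` is documented as creating a symlink boot flag, but its rule `allow $1 etc_runtime_t:lnk_file manage_lnk_file_perms;` is not scoped to root_t and grants the full manage set on etc_runtime_t symlinks rather than only creation. Since the commit also adds `files_delete_link_boot_flag` for removal, the create interface could be narrowed to `allow $1 etc_runtime_t:lnk_file create_lnk_file_perms;`, or the summary changed to say it manages the link. If the wider set mirrors `files_create_boot_flag`, whose body starts outside this hunk, a comment saying so would make that intent clear. The name parameter is described as optional; when it is omitted the type transition presumably applies to every symlink the caller creates in a root_t directory, which is worth stating in the description.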

+## Delete a symlink boot flag, such as
+## /system-update
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_delete_link_boot_flag',`
+ gen_require(`
+ type root_t, etc_runtime_t;
+ ')
+
+ delete_lnk_files_pattern($1, root_t, etc_runtime_t)
+')
+
 ########################################
 ##
 ## Get the attributes of the
@@ -3953,6 +4009,27 @@ interface(`files_manage_etc_runtime_files',`
 manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
 ')
+########################################
+##
+## Create, read, write, and delete symlinks in
+## /etc that are dynamically created on boot,
+## such as mtab.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_etc_runtime_symlinks',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
 ########################################
 ##
 ## Relabel to etc_runtime_t files.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 43d62b2e18..c522b2c709 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -543,6 +543,7 @@ ifdef(`init_systemd',`
 systemd_manage_userdb_runtime_symlinks(init_t)
 systemd_filetrans_userdb_runtime_dirs(init_t)
 systemd_stream_connect_userdb(init_t)
+ systemd_clean_updates_symlink(initrc_t)
 term_create_devpts_dirs(init_t)
 term_create_ptmx(init_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 9e901829cb..5b85155820 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,3 +1,5 @@
+/system-update -l gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/system-update -l gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
 /etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b6b50bca9e..172cf33eac 100644
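Review bot: In the init.te hunk, `systemd_clean_updates_symlink(initrc_t)` is added inside a run of rules that all name init_t (`systemd_stream_connect_userdb(init_t)` above it, `term_create_devpts_dirs(init_t)` below it), so a reader cannot tell whether initrc_t is intended or a slip for init_t. If initrc_t is the domain that removes the link, the call belongs with the other initrc_t rules, or should carry a comment such as `# offline-update cleanup runs in initrc_t, not init_t`. The enclosing `ifdef` block starts and ends outside the hunk, so its remaining rules could not be checked.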
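Review bot: In the systemd.fc hunk, `/system-update` and `/etc/system-update` are labelled with the generic etc_runtime_t rather than a type of their own, so every domain that can already create or rename etc_runtime_t symlinks can place or retarget the offline-update trigger. The file already gives `/etc/\.updated` its own type on the next line, so a dedicated type for the update link would keep write access limited to the domains this commit names. If reusing etc_runtime_t is a deliberate simplification, a comment above the two entries stating that the link selects what runs at the next boot would record the trade-off.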
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2744,6 +2744,37 @@ interface(`systemd_getattr_updated_runtime',`
 getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
 ')
+#######################################
+##
+## Allow domain to clean up offline updates magic symlink
+##
+##
+##
+## domain allowed access
+##
+##
+#
+interface(`systemd_clean_updates_symlink',`
+ files_delete_link_boot_flag($1)
+ files_manage_etc_runtime_symlinks($1)
+')
+
+#######################################
+##
+## Allow domain to create, read, and clean up offline updates magic symlink
+##
+##
+##
+## domain allowed access
+##
+##
+#
+interface(`systemd_manage_updates_symlink',`
+ files_create_link_boot_flag($1, "system-update")
+ files_etc_filetrans_etc_runtime($1, lnk_file, "system-update")
+ files_read_etc_runtime_files($1)
+')
+
 ########################################
 ##
 ## Search keys for the all systemd --user domains.
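Review bot: `systemd_clean_updates_symlink` is documented as cleanup only, yet it calls `files_manage_etc_runtime_symlinks($1)`, which in this same commit expands to `manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)`, so the caller can create and rename etc_runtime_t symlinks under /etc as well as delete them. A delete-only rule for the /etc copy, for example an interface built on `delete_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)`, would match the stated purpose and the `files_delete_link_boot_flag($1)` call beside it. In `systemd_manage_updates_symlink` the summary promises read and clean-up of the link, but the only read call is `files_read_etc_runtime_files($1)`, which by its name covers files rather than symlinks. The summary should say which of the three calls provides link read and removal.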