Index: refpolicy-2.20171212/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20171212.orig/policy/modules/system/init.te
+++ refpolicy-2.20171212/policy/modules/system/init.te
@@ -355,6 +355,7 @@ ifdef(`init_systemd',`
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_getattr_tmpfs(init_t)
 	fs_read_tmpfs_files(init_t)
+	fs_read_tmpfs_symlinks(init_t)
 	fs_relabel_cgroup_symlinks(init_t)
 	fs_relabel_pstore_dirs(init_t)
 	fs_dontaudit_getattr_xattr_fs(init_t)
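Review bot: The added `fs_read_tmpfs_symlinks(init_t)` now sits inside the init_systemd ifdef block, while the copy this patch removes further down was under distro_redhat, so a Red Hat build without init_systemd would lose the permission. If that combination is still supported, keeping the distro_redhat line as well would be harmless, since duplicate allow rules simply merge. The patch does not say why systemd's init_t needs the rule; if it is there so that init_t stays a superset of the domains it now bounds, a comment such as `# needed so init_t covers the domains it bounds` above the line would record that. The ifdef block starts and ends outside the hunk.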
@@ -471,7 +472,6 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
-	fs_read_tmpfs_symlinks(init_t)
 	fs_rw_tmpfs_chr_files(init_t)
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
Index: refpolicy-2.20171212/policy/modules/contrib/entropyd.te
===================================================================
--- refpolicy-2.20171212.orig/policy/modules/contrib/entropyd.te
+++ refpolicy-2.20171212/policy/modules/contrib/entropyd.te
@@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
@@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
 	dev_write_sound(entropyd_t)
 ')
 
+ifdef(`init_systemd',`
+	init_bounded(entropyd_t, entropyd_exec_t)
+')
+
 optional_policy(`
 	tunable_policy(`entropyd_use_audio',`
 		alsa_read_lib(entropyd_t)
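Review bot: With `init_bounded(entropyd_t, entropyd_exec_t)` in place, entropyd_t can use only the permissions that init_t also holds, and nothing in this patch accounts for the conditional rules around the call: the entropyd_use_audio block just above grants `dev_write_sound(entropyd_t)` and the optional block below adds `alsa_read_lib(entropyd_t)`. Unless init_t has matching rules (not visible here), those grants would either trip the bounds check at build time or be denied at run time once the tunable is enabled on a systemd build. The same question applies to the init_bounded calls added in tor.te, next to `corenet_tcp_bind_all_unreserved_ports(tor_t)`, and in mysql.te. I would add a comment above each call, e.g. `# init_t must hold every permission of this domain, tunable ones included`, and confirm the policy builds cleanly with each tunable switched on. The optional_policy block at the end of the hunk continues outside it.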
Index: refpolicy-2.20171212/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20171212.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20171212/policy/modules/contrib/tor.te
@@ -118,6 +118,10 @@ tunable_policy(`tor_bind_all_unreserved_
 	corenet_tcp_bind_all_unreserved_ports(tor_t)
 ')
 
+ifdef(`init_systemd',`
+	init_bounded(tor_t, tor_exec_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(tor_t)
 ')
Index: refpolicy-2.20171212/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20171212.orig/policy/modules/system/init.if
+++ refpolicy-2.20171212/policy/modules/system/init.if
@@ -378,6 +378,31 @@ interface(`init_ranged_daemon_domain',`
 	')
 ')
 
+########################################
+## <summary>
+##     Make a domain be bounded by init_t
+##     NB init_t needs to have all the permissions of the domain in question
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Bounded domain
+##     </summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_bounded',`
+	gen_require(`
+		type init_t;
+	')
+
+	typebounds init_t $1;
+	allow init_t $2:file entrypoint;
+')
+
 #########################################
 ## <summary>
 ##	Abstract socket service activation (systemd).
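Review bot: The header comment of init_bounded does not explain `allow init_t $2:file entrypoint;`, which makes every bounded daemon's executable type a valid entry point for init_t, a highly privileged domain. The rule appears to exist because the bound requires init_t to hold each permission of `$1`, entrypoint included, and entering init_t still needs a separate transition rule; a comment above the line such as `# init_t must also hold the bounded domain's entrypoint permission` would make that explicit. The summary's NB line would be clearer if it stated the consequence, e.g. `Permissions of the bounded domain that init_t lacks are not effective.` The summary and the domain param are indented with spaces, whereas the entry_point param and the following interface's header use tabs.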
Index: refpolicy-2.20171212/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy-2.20171212.orig/policy/modules/contrib/mysql.te
+++ refpolicy-2.20171212/policy/modules/contrib/mysql.te
@@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
 files_read_etc_runtime_files(mysqld_t)
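Review bot: `fs_search_tmpfs(mysqld_t)` is added unconditionally and without a comment, although the rest of this patch is specific to init_systemd; the same applies to `fs_search_tmpfs(entropyd_t)` in entropyd.te. If the tmpfs directory being traversed only exists under systemd, the rule could move into the init_systemd ifdef block added in the next hunk, leaving non-systemd builds at their current permissions. Either way, a short comment naming the path that needs it, e.g. `# search <tmpfs path> (placeholder)`, would let a later reviewer judge whether the grant is still required.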
@@ -149,6 +150,10 @@ optional_policy(`
 	daemontools_service_domain(mysqld_t, mysqld_exec_t)
 ')
 
+ifdef(`init_systemd',`
+	init_bounded(mysqld_t, mysqld_exec_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(mysqld_t)
 ')
