diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf
index d90e3cb..853e975 100644
--- a/modules-minimum-base.conf
+++ b/modules-minimum-base.conf
@@ -412,4 +412,3 @@ packagekit = module
# Name service cache daemon
#
nscd = module
-
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
index f5bcc4c..5e255b5 100644
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@@ -412,3 +412,10 @@ rtorrent = module
# Policy for wicked
#
wicked = module
+
+# Layer: system
+# Module: rebootmgr
+#
+# Policy for rebootmgr
+#
+rebootmgr = module
diff --git a/rebootmgr.fc b/rebootmgr.fc
new file mode 100644
index 0000000..156f78f
--- /dev/null
+++ b/rebootmgr.fc
@@ -0,0 +1 @@
+/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)
diff --git a/rebootmgr.if b/rebootmgr.if
new file mode 100644
index 0000000..bb42f80
--- /dev/null
+++ b/rebootmgr.if
@@ -0,0 +1,61 @@
+
+## policy for rebootmgr
+
+########################################
+##
+## Execute rebootmgr_exec_t in the rebootmgr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rebootmgr_domtrans',`
+ gen_require(`
+ type rebootmgr_t, rebootmgr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
+')
+
+######################################
+##
+## Execute rebootmgr in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rebootmgr_exec',`
+ gen_require(`
+ type rebootmgr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rebootmgr_exec_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## rebootmgr over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rebootmgr_dbus_chat',`
+ gen_require(`
+ type rebootmgr_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rebootmgr_t:dbus send_msg;
+ allow rebootmgr_t $1:dbus send_msg;
+')
diff --git a/rebootmgr.te b/rebootmgr.te
new file mode 100644
index 0000000..46878c5
--- /dev/null
+++ b/rebootmgr.te
@@ -0,0 +1,33 @@
+policy_module(rebootmgr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rebootmgr_t;
+type rebootmgr_exec_t;
+init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
+
+permissive rebootmgr_t;
+
+########################################
+#
+# rebootmgr local policy
+#
+allow rebootmgr_t self:process { fork };
+allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
+allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rebootmgr_t)
+
+files_read_etc_files(rebootmgr_t)
+
+logging_send_syslog_msg(rebootmgr_t)
+
+miscfiles_read_localization(rebootmgr_t)
+
+optional_policy(`
+ dbus_system_bus_client(rebootmgr_t)
+ dbus_connect_system_bus(rebootmgr_t)
+')
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2c52444..81a5bfc 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek
+
+- Added policy module for rebootmgr (jsc#SMO-28)
+
-------------------------------------------------------------------
Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dce81b7..22171f3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -81,6 +81,9 @@ Source125: rtorrent.fc
Source126: wicked.te
Source127: wicked.if
Source128: wicked.fc
+Source129: rebootmgr.te
+Source130: rebootmgr.if
+Source131: rebootmgr.fc
Patch001: fix_djbdns.patch
Patch002: fix_dbus.patch
@@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
cp $i selinux_config
done
-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
cp $i policy/modules/contrib
done