Issue fields: Bug | Resolution: Done-Errata | Normal | rhel-10.0.beta | None | selinux-policy-40.13.11-1.el10 | No | Moderate | 1 | rhel-security-selinux | ssg_security | 11 | 1 | QE ack | False | False | No | SELINUX 241016 - 241106 | Pass | Automated | Release Note Not Required | All | None
What were you trying to do that didn't work?
Use systemd-sysctl after adding a conf in /run/sysctl.d/
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.9-1.el10.noarch
selinux-policy-targeted-40.13.9-1.el10.noarch
systemd-256-14.el10.x86_64
systemd-libs-256-14.el10.x86_64
systemd-pam-256-14.el10.x86_64
systemd-udev-256-14.el10.x86_64
How reproducible:
100%
Steps to reproduce
I'm using a Python script running under systemd to create the conf file, so the type is actually var_run_t. Smallest reproducer:
systemd-run /bin/bash -c 'mkdir -pZ /run/sysctl.d; echo "net.ipv4.conf.eno1.rp_filter=0" > /run/sysctl.d/51-rp_filter.conf; restorecon -v /run/sysctl.d/51-rp_filter.conf; /usr/lib/systemd/systemd-sysctl --prefix=net.ipv4.conf'
Expected results
It works
Actual results
# ls -laZ /run/sysctl.d/
total 4
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Sep  3 12:48 .
drwxr-xr-x. 41 root root system_u:object_r:var_run_t:s0 1040 Sep  3 12:48 ..
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0   31 Sep  3 12:48 51-rp_filter.conf

# audit2allow -b -v

#============= systemd_sysctl_t ==============
# src="systemd_sysctl_t" tgt="var_run_t" class="file", perms="{ getattr ioctl open read }"
# comm="systemd-sysctl" exe="" path=""
allow systemd_sysctl_t var_run_t:file { getattr ioctl open read };
(This is the result when SELinux is permissive.)
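As an added illustration, not part of this report: the denial that audit2allow summarises above, detected from raw audit.log AVC records instead. The sample lines embedded in the script are constructed to mirror the report (systemd-sysctl, source type systemd_sysctl_t, target type var_run_t, permissive=1); the parser aggregates denied permissions per source/target type, like audit2allow -v, and flags the specific pattern from this bug.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records modelled on this report's denial
# (systemd-sysctl reading a var_run_t file under /run/sysctl.d, permissive mode),
# plus one unrelated denial and one non-AVC record to show they are kept apart.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1725360480.101:201): avc:  denied  { read open } for  pid=1412 comm="systemd-sysctl" name="51-rp_filter.conf" dev="tmpfs" ino=3071 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725360480.102:202): avc:  denied  { getattr } for  pid=1412 comm="systemd-sysctl" path="/run/sysctl.d/51-rp_filter.conf" dev="tmpfs" ino=3071 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725360480.102:203): avc:  denied  { ioctl } for  pid=1412 comm="systemd-sysctl" path="/run/sysctl.d/51-rp_filter.conf" dev="tmpfs" ino=3071 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1725360480.102:203): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1725360490.500:210): avc:  denied  { write } for  pid=2001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for '
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(lines):
    """Yield one dict per AVC record; SYSCALL and other record types are skipped."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "verdict": d["verdict"],
            "comm": d["comm"],
            "stype": d["scontext"].split(":")[2],   # third field of a context is the type
            "ttype": d["tcontext"].split(":")[2],
            "tclass": d["tclass"],
            "perms": frozenset(d["perms"].split()),
            "permissive": d["permissive"] == "1",   # logged only, not enforced
        }

def summarize(lines):
    """Union of denied permissions per (source type, target type, class), as audit2allow -v shows."""
    agg = defaultdict(set)
    for r in parse_avc(lines):
        if r["verdict"] == "denied":
            agg[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: sorted(v) for k, v in agg.items()}

def mislabelled_sysctl_reads(lines):
    """Flag this report's pattern: systemd_sysctl_t denied on a var_run_t file. A hit means a
    drop-in under /run/sysctl.d carries the generic /run label; in enforcing mode that sysctl
    would not be applied, and in permissive mode only these AVC records reveal it."""
    return [r for r in parse_avc(lines)
            if r["stype"] == "systemd_sysctl_t" and r["ttype"] == "var_run_t" and r["tclass"] == "file"]
```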
Clones: RHEL-56988 [rhel-9] selinux prevents systemd-sysctl from using /run/sysctl.d/ (Closed)
Links to: RHBA-2024:140162 selinux-policy bug fix and enhancement update