Merge pull request #381 from rhatdan/main

BUmp to v2.238.0

.fmf/version

@@ -0,0 +1 @@
+1

.packit.sh

@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-
-# Packit's default fix-spec-file often doesn't fetch version string correctly.
-# This script handles any custom processing of the dist-git spec file and gets used by the
-# fix-spec-file action in .packit.yaml
-
-set -eo pipefail
-
-# Get Version from HEAD
-HEAD_VERSION=$(grep '^policy_module' container.te | sed 's/[^0-9.]//g')
-
-# Generate source tarball
-git archive --prefix=container-selinux-$HEAD_VERSION/ -o container-selinux-$HEAD_VERSION.tar.gz HEAD
-
-# RPM Spec modifications
-
-# Update Version in spec with Version from container.te
-sed -i "s/^Version:.*/Version: $HEAD_VERSION/" container-selinux.spec
-
-# Update Release in spec with Packit's release envvar
-sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" container-selinux.spec
-
-# Update Source tarball name in spec
-sed -i "s/^Source:.*.tar.gz/Source: %{name}-$HEAD_VERSION.tar.gz/" container-selinux.spec
-
-# Update setup macro to use the correct build dir
-sed -i "s/^%setup.*/%autosetup -Sgit -n %{name}-$HEAD_VERSION/" container-selinux.spec

.packit.yaml

@@ -1,30 +1,133 @@
+---
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/
 
-# Build targets can be found at:
-# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
+downstream_package_name: container-selinux
+upstream_tag_template: v{version}
 
-specfile_path: container-selinux.spec
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+    mkpath: true
+  - src: test/
+    dest: test/
+    delete: true
+    mkpath: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml
+
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-eln:
+    specfile_path: rpm/container-selinux.spec
+
+srpm_build_deps:
+  - make
 
 jobs:
-  - &copr
-    job: copr_build
-    # Run on every PR
+  - job: copr_build
     trigger: pull_request
-    owner: rhcontainerbot
-    project: packit-builds
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
     enable_net: true
-    srpm_build_deps:
-      - make
-      - rpkg
-    actions:
-      post-upstream-clone:
-        - rpkg spec --outdir ./
-      fix-spec-file:
-        - bash .packit.sh
+    # container-selinux is noarch so we only need to test on one arch
+    targets: &fedora_copr_targets
+      - fedora-all-x86_64
+      - fedora-all-aarch64
 
-  - <<: *copr
-    # Run on commit to main branch
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets:
+      - fedora-eln-x86_64
+      - fedora-eln-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_copr_targets
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+
+  # Run on commit to main branch
+  # Build targets managed in copr settings
+  - job: copr_build
     trigger: commit
+    packages: [container-selinux-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
     branch: main
+    owner: rhcontainerbot
     project: podman-next
+    enable_net: true
+
+  # All tests specified in the `/plans/` subdir
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
+      failure_comment:
+        message: "Tests failed. @containers/packit-build please check."
+    targets: *fedora_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for CentOS Stream
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *test_failure_notification
+    targets: *centos_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-fedora]
+    dist_git_branches: &fedora_targets
+      - fedora-all
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches: *fedora_targets
+
+  - job: bodhi_update
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically

Makefile

@@ -4,6 +4,7 @@ MODULES ?= ${TARGETS:=.pp.bz2}
 # Point SHAREDIR to DATADIR by default to not break existing users
 DATADIR ?= /usr/share
 SHAREDIR ?= ${DATADIR}
+SYSCONFDIR ?= /etc
 
 all: ${TARGETS:=.pp.bz2}
 
@@ -30,6 +31,9 @@ install: man
 	install -D -pm 644 container_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8
 	install -D -pm 644 container_contexts ${DESTDIR}${SHAREDIR}/containers/selinux/contexts
 
+install.selinux-user:
+	install -D -pm 644 container_u ${DESTDIR}${SYSCONFDIR}/selinux/targeted/contexts/users/container_u
+
 install.udica-templates:
 	install -dp $(DESTDIR)$(SHAREDIR)/udica/templates
 	install -pm 644 udica-templates/*.cil $(DESTDIR)$(SHAREDIR)/udica/templates

OWNERS

@@ -0,0 +1,6 @@
+approvers:
+  - haircommander   
+  - lsm5
+  - rhatdan
+  - wrabcak
+  - zpytela

README.md

@@ -8,7 +8,7 @@ Explains `container_t` vs `container_var_lib_t`
 **[`container_t` versus `svirt_lxc_net_t`](https://danwalsh.livejournal.com/79191.html)**  
 Clarifys `container_t` versus `svirt_lxc_net_t` aliases
 
-**[SELinux, Podman, and Libvert](https://danwalsh.livejournal.com/81143.html)**  
+**[SELinux, Podman, and Libvirt](https://danwalsh.livejournal.com/81143.html)**  
 Information regarding SELinux blocking Podman container from talking to Libvirt
 
 **[Caution Relabeling Volumes with Container Runtimes](https://danwalsh.livejournal.com/76016.html)**  

container.fc

@@ -9,14 +9,19 @@
 /usr/local/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubenswrapper.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubenswrapper.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/kubensenter.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubensenter.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildah		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
-/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -59,6 +64,7 @@
 /etc/crio(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /exports(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 
+/var/lib/shared(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -86,6 +92,8 @@
 # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
 /var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
 
+HOME_DIR/\.local/share/ramalama(/.*)?		 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/artifacts(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -103,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/atomic(/.*)?	<<none>>
 /var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/artifacts(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -111,15 +120,21 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/cache/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 
-/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+/opt/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pod-resources(/.*)?	gen_context(system_u:object_r:kubelet_var_lib_t,s0)
 /var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
@@ -130,27 +145,28 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 
 /var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/crio(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
+/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
 /var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
 
-/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
 
 /srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 
-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+/run/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
 
+/var/log/kube-apiserver(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /etc/kubernetes(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)

container.if

@@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
     files_pid_filetrans($1, container_var_run_t, dir, "containers")
     files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
 
+    logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
     logging_log_filetrans($1, container_log_t, dir, "lxc")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
     files_var_lib_filetrans($1, container_file_t, dir, "origin")
@@ -522,6 +523,7 @@ interface(`container_filetrans_named_content',`
     files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
+    files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")
 
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
@@ -535,6 +537,7 @@ interface(`container_filetrans_named_content',`
     #  workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
@@ -560,6 +563,8 @@ interface(`container_filetrans_named_content',`
     # Third-party snapshotters
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
 
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
@@ -572,7 +577,7 @@ interface(`container_filetrans_named_content',`
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
     filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
-    files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+    files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
 
 ########################################
@@ -997,7 +1002,6 @@ interface(`container_kubelet_domtrans',`
 interface(`container_kubelet_run',`
 	gen_require(`
 		type kubelet_t;
-		class dbus send_msg;
 	')
 
 	container_kubelet_domtrans($1)

container.te

@@ -1,7 +1,8 @@
-policy_module(container, 2.205.0)
+policy_module(container, 2.238.0)
 
 gen_require(`
 	class passwd rootok;
+	type system_conf_t;
 ')
 
 ########################################
@@ -17,6 +18,20 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)
 
+## <desc>
+##  <p>
+##  Allow all container domains to read cert files and directories
+##  </p>
+## </desc>
+gen_tunable(container_read_certs, false)
+
+## <desc>
+##  <p>
+##  Determine whether sshd can launch container engines
+##  </p>
+## </desc>
+gen_tunable(sshd_launch_containers, false)
+
 ## <desc>
 ##  <p>
 ##  Allow containers to use any device volume mounted into container
@@ -24,6 +39,20 @@ gen_tunable(container_connect_any, false)
 ## </desc>
 gen_tunable(container_use_devices, false)
 
+## <desc>
+##  <p>
+##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
+##  </p>
+## </desc>
+gen_tunable(container_use_xserver_devices, false)
+
+## <desc>
+##  <p>
+##  Allow containers to use any dri device volume mounted into container
+##  </p>
+## </desc>
+gen_tunable(container_use_dri_devices, true)
+
 ## <desc>
 ## <p>
 ## Allow sandbox containers to manage cgroup (systemd)
@@ -74,10 +103,9 @@ ifdef(`enable_mls',`
 	range_transition container_runtime_t conmon_exec_t:process s0;
 ')
 
-type spc_t, container_domain;
+type spc_t;
 domain_type(spc_t)
 role system_r types spc_t;
-init_initrc_domain(spc_t)
 
 type container_auth_t alias docker_auth_t;
 type container_auth_exec_t alias docker_auth_exec_t;
@@ -123,7 +151,9 @@ type container_devpts_t alias docker_devpts_t;
 term_pty(container_devpts_t)
 
 typealias container_ro_file_t alias { container_share_t docker_share_t };
+typeattribute container_ro_file_t container_file_type, user_home_type;
 files_mountpoint(container_ro_file_t)
+userdom_user_home_content(container_ro_file_t)
 
 type container_port_t alias docker_port_t;
 corenet_port(container_port_t)
@@ -162,6 +192,7 @@ allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
 allow container_runtime_domain self:udp_socket create_socket_perms;
 allow container_runtime_domain self:capability2 block_suspend;
 allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain port_t:icmp_socket name_bind;
 allow container_runtime_domain self:filesystem associate;
 allow container_runtime_domain self:packet_socket create_socket_perms;
 allow container_runtime_domain self:socket create_socket_perms;
@@ -198,19 +229,24 @@ manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t
 manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
 userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
 userdom_manage_user_home_content(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)
 
 manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
 manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
-files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")
 
 manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
+files_manage_generic_locks(container_runtime_domain)
 
 manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+
+logging_read_syslog_pid(container_runtime_domain)
 logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
+
 allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
 allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
@@ -236,8 +272,23 @@ manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, containe
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
 can_exec(container_runtime_domain, container_ro_file_t)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
@@ -255,6 +306,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")
 
 manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
@@ -263,17 +315,30 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
 term_use_all_ttys(container_runtime_domain)
 term_use_all_inherited_terms(container_runtime_domain)
 
+mls_file_read_to_clearance(container_runtime_t)
+mls_file_relabel_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+mls_process_read_to_clearance(container_runtime_t)
+mls_process_write_to_clearance(container_runtime_t)
+mls_socket_read_to_clearance(container_runtime_t)
+mls_socket_write_to_clearance(container_runtime_t)
+mls_sysvipc_read_to_clearance(container_runtime_t)
+mls_sysvipc_write_to_clearance(container_runtime_t)
+
 kernel_read_network_state(container_runtime_domain)
 kernel_read_all_sysctls(container_runtime_domain)
 kernel_rw_net_sysctls(container_runtime_domain)
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
 
 domain_obj_id_change_exemption(container_runtime_t)
 domain_subj_id_change_exemption(container_runtime_t)
@@ -287,6 +352,8 @@ domain_getattr_all_domains(container_runtime_domain)
 
 userdom_map_tmp_files(container_runtime_domain)
 
+anaconda_domtrans_install(container_runtime_domain)
+
 optional_policy(`
 	gnome_map_generic_data_home_files(container_runtime_domain)
 	allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
@@ -381,7 +448,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	iptables_domtrans(container_runtime_domain)
+	gen_require(`
+		role unconfined_r;
+	')
+	iptables_run(container_runtime_domain, unconfined_r)
 
 	container_read_pid_files(iptables_t)
 	container_read_state(iptables_t)
@@ -449,33 +519,38 @@ dev_rw_loop_control(container_runtime_domain)
 dev_rw_lvm_control(container_runtime_domain)
 dev_read_mtrr(container_runtime_domain)
 
+userdom_map_user_home_files(container_runtime_t)
+
 files_getattr_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_files(container_runtime_domain)
 files_manage_isid_type_symlinks(container_runtime_domain)
 files_manage_isid_type_chr_files(container_runtime_domain)
 files_manage_isid_type_blk_files(container_runtime_domain)
+files_manage_etc_dirs(container_runtime_domain)
+files_manage_etc_files(container_runtime_domain)
 files_exec_isid_files(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 files_mounton_non_security(container_runtime_domain)
 files_mounton_isid_type_chr_file(container_runtime_domain)
 
-fs_mount_all_fs(container_runtime_domain)
-fs_unmount_all_fs(container_runtime_domain)
-fs_remount_all_fs(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_cgroup_dirs(container_runtime_domain)
 fs_manage_cgroup_files(container_runtime_domain)
-fs_rw_nsfs_files(container_runtime_domain)
-fs_relabelfrom_xattr_fs(container_runtime_domain)
-fs_relabelfrom_tmpfs(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_getattr_all_fs(container_runtime_domain)
-fs_rw_inherited_tmpfs_files(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_search_tmpfs(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_mount_all_fs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_set_xattr_fs_quotas(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
 
 
 term_use_generic_ptys(container_runtime_domain)
@@ -509,7 +584,6 @@ tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_symlinks(container_runtime_domain)
 	fs_remount_nfs(container_runtime_domain)
 	fs_mount_nfs(container_runtime_domain)
-	fs_unmount_nfs(container_runtime_domain)
 	fs_exec_nfs_files(container_runtime_domain)
 	kernel_rw_fs_sysctls(container_runtime_domain)
 	allow container_runtime_domain nfs_t:file execmod;
@@ -554,6 +628,10 @@ tunable_policy(`container_use_cephfs',`
 	allow container_domain cephfs_t:file execmod;
 ')
 
+tunable_policy(`container_read_certs',`
+	miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
 	type ecryptfs_t;
 ')
@@ -571,22 +649,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
 fs_manage_fusefs_files(container_runtime_domain)
 fs_manage_fusefs_symlinks(container_runtime_domain)
 fs_mount_fusefs(container_runtime_domain)
-fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
 
-
-optional_policy(`
-    files_search_all(container_domain)
-    container_read_share_files(container_domain)
-    container_exec_share_files(container_domain)
-    allow container_domain container_ro_file_t:file execmod;
-    container_lib_filetrans(container_domain,container_file_t, sock_file)
-    container_use_ptys(container_domain)
-    container_spc_stream_connect(container_domain)
-    fs_dontaudit_remount_tmpfs(container_domain)
-    dev_dontaudit_mounton_sysfs(container_domain)
-')
+files_search_all(container_domain)
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
 
 optional_policy(`
 	apache_exec_modules(container_runtime_domain)
@@ -640,12 +712,12 @@ optional_policy(`
 		role unconfined_r;
 	')
 	role unconfined_r types container_user_domain;
+	role unconfined_r types spc_t;
 	unconfined_domain(container_runtime_t)
 	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
-	role_transition unconfined_r container_runtime_exec_t system_r;
 	allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
 	allow container_runtime_domain unconfined_t:fifo_file setattr;
-	allow unconfined_domain_type container_domain:process {transition dyntransition };
+	allow unconfined_domain_type container_domain:process {transition dyntransition};
 	allow unconfined_t unlabeled_t:key manage_key_perms;
 	allow container_runtime_t unconfined_t:process transition;
 	allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
@@ -684,33 +756,44 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
+dontaudit spc_t self:memprotect mmap_zero;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
 
-allow container_runtime_domain spc_t:process2 nnp_transition;
+allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
+allow spc_t container_file_type:file execmod;
+
 admin_pattern(spc_t, kubernetes_file_t)
 
 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;
 
-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
 allow spc_t unlabeled_t:key manage_key_perms;
 allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+fs_fusefs_entrypoint(spc_t)
+corecmd_entrypoint_all_executables(spc_t)
 
 init_dbus_chat(spc_t)
 
 optional_policy(`
 	systemd_dbus_chat_machined(spc_t)
 	systemd_dbus_chat_logind(spc_t)
+	systemd_dbus_chat_timedated(spc_t)
+	systemd_dbus_chat_localed(spc_t)
 ')
 
+domain_transition_all(spc_t)
+
+anaconda_domtrans_install(spc_t)
+
 optional_policy(`
 	dbus_chat_system_bus(spc_t)
 	dbus_chat_session_bus(spc_t)
@@ -723,6 +806,11 @@ optional_policy(`
 	# This should eventually be in upstream policy.
 	# https://github.com/fedora-selinux/selinux-policy/pull/806
 	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+	allow daemon spc_t:dbus send_msg;
+')
+
+optional_policy(`
+	rtkit_scheduled(spc_t)
 ')
 
 optional_policy(`
@@ -736,7 +824,10 @@ optional_policy(`
 	gen_require(`
 		attribute virt_domain;
 		type virtd_t;
+		role unconfined_r;
 	')
+	role unconfined_r types virt_domain;
+	role unconfined_r types virtd_t;
 	container_spc_read_state(virt_domain)
 	container_spc_rw_pipes(virt_domain)
 	allow container_runtime_t virtd_t:process transition;
@@ -806,10 +897,10 @@ gen_require(`
 ')
 container_manage_files_template(container, container)
 
-typeattribute container_file_t container_file_type;
+typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;
@@ -828,6 +919,7 @@ dontaudit container_domain self:dir { write add_name };
 allow container_domain self:file rw_file_perms;
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@@ -847,28 +939,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
 dontaudit container_domain self:capability2  block_suspend ;
 allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
-fs_fusefs_entrypoint(container_domain)
-
+fs_fusefs_entrypoint(spc_t)
 
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
 container_use_ptys(container_domain)
 container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
+
 dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
-fs_mount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+dev_getattr_mtrr_dev(container_domain)
+dev_list_sysfs(container_domain)
+dev_mounton_sysfs(container_t)
+dev_read_mtrr(container_domain)
+dev_read_rand(container_domain)
+dev_read_sysfs(container_domain)
+dev_read_urand(container_domain)
+dev_rw_inherited_dri(container_domain)
+dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
+dev_write_rand(container_domain)
+dev_write_urand(container_domain)
+allow container_domain sysfs_t:dir watch;
 
 dontaudit container_domain container_runtime_tmpfs_t:dir read;
 allow container_domain container_runtime_tmpfs_t:dir mounton;
-
-dev_getattr_mtrr_dev(container_domain)
-dev_list_sysfs(container_domain)
-allow container_domain sysfs_t:dir watch;
-
-dev_rw_kvm(container_domain)
-dev_rwx_zero(container_domain)
+can_exec(container_domain, container_runtime_tmpfs_t)
 
 allow container_domain self:key manage_key_perms;
 dontaudit container_domain container_domain:key search;
@@ -884,10 +981,11 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow container_domain self:passwd rootok;
 allow container_domain self:filesystem associate;
 allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_mounton_all_proc(container_domain)
 kernel_read_all_sysctls(container_domain)
 kernel_dontaudit_write_kernel_sysctl(container_domain)
 kernel_read_network_state(container_domain)
@@ -901,16 +999,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
 kernel_read_irq_sysctls(container_domain)
 kernel_get_sysvipc_info(container_domain)
 
-fs_getattr_all_fs(container_domain)
-fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_tmpfs_symlinks(container_domain)
-fs_search_tmpfs(container_domain)
-fs_list_hugetlbfs(container_domain)
-fs_manage_hugetlbfs_files(container_domain)
-fs_exec_hugetlbfs_files(container_domain)
 fs_dontaudit_getattr_all_dirs(container_domain)
 fs_dontaudit_getattr_all_files(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_fusefs_entrypoint(container_domain)
+fs_getattr_all_fs(container_domain)
+fs_list_cgroup_dirs(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_bpf_files(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mount_tmpfs(container_domain)
+fs_unmount_tmpfs(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_mounton_cgroup(container_domain)
+fs_mounton_fusefs(container_domain)
+fs_read_cgroup_files(container_domain)
 fs_read_nsfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_rw_onload_sockets(container_domain)
+fs_search_tmpfs(container_domain)
+fs_unmount_cgroup(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_unmount_nsfs(container_domain)
+fs_unmount_xattr_fs(container_domain)
 
 term_use_all_inherited_terms(container_domain)
 
@@ -934,18 +1058,6 @@ gen_require(`
 	type cgroup_t;
 ')
 
-dev_read_sysfs(container_domain)
-dev_read_mtrr(container_domain)
-dev_mounton_sysfs(container_t)
-
-fs_mounton_cgroup(container_t)
-fs_unmount_cgroup(container_t)
-
-dev_read_rand(container_domain)
-dev_write_rand(container_domain)
-dev_read_urand(container_domain)
-dev_write_urand(container_domain)
-
 files_read_kernel_modules(container_domain)
 
 allow container_file_t cgroup_t:filesystem associate;
@@ -991,7 +1103,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
 
-
+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1001,9 +1113,6 @@ gen_require(`
 ')
 dontaudit container_domain usermodehelper_t:file write;
 
-fs_read_cgroup_files(container_domain)
-fs_list_cgroup_dirs(container_domain)
-
 sysnet_read_config(container_domain)
 
 allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@@ -1031,20 +1140,6 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_manage_fusefs_dirs(container_domain)
-fs_manage_fusefs_files(container_domain)
-fs_manage_fusefs_symlinks(container_domain)
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_exec_fusefs_files(container_domain)
-fs_mount_xattr_fs(container_domain)
-fs_unmount_xattr_fs(container_domain)
-fs_remount_xattr_fs(container_domain)
-fs_mount_fusefs(container_domain)
-fs_unmount_fusefs(container_domain)
-fs_mounton_fusefs(container_domain)
 storage_rw_fuse(container_domain)
 allow container_domain fusefs_t:file { mounton execmod };
 allow container_domain fusefs_t:filesystem remount;
@@ -1119,6 +1214,7 @@ dev_mount_sysfs_fs(container_userns_t)
 dev_mounton_sysfs(container_userns_t)
 
 fs_mount_tmpfs(container_userns_t)
+fs_unmount_tmpfs(container_userns_t)
 fs_relabelfrom_tmpfs(container_userns_t)
 fs_remount_cgroup(container_userns_t)
 
@@ -1163,6 +1259,7 @@ logging_read_all_logs(container_logreader_t)
 allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
+allow container_logreader_t container_log_t:file watch;
 
 # Container Logwriter
 container_domain_template(container_logwriter, container)
@@ -1172,6 +1269,7 @@ manage_files_pattern(container_logwriter_t, logfile, logfile)
 manage_dirs_pattern(container_logwriter_t, logfile, logfile)
 manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
 logging_manage_audit_log(container_logwriter_t)
+allow container_logwriter_t container_log_t:file watch;
 
 optional_policy(`
 	gen_require(`
@@ -1180,6 +1278,8 @@ optional_policy(`
 		attribute userdomain;
 	')
 
+	allow userdomain container_domain:process transition;
+
 	can_exec(userdomain, container_runtime_exec_t)
 	container_manage_files(userdomain)
 	container_manage_share_dirs(userdomain)
@@ -1272,6 +1372,7 @@ logging_send_syslog_msg(container_kvm_t)
 optional_policy(`
 	qemu_entry_type(container_kvm_t)
 	qemu_exec(container_kvm_t)
+	allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 ')
 
 manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
@@ -1308,8 +1409,17 @@ optional_policy(`
 ')
 
 tunable_policy(`container_use_devices',`
-	allow container_domain device_node:chr_file rw_chr_file_perms;
-	allow container_domain device_node:blk_file rw_blk_file_perms;
+	allow container_domain device_node:chr_file {rw_chr_file_perms map};
+	allow container_domain device_node:blk_file {rw_blk_file_perms map};
+')
+
+tunable_policy(`container_use_xserver_devices',`
+	dev_getattr_xserver_misc_dev(container_t)
+	dev_rw_xserver_misc(container_t)
+')
+
+tunable_policy(`container_use_dri_devices',`
+	dev_rw_dri(container_domain)
 ')
 
 tunable_policy(`virt_sandbox_use_sys_admin',`
@@ -1328,19 +1438,44 @@ fs_mounton_cgroup(container_engine_t)
 fs_unmount_cgroup(container_engine_t)
 fs_manage_cgroup_dirs(container_engine_t)
 fs_manage_cgroup_files(container_engine_t)
-fs_mount_tmpfs(container_engine_t)
 fs_write_cgroup_files(container_engine_t)
-
-allow container_engine_t proc_t:file mounton;
-allow container_engine_t sysctl_t:file mounton;
-allow container_engine_t sysfs_t:filesystem remount;
-
+fs_remount_cgroup(container_engine_t)
+fs_mount_all_fs(container_engine_t)
+fs_remount_all_fs(container_engine_t)
+fs_unmount_all_fs(container_engine_t)
+kernel_mounton_all_sysctls(container_engine_t)
 kernel_mount_proc(container_engine_t)
-kernel_mounton_core_if(container_engine_t)
 kernel_mounton_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
-
 term_mount_pty_fs(container_engine_t)
+term_use_generic_ptys(container_engine_t)
+
+allow container_engine_t container_file_t:chr_file mounton;
+allow container_engine_t filesystem_type:{dir file} mounton;
+allow container_engine_t proc_kcore_t:file mounton;
+allow container_engine_t proc_t:filesystem remount;
+allow container_engine_t sysctl_t:{dir file} mounton;
+allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
+allow container_engine_t fusefs_t:file relabelto;
+allow container_engine_t kernel_t:system module_request;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
+allow container_engine_t random_device_t:chr_file mounton;
+allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t urandom_device_t:chr_file mounton;
+allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
+allow container_engine_t devpts_t:chr_file setattr;
+
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
+
+optional_policy(`
+	gen_require(`
+		type devtty_t;
+	')
+	allow container_engine_t devtty_t:chr_file mounton;
+')
 
 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@@ -1353,12 +1488,24 @@ optional_policy(`
 	unconfined_domain(kubelet_t)
 ')
 
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 
 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;
 
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
 ')
@@ -1376,7 +1523,6 @@ optional_policy(`
 	gen_require(`
 		type sysadm_t;
 		role sysadm_r;
-		attribute userdomain;
 		role unconfined_r;
 	')
 
@@ -1393,9 +1539,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
 container_domain_template(container_device_plugin, container)
+typeattribute container_device_plugin_t container_net_domain;
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
+kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t,  kubelet_var_lib_t, kubelet_t)
 
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
@@ -1411,7 +1560,7 @@ optional_policy(`
 		type syslogd_t;
 	')
 
-	allow syslogd_t container_runtime_tmpfs_t:file { read write };
+	allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
 	logging_send_syslog_msg(container_runtime_t)
 ')
 
@@ -1422,3 +1571,63 @@ manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_
 manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
 manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
 manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+
+tunable_policy(`sshd_launch_containers',`
+	gen_require(`
+		type sshd_t;
+		type systemd_logind_t;
+		type iptables_var_run_t;
+	')
+
+	container_runtime_domtrans(sshd_t)
+	dontaudit systemd_logind_t iptables_var_run_t:dir read;
+')
+
+role container_user_r;
+userdom_restricted_user_template(container_user)
+userdom_manage_home_role(container_user_r, container_user_t)
+
+allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
+
+role container_user_r types container_domain;
+role container_user_r types container_user_domain;
+role container_user_r types container_net_domain;
+role container_user_r types container_file_type;
+container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)
+
+fs_manage_cgroup_dirs(container_user_t)
+fs_manage_cgroup_files(container_user_t)
+
+selinux_compute_access_vector(container_user_t)
+systemd_dbus_chat_hostnamed(container_user_t)
+systemd_start_systemd_services(container_user_t)
+
+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;
+
+allow container_domain container_file_t:file entrypoint;
+allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
+allow container_domain container_var_lib_t:file entrypoint;
+allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
+
+allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
+
+corecmd_entrypoint_all_executables(container_kvm_t)
+allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
+allow svirt_sandbox_domain mountpoint:file entrypoint;
+
+tunable_policy(`deny_ptrace',`',`
+	allow container_domain self:process ptrace;
+	allow spc_t self:process ptrace;
+')
+
+# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
+# https://issues.redhat.com/browse/RHEL-91380
+files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")

container_selinux.8

@@ -1,4 +1,4 @@
-.TH  "container_selinux"  "8"  "22-12-13" "container" "SELinux Policy container"
+.TH  "container_selinux"  "8"  "25-03-11" "container" "SELinux Policy container"
 .SH "NAME"
 container_selinux \- Security Enhanced Linux Policy for the container processes
 .SH "DESCRIPTION"
@@ -23,7 +23,7 @@ SELinux container policy is very flexible allowing users to setup their containe
 The following process types are defined for container:
 
 .EX
-.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_t
+.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_user_t, container_t
 .EE
 .PP
 Note:
@@ -39,6 +39,14 @@ For example one process might be launched with container_t:s0:c1,c2, and another
 SELinux policy is customizable based on least access required.  container policy is extremely flexible and has several booleans that allow you to manipulate the policy and run container with the tightest access possible.
 
 
+.PP
+If you want to allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration, you must turn on the container_use_xserver_devices boolean. Disabled by default.
+
+.EX
+.B setsebool -P container_use_xserver_devices 1
+
+.EE
+
 .PP
 If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Disabled by default.
 
@@ -102,6 +110,12 @@ The following port types are defined for container:
 
 The SELinux process type container_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 
+.br
+.B bpf_t
+
+	/sys/fs/bpf
+.br
+
 .br
 .B cifs_t
 
@@ -122,16 +136,24 @@ The SELinux process type container_t can manage files labeled with the following
 	/var/srv/containers(/.*)?
 .br
 	/var/lib/containerd/[^/]*/snapshots(/.*)?
-.br
-	/var/lib/kubelet/pods(/.*)?
 .br
 	/var/lib/kubernetes/pods(/.*)?
+.br
+	/opt/local-path-provisioner(/.*)?
+.br
+	/var/local-path-provisioner(/.*)?
 .br
 	/var/lib/containers/storage/volumes/[^/]*/.*
 .br
 	/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
 .br
-	/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+
+.br
+.B ecryptfs_t
+
+	/home/[^/]+/\.Private(/.*)?
+.br
+	/home/[^/]+/\.ecryptfs(/.*)?
 .br
 
 .br
@@ -141,9 +163,7 @@ The SELinux process type container_t can manage files labeled with the following
 .br
 .B fusefs_t
 
-	/var/run/user/[0-9]+/gvfs
-.br
-	/var/run/user/4003/gvfs
+	/run/user/[0-9]+/gvfs
 .br
 
 .br
@@ -154,38 +174,6 @@ The SELinux process type container_t can manage files labeled with the following
 	/usr/lib/udev/devices/hugepages
 .br
 
-.br
-.B initrc_tmp_t
-
-
-.br
-.B mnt_t
-
-	/mnt(/[^/]*)?
-.br
-	/mnt(/[^/]*)?
-.br
-	/rhev(/[^/]*)?
-.br
-	/rhev/[^/]*/.*
-.br
-	/media(/[^/]*)?
-.br
-	/media(/[^/]*)?
-.br
-	/media/\.hal-.*
-.br
-	/var/run/media(/[^/]*)?
-.br
-	/afs
-.br
-	/net
-.br
-	/misc
-.br
-	/rhev
-.br
-
 .br
 .B nfs_t
 
@@ -209,40 +197,6 @@ The SELinux process type container_t can manage files labeled with the following
 .br
 	/home/[^/]+/\.local/share/gnome-boxes/images(/.*)?
 .br
-	/home/selinuxuser/\.libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.cache/libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.config/libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.local/share/libvirt/boot(/.*)?
-.br
-	/home/selinuxuser/\.local/share/libvirt/images(/.*)?
-.br
-	/home/selinuxuser/\.local/share/gnome-boxes/images(/.*)?
-.br
-
-.br
-.B tmp_t
-
-	/sandbox(/.*)?
-.br
-	/tmp
-.br
-	/usr/tmp
-.br
-	/var/tmp
-.br
-	/var/tmp
-.br
-	/tmp-inst
-.br
-	/var/tmp-inst
-.br
-	/var/tmp/tmp-inst
-.br
-	/var/tmp/vi\.recover
-.br
 
 .SH FILE CONTEXTS
 SELinux requires files to have an extended attribute to define the file type.
@@ -288,14 +242,6 @@ container policy stores data with multiple different file context types under th
 .B restorecon -R -v /srv/docker
 .PP
 
-.PP
-container policy stores data with multiple different file context types under the /var/lib/kubelet directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/lib/kubelet /srv/kubelet
-.br
-.B restorecon -R -v /srv/kubelet
-.PP
-
 .PP
 container policy stores data with multiple different file context types under the /var/lib/nerdctl directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
 .PP
@@ -312,29 +258,13 @@ container policy stores data with multiple different file context types under th
 .B restorecon -R -v /srv/ocid
 .PP
 
-.PP
-container policy stores data with multiple different file context types under the /var/run/containerd directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/run/containerd /srv/containerd
-.br
-.B restorecon -R -v /srv/containerd
-.PP
-
-.PP
-container policy stores data with multiple different file context types under the /var/run/docker directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/run/docker /srv/docker
-.br
-.B restorecon -R -v /srv/docker
-.PP
-
 .PP
 .B STANDARD FILE CONTEXT
 
 SELinux defines the file context types for the container, if you wanted to
-store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
+store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
 
-.B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?'
+.B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
 .br
 .B restorecon -R -v /srv/mycontainer_content
 
@@ -377,7 +307,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubelet/pods(/.*)?, /var/lib/kubernetes/pods(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*, /home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubernetes/pods(/.*)?, /opt/local-path-provisioner(/.*)?, /var/local-path-provisioner(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
 
 .EX
 .PP
@@ -413,7 +343,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log
+/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/log/kube-apiserver(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log
 
 .EX
 .PP
@@ -433,7 +363,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-layers(/.*)?
+/var/lib/shared(/.*)?, /var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/artifacts(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/ramalama(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/artifacts(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?
 
 .EX
 .PP
@@ -445,7 +375,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
+/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/buildah, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
 
 .EX
 .PP
@@ -485,7 +415,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/lib/docker-latest(/.*)?
+/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/crio(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/cache/containers(/.*)?, /var/lib/docker-latest(/.*)?
 
 .EX
 .PP
@@ -497,7 +427,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/flannel(/.*)?, /var/run/buildkit(/.*)?, /var/run/containerd(/.*)?, /var/run/containers(/.*)?, /var/run/docker-client(/.*)?, /var/run/docker\.pid, /var/run/docker\.sock
+/run/crio(/.*)?, /run/docker(/.*)?, /run/flannel(/.*)?, /run/buildkit(/.*)?, /run/containerd(/.*)?, /run/containers(/.*)?, /run/docker-client(/.*)?, /run/docker\.pid, /run/docker\.sock
 
 .PP
 Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -531,4 +461,4 @@ This manual page was auto-generated using
 .B "sepolicy manpage".
 
 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)

container_u

@@ -0,0 +1,8 @@
+system_r:init_t:s0		container_user_r:container_user_t:s0
+system_r:local_login_t:s0	container_user_r:container_user_t:s0
+system_r:remote_login_t:s0	container_user_r:container_user_t:s0
+system_r:sshd_t:s0		container_user_r:container_user_t:s0
+system_r:cockpit_session_t:s0	container_user_r:container_user_t:s0
+system_r:crond_t:s0		container_user_r:container_user_t:s0 container_user_r:cronjob_t:s0
+system_r:xdm_t:s0		container_user_r:container_user_t:s0
+

plans/main.fmf

@@ -0,0 +1,20 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+prepare:
+    - when: distro == centos-stream or distro == rhel
+      how: shell
+      script: |
+        dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm
+        dnf -y config-manager --set-enabled epel
+      order: 10
+    - when: initiator == packit
+      how: shell
+      script: |
+        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+        if compgen -G $COPR_REPO_FILE > /dev/null; then
+            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+        fi
+        dnf -y upgrade --allowerasing
+      order: 20

rpm/container-selinux.spec

@@ -1,13 +1,7 @@
-# For automatic rebuilds in COPR
-
-# The following tag is to get correct syntax highlighting for this file in vim text editor
-# vim: syntax=spec
-
 %global debug_package %{nil}
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
 
@@ -16,15 +10,37 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
-Name: {{{ git_dir_name }}}
-Epoch: 101
-Version: {{{ git_dir_version }}}
-Release: 1%{?dist}
-License: GPLv2
-URL: https://github.com/containers/container-selinux
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
+
+# https://github.com/containers/container-selinux/issues/203
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
+%define no_user_namespace 1
+%endif
+
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+
+Name: container-selinux
+# Set different Epochs for copr and koji
+%if %{defined copr_build}
+Epoch: 102
+%else
+Epoch: 4
+%endif
+# Keep Version in upstream specfile at 0. It will be automatically set
+# to the correct value by Packit for copr and koji builds.
+# IGNORE this comment if you're looking at it in dist-git.
+Version: 0
+Release: %autorelease
+License: GPL-2.0-only
+URL: https://github.com/containers/%{name}
 Summary: SELinux policies for container runtimes
-VCS: {{{ git_dir_vcs }}}
-Source: {{{ git_dir_pack }}}
+Source0: %{url}/archive/v%{version}.tar.gz
 BuildArch: noarch
 BuildRequires: make
 BuildRequires: git-core
@@ -34,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -48,21 +65,17 @@ Conflicts: k3s-selinux <= 0.4-1
 SELinux policy modules for use with container runtimes.
 
 %prep
-{{{ git_dir_setup_macro }}}
+%autosetup -Sgit %{name}-%{version}
 
-# Remove some lines for RHEL 8 build
-%if ! 0%{?fedora} && 0%{?rhel} <= 8
-sed -i 's/watch watch_reads//' container.if
-sed -i '/sysfs_t:dir watch/d' container.te
-sed -i '/systemd_chat_resolved/d' container.te
+sed -i 's/^man: install-policy/man:/' Makefile
+sed -i 's/^install: man/install:/' Makefile
+
+%if %{defined no_user_namespace}
+sed -i '/user_namespace/d' container.te
 %endif
 
-sed -i 's/man: install-policy/man:/' Makefile
-sed -i 's/install: man/install:/' Makefile
-
-# https://github.com/containers/container-selinux/issues/203
-%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9
-sed -i '/user_namespace/d' container.te
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
 %endif
 
 %build
@@ -71,12 +84,10 @@ make
 %install
 # install policy modules
 %_format MODULES $x.pp.bz2
-%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates
-
-%check
+%{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
 
 %pre
-%selinux_relabel_pre -s %{selinuxtype}
+%selinux_relabel_pre
 
 %post
 # Install all modules in a single transaction
@@ -84,21 +95,24 @@ if [ $1 -eq 1 ]; then
    %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
 %postun
 if [ $1 -eq 0 ]; then
-   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+   %selinux_modules_uninstall %{modulenames} docker
 fi
 
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
+%selinux_relabel_post
+
+# Empty placeholder check to silence rpmlint
+%check
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -106,11 +120,16 @@ fi
 %files
 %doc README.md
 %{_datadir}/selinux/*
-%{_mandir}/man8/*
 %dir %{_datadir}/containers/selinux
 %{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then
@@ -119,4 +138,4 @@ if %{_sbindir}/selinuxenabled ; then
 fi
 
 %changelog
-{{{ git_dir_changelog }}}
+%autochangelog

rpm/gating.yaml

@@ -0,0 +1,14 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []

test/main.fmf

@@ -0,0 +1,17 @@
+require:
+    - attr
+    - bats
+    - container-selinux
+    - podman-tests
+    - policycoreutils
+
+/basic_check:
+    summary: Run basic checks
+    test: |
+        semodule --list=full | grep container
+        semodule -B
+        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+/podman_system_test:
+    summary: Run SELinux specific Podman system tests
+    test: bash ./podman-tests.sh

test/podman-tests.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
+
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats