Don't allow containers by default setexec setfscreate

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Containers need to use hsa devices for ROCM
2025-07-14 14:36:28 -04:00 · 2025-07-03 08:43:18 -04:00 · 2025-05-30 16:00:49 +00:00 · 2025-05-30 11:43:54 -04:00 · 2025-05-30 11:42:45 -04:00 · 2025-05-30 16:14:40 +02:00
17 changed files with 550 additions and 418 deletions
--- a/.packit.sh
+++ b/.packit.sh
@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-
-# Packit's default fix-spec-file often doesn't fetch version string correctly.
-# This script handles any custom processing of the dist-git spec file and gets used by the
-# fix-spec-file action in .packit.yaml
-
-set -eo pipefail
-
-# Set path to rpm spec file
-SPEC_FILE=rpm/container-selinux.spec
-
-# Get Version from HEAD
-HEAD_VERSION=$(grep '^policy_module' container.te | sed 's/[^0-9.]//g')
-
-# Generate source tarball
-git archive --prefix=container-selinux-$HEAD_VERSION/ -o rpm/container-selinux-$HEAD_VERSION.tar.gz HEAD
-
-# RPM Spec modifications
-
-# Update Version in spec with Version from container.te
-sed -i "s/^Version:.*/Version: $HEAD_VERSION/" $SPEC_FILE
-
-# Update Release in spec with Packit's release envvar
-sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" $SPEC_FILE
-
-# Update Source tarball name in spec
-sed -i "s/^Source0:.*.tar.gz/Source0: %{name}-$HEAD_VERSION.tar.gz/" $SPEC_FILE
--- a/.packit.yaml
+++ b/.packit.yaml
@ -2,85 +2,132 @@
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/

-# Build targets can be found at:
-# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
-
-specfile_path: rpm/container-selinux.spec
+downstream_package_name: container-selinux
 upstream_tag_template: v{version}

-jobs:
-  - &copr
-    job: copr_build
-    # Run on every PR
-    trigger: pull_request
-    owner: rhcontainerbot
-    project: packit-builds
-    enable_net: true
-    # x86_64 is assumed by default
-    # container-selinux is noarch so we only need to test on one arch
-    targets: &pr_copr_targets
-      - fedora-rawhide
-      - fedora-38
-      - fedora-37
-      - centos-stream-9
-      - centos-stream-8
-    srpm_build_deps:
-      - make
-      - rpkg
-    actions:
-      fix-spec-file:
-        - bash .packit.sh
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+    mkpath: true
+  - src: test/
+    dest: test/
+    delete: true
+    mkpath: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml

-  - <<: *copr
-    # Run on commit to main branch
-    trigger: commit
-    branch: main
-    project: podman-next
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-eln:
+    specfile_path: rpm/container-selinux.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    enable_net: true
+    # container-selinux is noarch so we only need to test on one arch
+    targets: &fedora_copr_targets
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
    targets:
-      - fedora-rawhide-aarch64
-      - fedora-rawhide-ppc64le
-      - fedora-rawhide-s390x
-      - fedora-rawhide-x86_64
-      - fedora-38-aarch64
-      - fedora-38-ppc64le
-      - fedora-38-s390x
-      - fedora-38-x86_64
-      - fedora-37-aarch64
-      - fedora-37-ppc64le
-      - fedora-37-s390x
-      - fedora-37-x86_64
-      - centos-stream+epel-next-9-aarch64
-      - centos-stream+epel-next-9-ppc64le
-      - centos-stream+epel-next-9-s390x
-      - centos-stream+epel-next-9-x86_64
+      - fedora-eln-x86_64
+      - fedora-eln-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_copr_targets
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+
+  # Run on commit to main branch
+  # Build targets managed in copr settings
+  - job: copr_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true

  # All tests specified in the `/plans/` subdir
-  # FIXME: uncomment e2e tests after disk space issues resolved on testing farm
-  #- job: tests
-  #  trigger: pull_request
-  #  targets: *test_targets
-  #  identifier: podman_e2e_test
-  #  tmt_plan: "/plans/podman_e2e_test"
-
+  # Tests for Fedora
  - job: tests
    trigger: pull_request
-    # arch assumed to be x86_64 by default.
-    targets: *pr_copr_targets
-    identifier: podman_system_test
-    tmt_plan: "/plans/podman_system_test"
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
+      failure_comment:
+        message: "Tests failed. @containers/packit-build please check."
+    targets: *fedora_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for CentOS Stream
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *test_failure_notification
+    targets: *centos_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo

  - job: propose_downstream
    trigger: release
-    update_release: false
-    dist_git_branches:
+    packages: [container-selinux-fedora]
+    dist_git_branches: &fedora_targets
      - fedora-all

+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
  - job: koji_build
    trigger: commit
-    dist_git_branches:
-      - fedora-all
+    packages: [container-selinux-fedora]
+    dist_git_branches: *fedora_targets

  - job: bodhi_update
    trigger: commit
+    packages: [container-selinux-fedora]
    dist_git_branches:
      - fedora-branched # rawhide updates are created automatically
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+approvers:
+  - haircommander   
+  - lsm5
+  - rhatdan
+  - wrabcak
+  - zpytela
--- a/README.md
+++ b/README.md
@ -8,7 +8,7 @@ Explains `container_t` vs `container_var_lib_t`
 **[`container_t` versus `svirt_lxc_net_t`](https://danwalsh.livejournal.com/79191.html)**  
 Clarifys `container_t` versus `svirt_lxc_net_t` aliases

-**[SELinux, Podman, and Libvert](https://danwalsh.livejournal.com/81143.html)**  
+**[SELinux, Podman, and Libvirt](https://danwalsh.livejournal.com/81143.html)**  
 Information regarding SELinux blocking Podman container from talking to Libvirt

 **[Caution Relabeling Volumes with Container Runtimes](https://danwalsh.livejournal.com/76016.html)**  
--- a/container.fc
+++ b/container.fc
@ -9,14 +9,19 @@
 /usr/local/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubenswrapper.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubenswrapper.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/kubensenter.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubensenter.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildah		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

-/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
@ -87,6 +92,8 @@
 # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
 /var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)

+HOME_DIR/\.local/share/ramalama(/.*)?		 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/artifacts(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
@ -104,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/atomic(/.*)?	<<none>>
 /var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/artifacts(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
@ -112,10 +120,12 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/cache/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)

-/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)

 /var/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /opt/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
@ -124,6 +134,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)

 /var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pod-resources(/.*)?	gen_context(system_u:object_r:kubelet_var_lib_t,s0)
 /var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
@ -134,27 +145,28 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)

 /var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/crio(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
+/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
 /var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)

-/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)

 /srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)

-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+/run/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)

+/var/log/kube-apiserver(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /etc/kubernetes(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)
--- a/container.if
+++ b/container.if
@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
    files_pid_filetrans($1, container_var_run_t, dir, "containers")
    files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")

+    logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
    logging_log_filetrans($1, container_log_t, dir, "lxc")
    files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
    files_var_lib_filetrans($1, container_file_t, dir, "origin")
@ -536,6 +537,7 @@ interface(`container_filetrans_named_content',`
    #  workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
    filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
@ -561,6 +563,8 @@ interface(`container_filetrans_named_content',`
    # Third-party snapshotters
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")

+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
@ -573,7 +577,7 @@ interface(`container_filetrans_named_content',`
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
    filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
-    files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+    files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')

 ########################################
--- a/container.te
+++ b/container.te
@ -1,7 +1,8 @@
-policy_module(container, 2.213.0)
+policy_module(container, 2.240.0)

 gen_require(`
 	class passwd rootok;
+	type system_conf_t;
 ')

 ########################################
@ -17,6 +18,13 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)

+## <desc>
+##  <p>
+##  Allow all container domains to read cert files and directories
+##  </p>
+## </desc>
+gen_tunable(container_read_certs, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether sshd can launch container engines
@ -31,6 +39,20 @@ gen_tunable(sshd_launch_containers, false)
 ## </desc>
 gen_tunable(container_use_devices, false)

+## <desc>
+##  <p>
+##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
+##  </p>
+## </desc>
+gen_tunable(container_use_xserver_devices, false)
+
+## <desc>
+##  <p>
+##  Allow containers to use any dri device volume mounted into container
+##  </p>
+## </desc>
+gen_tunable(container_use_dri_devices, true)
+
 ## <desc>
 ## <p>
 ## Allow sandbox containers to manage cgroup (systemd)
@ -38,6 +60,13 @@ gen_tunable(container_use_devices, false)
 ## </desc>
 gen_tunable(container_manage_cgroup, false)

+## <desc>
+## <p>
+## Allow containers to manipulate SELinux labels
+## </p>
+## </desc>
+gen_tunable(container_modify_selinux_labels, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether container can
@ -129,6 +158,7 @@ type container_devpts_t alias docker_devpts_t;
 term_pty(container_devpts_t)

 typealias container_ro_file_t alias { container_share_t docker_share_t };
+typeattribute container_ro_file_t container_file_type, user_home_type;
 files_mountpoint(container_ro_file_t)
 userdom_user_home_content(container_ro_file_t)

@ -169,6 +199,7 @@ allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
 allow container_runtime_domain self:udp_socket create_socket_perms;
 allow container_runtime_domain self:capability2 block_suspend;
 allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain port_t:icmp_socket name_bind;
 allow container_runtime_domain self:filesystem associate;
 allow container_runtime_domain self:packet_socket create_socket_perms;
 allow container_runtime_domain self:socket create_socket_perms;
@ -205,19 +236,24 @@ manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t
 manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
 userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
 userdom_manage_user_home_content(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)

 manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
 manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
-files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")

 manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
+files_manage_generic_locks(container_runtime_domain)

 manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+
+logging_read_syslog_pid(container_runtime_domain)
 logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
+
 allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
 allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
@ -243,8 +279,23 @@ manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, containe
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
 can_exec(container_runtime_domain, container_ro_file_t)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
@ -262,6 +313,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")

 manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
@ -270,17 +322,30 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;

 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
 term_use_all_ttys(container_runtime_domain)
 term_use_all_inherited_terms(container_runtime_domain)

+mls_file_read_to_clearance(container_runtime_t)
+mls_file_relabel_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+mls_process_read_to_clearance(container_runtime_t)
+mls_process_write_to_clearance(container_runtime_t)
+mls_socket_read_to_clearance(container_runtime_t)
+mls_socket_write_to_clearance(container_runtime_t)
+mls_sysvipc_read_to_clearance(container_runtime_t)
+mls_sysvipc_write_to_clearance(container_runtime_t)
+
 kernel_read_network_state(container_runtime_domain)
 kernel_read_all_sysctls(container_runtime_domain)
 kernel_rw_net_sysctls(container_runtime_domain)
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)

 domain_obj_id_change_exemption(container_runtime_t)
 domain_subj_id_change_exemption(container_runtime_t)
@ -461,33 +526,38 @@ dev_rw_loop_control(container_runtime_domain)
 dev_rw_lvm_control(container_runtime_domain)
 dev_read_mtrr(container_runtime_domain)

+userdom_map_user_home_files(container_runtime_t)
+
 files_getattr_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_files(container_runtime_domain)
 files_manage_isid_type_symlinks(container_runtime_domain)
 files_manage_isid_type_chr_files(container_runtime_domain)
 files_manage_isid_type_blk_files(container_runtime_domain)
+files_manage_etc_dirs(container_runtime_domain)
+files_manage_etc_files(container_runtime_domain)
 files_exec_isid_files(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 files_mounton_non_security(container_runtime_domain)
 files_mounton_isid_type_chr_file(container_runtime_domain)

-fs_mount_all_fs(container_runtime_domain)
-fs_unmount_all_fs(container_runtime_domain)
-fs_remount_all_fs(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_cgroup_dirs(container_runtime_domain)
 fs_manage_cgroup_files(container_runtime_domain)
-fs_rw_nsfs_files(container_runtime_domain)
-fs_relabelfrom_xattr_fs(container_runtime_domain)
-fs_relabelfrom_tmpfs(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_getattr_all_fs(container_runtime_domain)
-fs_rw_inherited_tmpfs_files(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_search_tmpfs(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_mount_all_fs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_set_xattr_fs_quotas(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)


 term_use_generic_ptys(container_runtime_domain)
@ -514,6 +584,10 @@ userdom_use_user_ptys(container_runtime_domain)
 userdom_connectto_stream(container_runtime_domain)
 allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };

+tunable_policy(`container_modify_selinux_labels',`
+	allow container_domain self:process { setexec setfscreate};
+')
+
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(container_runtime_domain)
 	fs_manage_nfs_files(container_runtime_domain)
@ -521,7 +595,6 @@ tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_symlinks(container_runtime_domain)
 	fs_remount_nfs(container_runtime_domain)
 	fs_mount_nfs(container_runtime_domain)
-	fs_unmount_nfs(container_runtime_domain)
 	fs_exec_nfs_files(container_runtime_domain)
 	kernel_rw_fs_sysctls(container_runtime_domain)
 	allow container_runtime_domain nfs_t:file execmod;
@ -566,6 +639,10 @@ tunable_policy(`container_use_cephfs',`
 	allow container_domain cephfs_t:file execmod;
 ')

+tunable_policy(`container_read_certs',`
+	miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
 	type ecryptfs_t;
 ')
@ -583,21 +660,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
 fs_manage_fusefs_files(container_runtime_domain)
 fs_manage_fusefs_symlinks(container_runtime_domain)
 fs_mount_fusefs(container_runtime_domain)
-fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)

-optional_policy(`
-    files_search_all(container_domain)
-    container_read_share_files(container_domain)
-    container_exec_share_files(container_domain)
-    allow container_domain container_ro_file_t:file execmod;
-    container_lib_filetrans(container_domain,container_file_t, sock_file)
-    container_use_ptys(container_domain)
-    container_spc_stream_connect(container_domain)
-    fs_dontaudit_remount_tmpfs(container_domain)
-    dev_dontaudit_mounton_sysfs(container_domain)
-')
+files_search_all(container_domain)
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)

 optional_policy(`
 	apache_exec_modules(container_runtime_domain)
@ -646,6 +718,14 @@ optional_policy(`
 	udev_read_db(container_runtime_domain)
 ')

+optional_policy(`
+	require {
+		type hsa_device_t;
+	}
+
+	allow container_domain hsa_device_t:chr_file rw_chr_file_perms;
+')
+
 optional_policy(`
 	gen_require(`
 		role unconfined_r;
@ -695,21 +775,24 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
+dontaudit spc_t self:memprotect mmap_zero;

 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })

-allow container_runtime_domain spc_t:process2 nnp_transition;
+allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
+allow spc_t container_file_type:file execmod;
+
 admin_pattern(spc_t, kubernetes_file_t)

 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;

-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
 allow spc_t unlabeled_t:key manage_key_perms;
@ -722,8 +805,14 @@ init_dbus_chat(spc_t)
 optional_policy(`
 	systemd_dbus_chat_machined(spc_t)
 	systemd_dbus_chat_logind(spc_t)
+	systemd_dbus_chat_timedated(spc_t)
+	systemd_dbus_chat_localed(spc_t)
 ')

+domain_transition_all(spc_t)
+
+anaconda_domtrans_install(spc_t)
+
 optional_policy(`
 	dbus_chat_system_bus(spc_t)
 	dbus_chat_session_bus(spc_t)
@ -739,6 +828,10 @@ optional_policy(`
 	allow daemon spc_t:dbus send_msg;
 ')

+optional_policy(`
+	rtkit_scheduled(spc_t)
+')
+
 optional_policy(`
 	virt_transition_svirt_sandbox(spc_t, system_r)
 	virt_sandbox_entrypoint(spc_t)
@ -826,7 +919,7 @@ container_manage_files_template(container, container)
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;
@ -845,6 +938,7 @@ dontaudit container_domain self:dir { write add_name };
 allow container_domain self:file rw_file_perms;
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@ -853,7 +947,7 @@ allow container_domain self:netlink_xfrm_socket create_socket_perms;
 allow container_domain self:packet_socket create_socket_perms;
 allow container_domain self:passwd rootok;
 allow container_domain self:peer recv;
-allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
+allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop};
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;
@ -864,28 +958,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
 dontaudit container_domain self:capability2  block_suspend ;
 allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
-fs_fusefs_entrypoint(container_domain)
 fs_fusefs_entrypoint(spc_t)

 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
 container_use_ptys(container_domain)
 container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
+
 dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
-fs_mount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+dev_getattr_mtrr_dev(container_domain)
+dev_list_sysfs(container_domain)
+dev_mounton_sysfs(container_t)
+dev_read_mtrr(container_domain)
+dev_read_rand(container_domain)
+dev_read_sysfs(container_domain)
+dev_read_urand(container_domain)
+dev_rw_inherited_dri(container_domain)
+dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
+dev_write_rand(container_domain)
+dev_write_urand(container_domain)
+allow container_domain sysfs_t:dir watch;

 dontaudit container_domain container_runtime_tmpfs_t:dir read;
 allow container_domain container_runtime_tmpfs_t:dir mounton;
-
-dev_getattr_mtrr_dev(container_domain)
-dev_list_sysfs(container_domain)
-allow container_domain sysfs_t:dir watch;
-
-dev_rw_kvm(container_domain)
-dev_rwx_zero(container_domain)
+can_exec(container_domain, container_runtime_tmpfs_t)

 allow container_domain self:key manage_key_perms;
 dontaudit container_domain container_domain:key search;
@ -901,10 +1000,11 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow container_domain self:passwd rootok;
 allow container_domain self:filesystem associate;
 allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };

 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_mounton_all_proc(container_domain)
 kernel_read_all_sysctls(container_domain)
 kernel_dontaudit_write_kernel_sysctl(container_domain)
 kernel_read_network_state(container_domain)
@ -918,16 +1018,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
 kernel_read_irq_sysctls(container_domain)
 kernel_get_sysvipc_info(container_domain)

-fs_getattr_all_fs(container_domain)
-fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_tmpfs_symlinks(container_domain)
-fs_search_tmpfs(container_domain)
-fs_list_hugetlbfs(container_domain)
-fs_manage_hugetlbfs_files(container_domain)
-fs_exec_hugetlbfs_files(container_domain)
 fs_dontaudit_getattr_all_dirs(container_domain)
 fs_dontaudit_getattr_all_files(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_fusefs_entrypoint(container_domain)
+fs_getattr_all_fs(container_domain)
+fs_list_cgroup_dirs(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_bpf_files(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mount_tmpfs(container_domain)
+fs_unmount_tmpfs(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_mounton_cgroup(container_domain)
+fs_mounton_fusefs(container_domain)
+fs_read_cgroup_files(container_domain)
 fs_read_nsfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_rw_onload_sockets(container_domain)
+fs_search_tmpfs(container_domain)
+fs_unmount_cgroup(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_unmount_nsfs(container_domain)
+fs_unmount_xattr_fs(container_domain)

 term_use_all_inherited_terms(container_domain)

@ -951,18 +1077,6 @@ gen_require(`
 	type cgroup_t;
 ')

-dev_read_sysfs(container_domain)
-dev_read_mtrr(container_domain)
-dev_mounton_sysfs(container_t)
-
-fs_mounton_cgroup(container_t)
-fs_unmount_cgroup(container_t)
-
-dev_read_rand(container_domain)
-dev_write_rand(container_domain)
-dev_read_urand(container_domain)
-dev_write_urand(container_domain)
-
 files_read_kernel_modules(container_domain)

 allow container_file_t cgroup_t:filesystem associate;
@ -1008,6 +1122,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;

+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@ -1017,9 +1132,6 @@ gen_require(`
 ')
 dontaudit container_domain usermodehelper_t:file write;

-fs_read_cgroup_files(container_domain)
-fs_list_cgroup_dirs(container_domain)
-
 sysnet_read_config(container_domain)

 allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@ -1047,20 +1159,6 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')

-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_manage_fusefs_dirs(container_domain)
-fs_manage_fusefs_files(container_domain)
-fs_manage_fusefs_symlinks(container_domain)
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_exec_fusefs_files(container_domain)
-fs_mount_xattr_fs(container_domain)
-fs_unmount_xattr_fs(container_domain)
-fs_remount_xattr_fs(container_domain)
-fs_mount_fusefs(container_domain)
-fs_unmount_fusefs(container_domain)
-fs_mounton_fusefs(container_domain)
 storage_rw_fuse(container_domain)
 allow container_domain fusefs_t:file { mounton execmod };
 allow container_domain fusefs_t:filesystem remount;
@ -1135,6 +1233,7 @@ dev_mount_sysfs_fs(container_userns_t)
 dev_mounton_sysfs(container_userns_t)

 fs_mount_tmpfs(container_userns_t)
+fs_unmount_tmpfs(container_userns_t)
 fs_relabelfrom_tmpfs(container_userns_t)
 fs_remount_cgroup(container_userns_t)

@ -1179,6 +1278,7 @@ logging_read_all_logs(container_logreader_t)
 allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
+allow container_logreader_t container_log_t:file watch;

 # Container Logwriter
 container_domain_template(container_logwriter, container)
@ -1188,6 +1288,7 @@ manage_files_pattern(container_logwriter_t, logfile, logfile)
 manage_dirs_pattern(container_logwriter_t, logfile, logfile)
 manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
 logging_manage_audit_log(container_logwriter_t)
+allow container_logwriter_t container_log_t:file watch;

 optional_policy(`
 	gen_require(`
@ -1331,6 +1432,15 @@ tunable_policy(`container_use_devices',`
 	allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')

+tunable_policy(`container_use_xserver_devices',`
+	dev_getattr_xserver_misc_dev(container_t)
+	dev_rw_xserver_misc(container_t)
+')
+
+tunable_policy(`container_use_dri_devices',`
+	dev_rw_dri(container_domain)
+')
+
 tunable_policy(`virt_sandbox_use_sys_admin',`
 	allow container_init_t self:capability sys_admin;
 	allow container_init_t self:cap_userns sys_admin;
@ -1347,19 +1457,44 @@ fs_mounton_cgroup(container_engine_t)
 fs_unmount_cgroup(container_engine_t)
 fs_manage_cgroup_dirs(container_engine_t)
 fs_manage_cgroup_files(container_engine_t)
-fs_mount_tmpfs(container_engine_t)
 fs_write_cgroup_files(container_engine_t)
-
-allow container_engine_t proc_t:file mounton;
-allow container_engine_t sysctl_t:file mounton;
-allow container_engine_t sysfs_t:filesystem remount;
-
+fs_remount_cgroup(container_engine_t)
+fs_mount_all_fs(container_engine_t)
+fs_remount_all_fs(container_engine_t)
+fs_unmount_all_fs(container_engine_t)
+kernel_mounton_all_sysctls(container_engine_t)
 kernel_mount_proc(container_engine_t)
-kernel_mounton_core_if(container_engine_t)
 kernel_mounton_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
-
 term_mount_pty_fs(container_engine_t)
+term_use_generic_ptys(container_engine_t)
+
+allow container_engine_t container_file_t:chr_file mounton;
+allow container_engine_t filesystem_type:{dir file} mounton;
+allow container_engine_t proc_kcore_t:file mounton;
+allow container_engine_t proc_t:filesystem remount;
+allow container_engine_t sysctl_t:{dir file} mounton;
+allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
+allow container_engine_t fusefs_t:file relabelto;
+allow container_engine_t kernel_t:system module_request;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
+allow container_engine_t random_device_t:chr_file mounton;
+allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t urandom_device_t:chr_file mounton;
+allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
+allow container_engine_t devpts_t:chr_file setattr;
+
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
+
+optional_policy(`
+	gen_require(`
+		type devtty_t;
+	')
+	allow container_engine_t devtty_t:chr_file mounton;
+')

 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@ -1372,12 +1507,24 @@ optional_policy(`
 	unconfined_domain(kubelet_t)
 ')

+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;

+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
 ')
@ -1411,10 +1558,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
 container_domain_template(container_device_plugin, container)
+typeattribute container_device_plugin_t container_net_domain;
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t,  kubelet_var_lib_t, kubelet_t)

 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
@ -1464,6 +1613,9 @@ role container_user_r types container_user_domain;
 role container_user_r types container_net_domain;
 role container_user_r types container_file_type;
 container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)

 fs_manage_cgroup_dirs(container_user_t)
 fs_manage_cgroup_files(container_user_t)
@ -1472,12 +1624,29 @@ selinux_compute_access_vector(container_user_t)
 systemd_dbus_chat_hostnamed(container_user_t)
 systemd_start_systemd_services(container_user_t)

+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;

 allow container_domain container_file_t:file entrypoint;
 allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
 allow container_domain container_var_lib_t:file entrypoint;
 allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };

+allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
+
 corecmd_entrypoint_all_executables(container_kvm_t)
 allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 allow svirt_sandbox_domain mountpoint:file entrypoint;
+
+tunable_policy(`deny_ptrace',`',`
+	allow container_domain self:process ptrace;
+	allow spc_t self:process ptrace;
+')
+
+# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
+# https://issues.redhat.com/browse/RHEL-91380
+files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")
--- a/container_selinux.8
+++ b/container_selinux.8
@ -1,4 +1,4 @@
-.TH  "container_selinux"  "8"  "22-12-13" "container" "SELinux Policy container"
+.TH  "container_selinux"  "8"  "25-03-11" "container" "SELinux Policy container"
 .SH "NAME"
 container_selinux \- Security Enhanced Linux Policy for the container processes
 .SH "DESCRIPTION"
@ -23,7 +23,7 @@ SELinux container policy is very flexible allowing users to setup their containe
 The following process types are defined for container:

 .EX
-.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_t
+.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_user_t, container_t
 .EE
 .PP
 Note:
@ -39,6 +39,14 @@ For example one process might be launched with container_t:s0:c1,c2, and another
 SELinux policy is customizable based on least access required.  container policy is extremely flexible and has several booleans that allow you to manipulate the policy and run container with the tightest access possible.


+.PP
+If you want to allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration, you must turn on the container_use_xserver_devices boolean. Disabled by default.
+
+.EX
+.B setsebool -P container_use_xserver_devices 1
+
+.EE
+
 .PP
 If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Disabled by default.

@ -102,6 +110,12 @@ The following port types are defined for container:

 The SELinux process type container_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.

+.br
+.B bpf_t
+
+	/sys/fs/bpf
+.br
+
 .br
 .B cifs_t

@ -122,16 +136,24 @@ The SELinux process type container_t can manage files labeled with the following
 	/var/srv/containers(/.*)?
 .br
 	/var/lib/containerd/[^/]*/snapshots(/.*)?
-.br
-	/var/lib/kubelet/pods(/.*)?
 .br
 	/var/lib/kubernetes/pods(/.*)?
+.br
+	/opt/local-path-provisioner(/.*)?
+.br
+	/var/local-path-provisioner(/.*)?
 .br
 	/var/lib/containers/storage/volumes/[^/]*/.*
 .br
 	/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
 .br
-	/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+
+.br
+.B ecryptfs_t
+
+	/home/[^/]+/\.Private(/.*)?
+.br
+	/home/[^/]+/\.ecryptfs(/.*)?
 .br

 .br
@ -141,9 +163,7 @@ The SELinux process type container_t can manage files labeled with the following
 .br
 .B fusefs_t

-	/var/run/user/[0-9]+/gvfs
-.br
-	/var/run/user/4003/gvfs
+	/run/user/[0-9]+/gvfs
 .br

 .br
@ -154,38 +174,6 @@ The SELinux process type container_t can manage files labeled with the following
 	/usr/lib/udev/devices/hugepages
 .br

-.br
-.B initrc_tmp_t
-
-
-.br
-.B mnt_t
-
-	/mnt(/[^/]*)?
-.br
-	/mnt(/[^/]*)?
-.br
-	/rhev(/[^/]*)?
-.br
-	/rhev/[^/]*/.*
-.br
-	/media(/[^/]*)?
-.br
-	/media(/[^/]*)?
-.br
-	/media/\.hal-.*
-.br
-	/var/run/media(/[^/]*)?
-.br
-	/afs
-.br
-	/net
-.br
-	/misc
-.br
-	/rhev
-.br
-
 .br
 .B nfs_t

@ -209,40 +197,6 @@ The SELinux process type container_t can manage files labeled with the following
 .br
 	/home/[^/]+/\.local/share/gnome-boxes/images(/.*)?
 .br
-	/home/selinuxuser/\.libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.cache/libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.config/libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.local/share/libvirt/boot(/.*)?
-.br
-	/home/selinuxuser/\.local/share/libvirt/images(/.*)?
-.br
-	/home/selinuxuser/\.local/share/gnome-boxes/images(/.*)?
-.br
-
-.br
-.B tmp_t
-
-	/sandbox(/.*)?
-.br
-	/tmp
-.br
-	/usr/tmp
-.br
-	/var/tmp
-.br
-	/var/tmp
-.br
-	/tmp-inst
-.br
-	/var/tmp-inst
-.br
-	/var/tmp/tmp-inst
-.br
-	/var/tmp/vi\.recover
-.br

 .SH FILE CONTEXTS
 SELinux requires files to have an extended attribute to define the file type.
@ -288,14 +242,6 @@ container policy stores data with multiple different file context types under th
 .B restorecon -R -v /srv/docker
 .PP

-.PP
-container policy stores data with multiple different file context types under the /var/lib/kubelet directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/lib/kubelet /srv/kubelet
-.br
-.B restorecon -R -v /srv/kubelet
-.PP
-
 .PP
 container policy stores data with multiple different file context types under the /var/lib/nerdctl directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
 .PP
@ -312,29 +258,13 @@ container policy stores data with multiple different file context types under th
 .B restorecon -R -v /srv/ocid
 .PP

-.PP
-container policy stores data with multiple different file context types under the /var/run/containerd directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/run/containerd /srv/containerd
-.br
-.B restorecon -R -v /srv/containerd
-.PP
-
-.PP
-container policy stores data with multiple different file context types under the /var/run/docker directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/run/docker /srv/docker
-.br
-.B restorecon -R -v /srv/docker
-.PP
-
 .PP
 .B STANDARD FILE CONTEXT

 SELinux defines the file context types for the container, if you wanted to
-store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
+store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

-.B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?'
+.B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
 .br
 .B restorecon -R -v /srv/mycontainer_content

@ -377,7 +307,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubelet/pods(/.*)?, /var/lib/kubernetes/pods(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*, /home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubernetes/pods(/.*)?, /opt/local-path-provisioner(/.*)?, /var/local-path-provisioner(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*

 .EX
 .PP
@ -413,7 +343,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log
+/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/log/kube-apiserver(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log

 .EX
 .PP
@ -433,7 +363,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-layers(/.*)?
+/var/lib/shared(/.*)?, /var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/artifacts(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/ramalama(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/artifacts(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?

 .EX
 .PP
@ -445,7 +375,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
+/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/buildah, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin

 .EX
 .PP
@ -485,7 +415,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/lib/docker-latest(/.*)?
+/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/crio(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/cache/containers(/.*)?, /var/lib/docker-latest(/.*)?

 .EX
 .PP
@ -497,7 +427,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/flannel(/.*)?, /var/run/buildkit(/.*)?, /var/run/containerd(/.*)?, /var/run/containers(/.*)?, /var/run/docker-client(/.*)?, /var/run/docker\.pid, /var/run/docker\.sock
+/run/crio(/.*)?, /run/docker(/.*)?, /run/flannel(/.*)?, /run/buildkit(/.*)?, /run/containerd(/.*)?, /run/containers(/.*)?, /run/docker-client(/.*)?, /run/docker\.pid, /run/docker\.sock

 .PP
 Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@ -531,4 +461,4 @@ This manual page was auto-generated using
 .B "sepolicy manpage".

 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
--- a/plans/common_setup.sh
+++ b/plans/common_setup.sh
@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-# Clean all prior dnf metadata
-dnf clean all
-
-# Disable rhcontainerbot/packit-builds to avoid testing with
-# packages built from unmerged content of other repos.
-dnf -y copr disable rhcontainerbot/packit-builds
-
-# Fetch podman and other dependencies from rhcontainerbot/podman-next.
-. /etc/os-release
-if [ $(NAME) == "CentOS Stream" ]; then
-    dnf -y copr enable rhcontainerbot/podman-next centos-stream+epel-next-$(VERSION)
-else
-    dnf -y copr enable rhcontainerbot/podman-next
-fi
-dnf -y --disablerepo=testing-farm-* install bats golang podman podman-tests
--- a/plans/main.fmf
+++ b/plans/main.fmf
@ -1,11 +1,20 @@
-/podman_e2e_test:
-    summary: Run SELinux specific Podman e2e tests
-    execute:
-        how: tmt
-        script: bash plans/podman_e2e_test.sh
-
-/podman_system_test:
-    summary: Run SELinux specific Podman system tests
-    execute:
-        how: tmt
-        script: bash plans/podman_system_test.sh
+discover:
+    how: fmf
+execute:
+    how: tmt
+prepare:
+    - when: distro == centos-stream or distro == rhel
+      how: shell
+      script: |
+        dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm
+        dnf -y config-manager --set-enabled epel
+      order: 10
+    - when: initiator == packit
+      how: shell
+      script: |
+        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+        if compgen -G $COPR_REPO_FILE > /dev/null; then
+            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
+        fi
+        dnf -y upgrade --allowerasing
+      order: 20
--- a/plans/podman_e2e_test.sh
+++ b/plans/podman_e2e_test.sh
@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-# Copr repo setup handled in common_setup.sh
-. ./plans/common_setup.sh
-
-# Fetch and prep Podman source from latest SRPM on
-# rhcontainerbot/podman-next copr
-dnf --disablerepo=* --enablerepo=copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next download --source podman
-rpm2cpio podman*.src.rpm | cpio -di
-tar zxf podman*.tar.gz
-cd podman/test/e2e
-
-# Run SELinux specific Podman e2e tests
-PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
--- a/plans/podman_system_test.sh
+++ b/plans/podman_system_test.sh
@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-# Copr repo setup handled in common_setup.sh
-. ./plans/common_setup.sh
-
-# Run Podman's SELinux system tests
-bats /usr/bin/podman /usr/share/podman/test/system/410-selinux.bats
--- a/rpm/container-selinux.spec
+++ b/rpm/container-selinux.spec
@ -1,11 +1,7 @@
 %global debug_package %{nil}

-# container-selinux upstream
-%global git0 https://github.com/containers/container-selinux
-
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container

@ -14,35 +10,27 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;

-# copr_username is only set on copr environments, not on others like koji
-%if "%{?copr_username}" != "rhcontainerbot"
-%bcond_with copr
-%else
-%bcond_without copr
-%endif
-
-# RHEL 8 doesn't allow watch and systemd_chat_resolved
-%if 0%{?rhel} == 8
-%bcond_without no_watch
-%bcond_without no_systemd_chat_resolved
-%else
-%bcond_with no_watch
-%bcond_with no_systemd_chat_resolved
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
 %endif

 # https://github.com/containers/container-selinux/issues/203
-%if 0%{?fedora} <= 37 || 0%{?rhel} <= 9
-%bcond_without no_user_namespace
-%else
-%bcond_with no_user_namespace
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
+%define no_user_namespace 1
+%endif
+
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
 %endif

 Name: container-selinux
 # Set different Epochs for copr and koji
-%if %{with copr}
-Epoch: 101
+%if %{defined copr_build}
+Epoch: 102
 %else
-Epoch: 2
+Epoch: 4
 %endif
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
@ -50,9 +38,9 @@ Epoch: 2
 Version: 0
 Release: %autorelease
 License: GPL-2.0-only
-URL: %{git0}
+URL: https://github.com/containers/%{name}
 Summary: SELinux policies for container runtimes
-Source0: %{git0}/archive/v%{version}.tar.gz
+Source0: %{url}/archive/v%{version}.tar.gz
 BuildArch: noarch
 BuildRequires: make
 BuildRequires: git-core
@ -62,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@ -81,20 +70,14 @@ SELinux policy modules for use with container runtimes.
 sed -i 's/^man: install-policy/man:/' Makefile
 sed -i 's/^install: man/install:/' Makefile

-%if %{with no_watch}
-sed -i 's/watch watch_reads//' container.if
-sed -i 's/watch watch_reads//' container.te
-sed -i '/sysfs_t:dir watch/d' container.te
-%endif
-
-%if %{with no_systemd_chat_resolved}
-sed -i '/^systemd_chat_resolved/d' container.te
-%endif
-
-%if %{with no_user_namespace}
+%if %{defined no_user_namespace}
 sed -i '/user_namespace/d' container.te
 %endif

+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
 %build
 make

@ -104,7 +87,7 @@ make
 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user

 %pre
-%selinux_relabel_pre -s %{selinuxtype}
+%selinux_relabel_pre

 %post
 # Install all modules in a single transaction
@ -112,21 +95,24 @@ if [ $1 -eq 1 ]; then
   %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :

 %postun
 if [ $1 -eq 0 ]; then
-   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+   %selinux_modules_uninstall %{modulenames} docker
 fi

 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
+%selinux_relabel_post
+
+# Empty placeholder check to silence rpmlint
+%check

 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@ -136,11 +122,14 @@ fi
 %{_datadir}/selinux/*
 %dir %{_datadir}/containers/selinux
 %{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
 %{_mandir}/man8/container_selinux.8.gz
-%{_sysconfdir}/selinux/targeted/contexts/users/*
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}

 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then
@ -148,10 +137,5 @@ if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay*  2> /dev/null
 fi

-%if 0%{?centos} <= 8
-* Mon May 01 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
- Dummy changelog for CentOS Stream 8
-%else
 %changelog
 %autochangelog
-%endif
--- a/rpm/gating.yaml
+++ b/rpm/gating.yaml
@ -0,0 +1,14 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []
--- a/rpm/update-spec-version.sh
+++ b/rpm/update-spec-version.sh
@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will update the Version field in the spec which is set to 0 by
-# default. Useful for local manual rpm builds where the Version needs to be set
-# correctly.
-
-SPEC_FILE=$(pwd)/container-selinux.spec
-LATEST_TAG=$(git tag --sort=creatordate | tail -1)
-LATEST_VERSION=$(echo $LATEST_TAG | sed -e 's/^v//')
-
-sed -i "s/^Version:.*/Version: $LATEST_VERSION/" $SPEC_FILE
--- a/test/main.fmf
+++ b/test/main.fmf
@ -0,0 +1,17 @@
+require:
+    - attr
+    - bats
+    - container-selinux
+    - podman-tests
+    - policycoreutils
+
+/basic_check:
+    summary: Run basic checks
+    test: |
+        semodule --list=full | grep container
+        semodule -B
+        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+/podman_system_test:
+    summary: Run SELinux specific Podman system tests
+    test: bash ./podman-tests.sh
--- a/test/podman-tests.sh
+++ b/test/podman-tests.sh
@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
+
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats