Don't allow containers by default setexec setfscreate

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

.packit.yaml

@@ -2,30 +2,78 @@
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/
 
-specfile_path: rpm/container-selinux.spec
+downstream_package_name: container-selinux
 upstream_tag_template: v{version}
 
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+    mkpath: true
+  - src: test/
+    dest: test/
+    delete: true
+    mkpath: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml
+
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-eln:
+    specfile_path: rpm/container-selinux.spec
+
 srpm_build_deps:
   - make
 
 jobs:
   - job: copr_build
     trigger: pull_request
-    notifications:
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
       failure_comment:
         message: "Ephemeral COPR build failed. @containers/packit-build please check."
     enable_net: true
     # container-selinux is noarch so we only need to test on one arch
+    targets: &fedora_copr_targets
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
     targets:
-      - fedora-all
+      - fedora-eln-x86_64
-      - fedora-eln
+      - fedora-eln-aarch64
-      - epel-9
+
-      - epel-8
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_copr_targets
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
 
   # Run on commit to main branch
   # Build targets managed in copr settings
   - job: copr_build
     trigger: commit
+    packages: [container-selinux-fedora]
     notifications:
       failure_comment:
         message: "podman-next COPR build failed. @containers/packit-build please check."
@@ -35,67 +83,51 @@ jobs:
     enable_net: true
 
   # All tests specified in the `/plans/` subdir
-  # Podman e2e tests for Fedora and CentOS Stream
+  # Tests for Fedora
   - job: tests
     trigger: pull_request
-    notifications:
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
       failure_comment:
-        message: "podman e2e tests failed. @containers/packit-build please check."
+        message: "Tests failed. @containers/packit-build please check."
-    targets: &pr_test_targets
+    targets: *fedora_copr_targets
-      - fedora-all
+    tf_extra_params:
-      - epel-9
+      environments:
-      - epel-8
+        - artifacts:
-    identifier: podman_e2e_test
+          - type: repository-file
-    tmt_plan: "/plans/podman_e2e_test"
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
 
-  # Podman system tests for Fedora and CentOS Stream
+  # Tests for CentOS Stream
   - job: tests
     trigger: pull_request
-    notifications:
+    packages: [container-selinux-centos]
-      failure_comment:
+    notifications: *test_failure_notification
-        message: "podman system tests failed. @containers/packit-build please check."
+    targets: *centos_copr_targets
-    targets: *pr_test_targets
+    tf_extra_params:
-    identifier: podman_system_test
+      environments:
-    tmt_plan: "/plans/podman_system_test"
+        - artifacts:
-
+          - type: repository-file
-  # Podman e2e tests for RHEL
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
-  - job: tests
-    trigger: pull_request
-    use_internal_tf: true
-    notifications:
-      failure_comment:
-        message: "podman e2e tests failed on RHEL. @containers/packit-build please check."
-    targets: &pr_test_targets_rhel
-      epel-9-x86_64:
-        distros: [RHEL-9.3.0-Nightly,RHEL-9.4.0-Nightly]
-      epel-8-x86_64:
-        distros: [RHEL-8.9.0-Nightly,RHEL-8.10.0-Nightly]
-    identifier: podman_e2e_test_internal
-    tmt_plan: "/plans/podman_e2e_test"
-
-  # Podman system tests for RHEL
-  - job: tests
-    trigger: pull_request
-    use_internal_tf: true
-    notifications:
-      failure_comment:
-        message: "podman system tests failed on RHEL. @containers/packit-build please check."
-    targets: *pr_test_targets_rhel
-    identifier: podman_system_test_internal
-    tmt_plan: "/plans/podman_system_test"
 
   - job: propose_downstream
     trigger: release
-    update_release: false
+    packages: [container-selinux-fedora]
-    dist_git_branches:
+    dist_git_branches: &fedora_targets
       - fedora-all
 
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
   - job: koji_build
     trigger: commit
-    dist_git_branches:
+    packages: [container-selinux-fedora]
-      - fedora-all
+    dist_git_branches: *fedora_targets
 
   - job: bodhi_update
     trigger: commit
+    packages: [container-selinux-fedora]
     dist_git_branches:
       - fedora-branched # rawhide updates are created automatically

OWNERS

@@ -0,0 +1,6 @@
+approvers:
+  - haircommander   
+  - lsm5
+  - rhatdan
+  - wrabcak
+  - zpytela

container.fc

@@ -13,14 +13,15 @@
 /usr/local/s?bin/kubenswrapper.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/kubensenter.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/kubensenter.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildah		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
-/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -91,6 +92,8 @@
 # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
 /var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
 
+HOME_DIR/\.local/share/ramalama(/.*)?		 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/artifacts(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -108,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/atomic(/.*)?	<<none>>
 /var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/artifacts(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -121,7 +125,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 
-/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
 
 /var/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /opt/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
@@ -130,7 +134,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pod-resources/kubelet.sock		gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/pod-resources(/.*)?	gen_context(system_u:object_r:kubelet_var_lib_t,s0)
 /var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
@@ -141,26 +145,28 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 
 /var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
+/var/lib/crio(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
+/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
 /var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
 
-/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
 
 /srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 
-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+/run/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
 
+/var/log/kube-apiserver(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /etc/kubernetes(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)

container.if

@@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
     files_pid_filetrans($1, container_var_run_t, dir, "containers")
     files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
 
+    logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
     logging_log_filetrans($1, container_log_t, dir, "lxc")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
     files_var_lib_filetrans($1, container_file_t, dir, "origin")
@@ -536,6 +537,7 @@ interface(`container_filetrans_named_content',`
     #  workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
@@ -561,6 +563,8 @@ interface(`container_filetrans_named_content',`
     # Third-party snapshotters
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
 
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")

container.te

@@ -1,7 +1,8 @@
-policy_module(container, 2.228.1)
+policy_module(container, 2.240.0)
 
 gen_require(`
 	class passwd rootok;
+	type system_conf_t;
 ')
 
 ########################################
@@ -38,6 +39,13 @@ gen_tunable(sshd_launch_containers, false)
 ## </desc>
 gen_tunable(container_use_devices, false)
 
+## <desc>
+##  <p>
+##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
+##  </p>
+## </desc>
+gen_tunable(container_use_xserver_devices, false)
+
 ## <desc>
 ##  <p>
 ##  Allow containers to use any dri device volume mounted into container
@@ -52,6 +60,13 @@ gen_tunable(container_use_dri_devices, true)
 ## </desc>
 gen_tunable(container_manage_cgroup, false)
 
+## <desc>
+## <p>
+## Allow containers to manipulate SELinux labels
+## </p>
+## </desc>
+gen_tunable(container_modify_selinux_labels, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether container can
@@ -569,6 +584,10 @@ userdom_use_user_ptys(container_runtime_domain)
 userdom_connectto_stream(container_runtime_domain)
 allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
 
+tunable_policy(`container_modify_selinux_labels',`
+	allow container_domain self:process { setexec setfscreate};
+')
+
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(container_runtime_domain)
 	fs_manage_nfs_files(container_runtime_domain)
@@ -699,6 +718,14 @@ optional_policy(`
 	udev_read_db(container_runtime_domain)
 ')
 
+optional_policy(`
+	require {
+		type hsa_device_t;
+	}
+
+	allow container_domain hsa_device_t:chr_file rw_chr_file_perms;
+')
+
 optional_policy(`
 	gen_require(`
 		role unconfined_r;
@@ -750,6 +777,7 @@ tunable_policy(`container_connect_any',`
 #
 allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
+dontaudit spc_t self:memprotect mmap_zero;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
@@ -777,6 +805,8 @@ init_dbus_chat(spc_t)
 optional_policy(`
 	systemd_dbus_chat_machined(spc_t)
 	systemd_dbus_chat_logind(spc_t)
+	systemd_dbus_chat_timedated(spc_t)
+	systemd_dbus_chat_localed(spc_t)
 ')
 
 domain_transition_all(spc_t)
@@ -798,6 +828,10 @@ optional_policy(`
 	allow daemon spc_t:dbus send_msg;
 ')
 
+optional_policy(`
+	rtkit_scheduled(spc_t)
+')
+
 optional_policy(`
 	virt_transition_svirt_sandbox(spc_t, system_r)
 	virt_sandbox_entrypoint(spc_t)
@@ -913,7 +947,7 @@ allow container_domain self:netlink_xfrm_socket create_socket_perms;
 allow container_domain self:packet_socket create_socket_perms;
 allow container_domain self:passwd rootok;
 allow container_domain self:peer recv;
-allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
+allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop};
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;
@@ -970,6 +1004,7 @@ allow container_domain container_runtime_domain:socket_class_set { accept append
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_mounton_all_proc(container_domain)
 kernel_read_all_sysctls(container_domain)
 kernel_dontaudit_write_kernel_sysctl(container_domain)
 kernel_read_network_state(container_domain)
@@ -1001,8 +1036,11 @@ fs_manage_fusefs_named_sockets(container_domain)
 fs_manage_fusefs_symlinks(container_domain)
 fs_manage_hugetlbfs_files(container_domain)
 fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
 fs_mount_tmpfs(container_domain)
+fs_unmount_tmpfs(container_domain)
 fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
 fs_mounton_cgroup(container_domain)
 fs_mounton_fusefs(container_domain)
 fs_read_cgroup_files(container_domain)
@@ -1084,6 +1122,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
 
+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1194,6 +1233,7 @@ dev_mount_sysfs_fs(container_userns_t)
 dev_mounton_sysfs(container_userns_t)
 
 fs_mount_tmpfs(container_userns_t)
+fs_unmount_tmpfs(container_userns_t)
 fs_relabelfrom_tmpfs(container_userns_t)
 fs_remount_cgroup(container_userns_t)
 
@@ -1238,6 +1278,7 @@ logging_read_all_logs(container_logreader_t)
 allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
+allow container_logreader_t container_log_t:file watch;
 
 # Container Logwriter
 container_domain_template(container_logwriter, container)
@@ -1247,6 +1288,7 @@ manage_files_pattern(container_logwriter_t, logfile, logfile)
 manage_dirs_pattern(container_logwriter_t, logfile, logfile)
 manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
 logging_manage_audit_log(container_logwriter_t)
+allow container_logwriter_t container_log_t:file watch;
 
 optional_policy(`
 	gen_require(`
@@ -1390,6 +1432,11 @@ tunable_policy(`container_use_devices',`
 	allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')
 
+tunable_policy(`container_use_xserver_devices',`
+	dev_getattr_xserver_misc_dev(container_t)
+	dev_rw_xserver_misc(container_t)
+')
+
 tunable_policy(`container_use_dri_devices',`
 	dev_rw_dri(container_domain)
 ')
@@ -1428,6 +1475,26 @@ allow container_engine_t filesystem_type:{dir file} mounton;
 allow container_engine_t proc_kcore_t:file mounton;
 allow container_engine_t proc_t:filesystem remount;
 allow container_engine_t sysctl_t:{dir file} mounton;
+allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
+allow container_engine_t fusefs_t:file relabelto;
+allow container_engine_t kernel_t:system module_request;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
+allow container_engine_t random_device_t:chr_file mounton;
+allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t urandom_device_t:chr_file mounton;
+allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
+allow container_engine_t devpts_t:chr_file setattr;
+
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
+
+optional_policy(`
+	gen_require(`
+		type devtty_t;
+	')
+	allow container_engine_t devtty_t:chr_file mounton;
+')
 
 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@@ -1440,12 +1507,24 @@ optional_policy(`
 	unconfined_domain(kubelet_t)
 ')
 
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 
 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;
 
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
 ')
@@ -1479,10 +1558,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
 container_domain_template(container_device_plugin, container)
+typeattribute container_device_plugin_t container_net_domain;
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t,  kubelet_var_lib_t, kubelet_t)
 
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
@@ -1532,6 +1613,9 @@ role container_user_r types container_user_domain;
 role container_user_r types container_net_domain;
 role container_user_r types container_file_type;
 container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)
 
 fs_manage_cgroup_dirs(container_user_t)
 fs_manage_cgroup_files(container_user_t)
@@ -1540,12 +1624,20 @@ selinux_compute_access_vector(container_user_t)
 systemd_dbus_chat_hostnamed(container_user_t)
 systemd_start_systemd_services(container_user_t)
 
+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;
 
 allow container_domain container_file_t:file entrypoint;
 allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
 allow container_domain container_var_lib_t:file entrypoint;
 allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
 
+allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
+
 corecmd_entrypoint_all_executables(container_kvm_t)
 allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 allow svirt_sandbox_domain mountpoint:file entrypoint;
@@ -1554,3 +1646,7 @@ tunable_policy(`deny_ptrace',`',`
 	allow container_domain self:process ptrace;
 	allow spc_t self:process ptrace;
 ')
+
+# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
+# https://issues.redhat.com/browse/RHEL-91380
+files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")

container_selinux.8

@@ -1,4 +1,4 @@
-.TH  "container_selinux"  "8"  "22-12-13" "container" "SELinux Policy container"
+.TH  "container_selinux"  "8"  "25-03-11" "container" "SELinux Policy container"
 .SH "NAME"
 container_selinux \- Security Enhanced Linux Policy for the container processes
 .SH "DESCRIPTION"
@@ -23,7 +23,7 @@ SELinux container policy is very flexible allowing users to setup their containe
 The following process types are defined for container:
 
 .EX
-.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_t
+.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_user_t, container_t
 .EE
 .PP
 Note:
@@ -39,6 +39,14 @@ For example one process might be launched with container_t:s0:c1,c2, and another
 SELinux policy is customizable based on least access required.  container policy is extremely flexible and has several booleans that allow you to manipulate the policy and run container with the tightest access possible.
 
 
+.PP
+If you want to allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration, you must turn on the container_use_xserver_devices boolean. Disabled by default.
+
+.EX
+.B setsebool -P container_use_xserver_devices 1
+
+.EE
+
 .PP
 If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Disabled by default.
 
@@ -102,6 +110,12 @@ The following port types are defined for container:
 
 The SELinux process type container_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 
+.br
+.B bpf_t
+
+	/sys/fs/bpf
+.br
+
 .br
 .B cifs_t
 
@@ -122,16 +136,24 @@ The SELinux process type container_t can manage files labeled with the following
 	/var/srv/containers(/.*)?
 .br
 	/var/lib/containerd/[^/]*/snapshots(/.*)?
-.br
-	/var/lib/kubelet/pods(/.*)?
 .br
 	/var/lib/kubernetes/pods(/.*)?
+.br
+	/opt/local-path-provisioner(/.*)?
+.br
+	/var/local-path-provisioner(/.*)?
 .br
 	/var/lib/containers/storage/volumes/[^/]*/.*
 .br
 	/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
 .br
-	/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+
+.br
+.B ecryptfs_t
+
+	/home/[^/]+/\.Private(/.*)?
+.br
+	/home/[^/]+/\.ecryptfs(/.*)?
 .br
 
 .br
@@ -141,9 +163,7 @@ The SELinux process type container_t can manage files labeled with the following
 .br
 .B fusefs_t
 
-	/var/run/user/[0-9]+/gvfs
+	/run/user/[0-9]+/gvfs
-.br
-	/var/run/user/4003/gvfs
 .br
 
 .br
@@ -154,38 +174,6 @@ The SELinux process type container_t can manage files labeled with the following
 	/usr/lib/udev/devices/hugepages
 .br
 
-.br
-.B initrc_tmp_t
-
-
-.br
-.B mnt_t
-
-	/mnt(/[^/]*)?
-.br
-	/mnt(/[^/]*)?
-.br
-	/rhev(/[^/]*)?
-.br
-	/rhev/[^/]*/.*
-.br
-	/media(/[^/]*)?
-.br
-	/media(/[^/]*)?
-.br
-	/media/\.hal-.*
-.br
-	/var/run/media(/[^/]*)?
-.br
-	/afs
-.br
-	/net
-.br
-	/misc
-.br
-	/rhev
-.br
-
 .br
 .B nfs_t
 
@@ -209,40 +197,6 @@ The SELinux process type container_t can manage files labeled with the following
 .br
 	/home/[^/]+/\.local/share/gnome-boxes/images(/.*)?
 .br
-	/home/selinuxuser/\.libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.cache/libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.config/libvirt/qemu(/.*)?
-.br
-	/home/selinuxuser/\.local/share/libvirt/boot(/.*)?
-.br
-	/home/selinuxuser/\.local/share/libvirt/images(/.*)?
-.br
-	/home/selinuxuser/\.local/share/gnome-boxes/images(/.*)?
-.br
-
-.br
-.B tmp_t
-
-	/sandbox(/.*)?
-.br
-	/tmp
-.br
-	/usr/tmp
-.br
-	/var/tmp
-.br
-	/var/tmp
-.br
-	/tmp-inst
-.br
-	/var/tmp-inst
-.br
-	/var/tmp/tmp-inst
-.br
-	/var/tmp/vi\.recover
-.br
 
 .SH FILE CONTEXTS
 SELinux requires files to have an extended attribute to define the file type.
@@ -288,14 +242,6 @@ container policy stores data with multiple different file context types under th
 .B restorecon -R -v /srv/docker
 .PP
 
-.PP
-container policy stores data with multiple different file context types under the /var/lib/kubelet directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/lib/kubelet /srv/kubelet
-.br
-.B restorecon -R -v /srv/kubelet
-.PP
-
 .PP
 container policy stores data with multiple different file context types under the /var/lib/nerdctl directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
 .PP
@@ -312,29 +258,13 @@ container policy stores data with multiple different file context types under th
 .B restorecon -R -v /srv/ocid
 .PP
 
-.PP
-container policy stores data with multiple different file context types under the /var/run/containerd directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/run/containerd /srv/containerd
-.br
-.B restorecon -R -v /srv/containerd
-.PP
-
-.PP
-container policy stores data with multiple different file context types under the /var/run/docker directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv directory you would execute the following command:
-.PP
-.B semanage fcontext -a -e /var/run/docker /srv/docker
-.br
-.B restorecon -R -v /srv/docker
-.PP
-
 .PP
 .B STANDARD FILE CONTEXT
 
 SELinux defines the file context types for the container, if you wanted to
 store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
 
-.B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?'
+.B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
 .br
 .B restorecon -R -v /srv/mycontainer_content
 
@@ -377,7 +307,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubelet/pods(/.*)?, /var/lib/kubernetes/pods(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*, /home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubernetes/pods(/.*)?, /opt/local-path-provisioner(/.*)?, /var/local-path-provisioner(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
 
 .EX
 .PP
@@ -413,7 +343,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log
+/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/log/kube-apiserver(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log
 
 .EX
 .PP
@@ -433,7 +363,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-layers(/.*)?
+/var/lib/shared(/.*)?, /var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/artifacts(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/ramalama(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/artifacts(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?
 
 .EX
 .PP
@@ -445,7 +375,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
+/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/buildah, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
 
 .EX
 .PP
@@ -485,7 +415,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/lib/docker-latest(/.*)?
+/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/crio(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/cache/containers(/.*)?, /var/lib/docker-latest(/.*)?
 
 .EX
 .PP
@@ -497,7 +427,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/flannel(/.*)?, /var/run/buildkit(/.*)?, /var/run/containerd(/.*)?, /var/run/containers(/.*)?, /var/run/docker-client(/.*)?, /var/run/docker\.pid, /var/run/docker\.sock
+/run/crio(/.*)?, /run/docker(/.*)?, /run/flannel(/.*)?, /run/buildkit(/.*)?, /run/containerd(/.*)?, /run/containers(/.*)?, /run/docker-client(/.*)?, /run/docker\.pid, /run/docker\.sock
 
 .PP
 Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -531,4 +461,4 @@ This manual page was auto-generated using
 .B "sepolicy manpage".
 
 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)

plans/main.fmf

@@ -1,64 +1,20 @@
-# tmt does provide the `adjust` attribute to manage distro conditionals, but
+discover:
-# the bash way has been rather convenient to read, manage and copy-paste
+    how: fmf
-# Ref: https://tmt.readthedocs.io/en/stable/spec/core.html#adjust
+execute:
+    how: tmt
 prepare:
-    - how: shell
+    - when: distro == centos-stream or distro == rhel
+      how: shell
       script: |
-        RHEL_RELEASE=$(rpm --eval %{?rhel})
+        dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm
-        ARCH=$(uname -m)
+        dnf -y config-manager --set-enabled epel
-        if [ $RHEL_RELEASE -eq 8 ]; then
+      order: 10
-            echo "Disabling container-tools module..."
+    - when: initiator == packit
-            dnf -y module disable container-tools
+      how: shell
+      script: |
+        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
+        if compgen -G $COPR_REPO_FILE > /dev/null; then
+            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
         fi
-        if [ -f /etc/centos-release ]; then
+        dnf -y upgrade --allowerasing
-            echo "Installing epel-release..."
+      order: 20
-            dnf -y install epel-release
-        elif [ $RHEL_RELEASE -ge 8 ]; then
-            echo "Installing epel-release..."
-            dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$RHEL_RELEASE.noarch.rpm
-            echo "Enabling epel repo..."
-            dnf config-manager --set-enabled epel
-            cat /etc/yum.repos.d/epel.repo
-        fi
-        dnf -y copr enable rhcontainerbot/podman-next
-        dnf config-manager --save --setopt="*:rhcontainerbot:podman-next.priority=5"
-    - how: install
-      package:
-        - bats
-        - golang
-        - podman
-        - podman-tests
-
-/podman_e2e_test:
-    summary: Run SELinux specific Podman e2e tests
-    execute:
-        how: tmt
-        script: |
-            echo "Checking /etc/redhat-release..."
-            cat /etc/redhat-release
-            echo "Checking installed versions of required packages..."
-            rpm -q container-selinux golang podman
-            if [ -f /etc/fedora-release ]; then
-                echo "Resizing tmpfs..."
-                mount -o remount,size=10G /tmp
-            fi
-            echo "Fetching podman srpm from copr..."
-            dnf --disablerepo=* --enablerepo=copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next download --source podman
-            echo "Extracting podman source from srpm..."
-            rpm2cpio podman*.src.rpm | cpio -di
-            tar zxf podman-*-dev.tar.gz
-            echo "Running podman e2e tests..."
-            cd podman-*-dev/test/e2e
-            PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
-
-/podman_system_test:
-    summary: Run SELinux specific Podman system tests
-    execute:
-        how: tmt
-        script: |
-            echo "Checking /etc/redhat-release..."
-            cat /etc/redhat-release
-            echo "Checking installed versions of required packages..."
-            rpm -q container-selinux podman podman-tests
-            echo "Running podman system tests..."
-            bats /usr/bin/podman /usr/share/podman/test/system/410-selinux.bats

rpm/container-selinux.spec

@@ -2,7 +2,6 @@
 
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
 
@@ -11,24 +10,27 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
-# RHEL 8 doesn't allow watch and systemd_chat_resolved
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
-%if %{defined rhel} && 0%{?rhel} == 8
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
-%define no_watch 1
+%define legacy_var_run 1
-%define no_systemd_chat_resolved 1
-%global _selinux_policy_version 3.14.3-80.el8
 %endif
 
 # https://github.com/containers/container-selinux/issues/203
-%if %{!defined fedora} && %{!defined rhel} || %{defined fedora} && 0%{?fedora} <= 37 || %{defined rhel} && 0%{?rhel} <= 9
+%if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9
 %define no_user_namespace 1
 %endif
 
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+
 Name: container-selinux
 # Set different Epochs for copr and koji
-%if %{defined copr_username}
+%if %{defined copr_build}
 Epoch: 102
 %else
-Epoch: 2
+Epoch: 4
 %endif
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
@@ -48,7 +50,8 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -67,21 +70,14 @@ SELinux policy modules for use with container runtimes.
 sed -i 's/^man: install-policy/man:/' Makefile
 sed -i 's/^install: man/install:/' Makefile
 
-%if %{defined no_watch}
-sed -i 's/watch watch_reads//' container.if
-sed -i 's/watch watch_reads//' container.te
-sed -i '/sysfs_t:dir watch/d' container.te
-sed -i '/fifo_file watch/d' container.te
-%endif
-
-%if %{defined no_systemd_chat_resolved}
-sed -i '/^systemd_chat_resolved/d' container.te
-%endif
-
 %if %{defined no_user_namespace}
 sed -i '/user_namespace/d' container.te
 %endif
 
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' container.fc
+%endif
+
 %build
 make
 
@@ -90,11 +86,8 @@ make
 %_format MODULES $x.pp.bz2
 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
 
-# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-rm %{buildroot}%{_mandir}/man8/container_selinux.8
-
 %pre
-%selinux_relabel_pre -s %{selinuxtype}
+%selinux_relabel_pre
 
 %post
 # Install all modules in a single transaction
@@ -102,21 +95,24 @@ if [ $1 -eq 1 ]; then
    %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
-%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 
 %postun
 if [ $1 -eq 0 ]; then
-   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
+   %selinux_modules_uninstall %{modulenames} docker
 fi
 
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
+%selinux_relabel_post
+
+# Empty placeholder check to silence rpmlint
+%check
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -126,12 +122,14 @@ fi
 %{_datadir}/selinux/*
 %dir %{_datadir}/containers/selinux
 %{_datadir}/containers/selinux/contexts
+%dir %{_datadir}/udica
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-#%%{_mandir}/man8/container_selinux.8.gz
+%{_mandir}/man8/container_selinux.8.gz
-%{_sysconfdir}/selinux/targeted/contexts/users/*
+%{_sysconfdir}/selinux/targeted/contexts/users/container_u
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
+%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then
@@ -140,12 +138,4 @@ if %{_sbindir}/selinuxenabled ; then
 fi
 
 %changelog
-%if %{defined autochangelog}
 %autochangelog
-%else
-# NOTE: This changelog will be visible on CentOS 8 Stream builds
-# Other envs are capable of handling autochangelog
-* Tue Jun 13 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
-- Placeholder changelog for envs that are not autochangelog-ready.
-- Contact upstream if you need to report an issue with the build.
-%endif

rpm/gating.yaml

@@ -0,0 +1,14 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules: []

rpm/update-spec-version.sh

@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will update the Version field in the spec which is set to 0 by
-# default. Useful for local manual rpm builds where the Version needs to be set
-# correctly.
-
-SPEC_FILE=$(pwd)/container-selinux.spec
-LATEST_TAG=$(git tag --sort=creatordate | tail -1)
-LATEST_VERSION=$(echo $LATEST_TAG | sed -e 's/^v//')
-
-sed -i "s/^Version:.*/Version: $LATEST_VERSION/" $SPEC_FILE

test/main.fmf

@@ -0,0 +1,17 @@
+require:
+    - attr
+    - bats
+    - container-selinux
+    - podman-tests
+    - policycoreutils
+
+/basic_check:
+    summary: Run basic checks
+    test: |
+        semodule --list=full | grep container
+        semodule -B
+        rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+/podman_system_test:
+    summary: Run SELinux specific Podman system tests
+    test: bash ./podman-tests.sh

test/podman-tests.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
+
+# Run podman system tests
+bats /usr/share/podman/test/system/410-selinux.bats