Sync from SUSE:SLFO:Main selinux-policy revision ab7b2ae489149f3931daa0accda72506

2024-06-14 17:21:15 +02:00 · 2024-06-14 17:21:15 +02:00 · 03dbb9718e
commit 03dbb9718e
parent b0be11a11c
13 changed files with 590 additions and 86 deletions
--- a/4
+++ b/4
@ -4,8 +4,8 @@
    <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
    <param name="scm">git</param>
    <param name="changesgenerate">enable</param>
-    <param name="revision">alp-1.0</param>
-    <param name="match-tag">release-20230523</param>
+    <param name="revision">slfo-main</param>
+    <param name="match-tag">release-20240604</param>
    <param name="versionrewrite-pattern">release-(.*)</param>
    <param name="versionrewrite-replacement">\1</param>
  </service>
--- a/4
+++ b/4
@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">0849f54c7e81665e3dfe7beecd5557b9edb69f2f</param></service><service name="tar_scm">
+              <param name="changesrevision">ee0114f1ae55a70c234ceed91d2b4489fde8bb49</param></service><service name="tar_scm">
                <param name="url">https://github.com/containers/container-selinux.git</param>
-              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
+              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
--- a/container.fc
+++ b/container.fc
@ -59,6 +59,7 @@
 /etc/crio(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /exports(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)

+/var/lib/shared(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
@ -111,11 +112,16 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/cache/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)

 /var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)

+/var/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+/opt/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+
 /var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)

--- a/container.if
+++ b/container.if
@ -522,6 +522,7 @@ interface(`container_filetrans_named_content',`
    files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
    files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
    files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
+    files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")

    filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
@ -997,7 +998,6 @@ interface(`container_kubelet_domtrans',`
 interface(`container_kubelet_run',`
 	gen_require(`
 		type kubelet_t;
-		class dbus send_msg;
 	')

 	container_kubelet_domtrans($1)
--- a/container.te
+++ b/container.te
@ -1,4 +1,4 @@
-policy_module(container, 2.210.0)
+policy_module(container, 2.219.0)

 gen_require(`
 	class passwd rootok;
@ -17,6 +17,13 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)

+## <desc>
+##  <p>
+##  Allow all container domains to read cert files and directories
+##  </p>
+## </desc>
+gen_tunable(container_read_certs, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether sshd can launch container engines
@ -81,7 +88,7 @@ ifdef(`enable_mls',`
 	range_transition container_runtime_t conmon_exec_t:process s0;
 ')

-type spc_t, container_domain;
+type spc_t;
 domain_type(spc_t)
 role system_r types spc_t;

@ -169,6 +176,7 @@ allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
 allow container_runtime_domain self:udp_socket create_socket_perms;
 allow container_runtime_domain self:capability2 block_suspend;
 allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain port_t:icmp_socket name_bind;
 allow container_runtime_domain self:filesystem associate;
 allow container_runtime_domain self:packet_socket create_socket_perms;
 allow container_runtime_domain self:socket create_socket_perms;
@ -205,19 +213,24 @@ manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t
 manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
 userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
 userdom_manage_user_home_content(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)

 manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
 manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
-files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")

 manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
+files_manage_generic_locks(container_runtime_domain)

 manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+
+logging_read_syslog_pid(container_runtime_domain)
 logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
+
 allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
 allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
@ -243,8 +256,23 @@ manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, containe
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
 can_exec(container_runtime_domain, container_ro_file_t)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
@ -262,6 +290,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")

 manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
@ -270,17 +299,30 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;

 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
 term_use_all_ttys(container_runtime_domain)
 term_use_all_inherited_terms(container_runtime_domain)

+mls_file_read_to_clearance(container_runtime_t)
+mls_file_relabel_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+mls_process_read_to_clearance(container_runtime_t)
+mls_process_write_to_clearance(container_runtime_t)
+mls_socket_read_to_clearance(container_runtime_t)
+mls_socket_write_to_clearance(container_runtime_t)
+mls_sysvipc_read_to_clearance(container_runtime_t)
+mls_sysvipc_write_to_clearance(container_runtime_t)
+
 kernel_read_network_state(container_runtime_domain)
 kernel_read_all_sysctls(container_runtime_domain)
 kernel_rw_net_sysctls(container_runtime_domain)
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)

 domain_obj_id_change_exemption(container_runtime_t)
 domain_subj_id_change_exemption(container_runtime_t)
@ -390,7 +432,10 @@ optional_policy(`
 ')

 optional_policy(`
-	iptables_domtrans(container_runtime_domain)
+	gen_require(`
+		role unconfined_r;
+	')
+	iptables_run(container_runtime_domain, unconfined_r)

 	container_read_pid_files(iptables_t)
 	container_read_state(iptables_t)
@ -458,33 +503,38 @@ dev_rw_loop_control(container_runtime_domain)
 dev_rw_lvm_control(container_runtime_domain)
 dev_read_mtrr(container_runtime_domain)

+userdom_map_user_home_files(container_runtime_t)
+
 files_getattr_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_files(container_runtime_domain)
 files_manage_isid_type_symlinks(container_runtime_domain)
 files_manage_isid_type_chr_files(container_runtime_domain)
 files_manage_isid_type_blk_files(container_runtime_domain)
+files_manage_etc_dirs(container_runtime_domain)
+files_manage_etc_files(container_runtime_domain)
 files_exec_isid_files(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 files_mounton_non_security(container_runtime_domain)
 files_mounton_isid_type_chr_file(container_runtime_domain)

-fs_mount_all_fs(container_runtime_domain)
-fs_unmount_all_fs(container_runtime_domain)
-fs_remount_all_fs(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_cgroup_dirs(container_runtime_domain)
 fs_manage_cgroup_files(container_runtime_domain)
-fs_rw_nsfs_files(container_runtime_domain)
-fs_relabelfrom_xattr_fs(container_runtime_domain)
-fs_relabelfrom_tmpfs(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_getattr_all_fs(container_runtime_domain)
-fs_rw_inherited_tmpfs_files(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_search_tmpfs(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_mount_all_fs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_set_xattr_fs_quotas(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)


 term_use_generic_ptys(container_runtime_domain)
@ -563,6 +613,10 @@ tunable_policy(`container_use_cephfs',`
 	allow container_domain cephfs_t:file execmod;
 ')

+tunable_policy(`container_read_certs',`
+	miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
 	type ecryptfs_t;
 ')
@ -648,12 +702,12 @@ optional_policy(`
 		role unconfined_r;
 	')
 	role unconfined_r types container_user_domain;
+	role unconfined_r types spc_t;
 	unconfined_domain(container_runtime_t)
 	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
-	role_transition unconfined_r container_runtime_exec_t system_r;
 	allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
 	allow container_runtime_domain unconfined_t:fifo_file setattr;
-	allow unconfined_domain_type container_domain:process {transition dyntransition };
+	allow unconfined_domain_type container_domain:process {transition dyntransition};
 	allow unconfined_t unlabeled_t:key manage_key_perms;
 	allow container_runtime_t unconfined_t:process transition;
 	allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
@ -692,7 +746,7 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
 role system_r types spc_t;

 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@ -700,17 +754,20 @@ domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })

-allow container_runtime_domain spc_t:process2 nnp_transition;
+allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
+
 admin_pattern(spc_t, kubernetes_file_t)

 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;

-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
 allow spc_t unlabeled_t:key manage_key_perms;
 allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+fs_fusefs_entrypoint(spc_t)
+corecmd_entrypoint_all_executables(spc_t)

 init_dbus_chat(spc_t)

@ -731,6 +788,7 @@ optional_policy(`
 	# This should eventually be in upstream policy.
 	# https://github.com/fedora-selinux/selinux-policy/pull/806
 	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+	allow daemon spc_t:dbus send_msg;
 ')

 optional_policy(`
@ -744,7 +802,10 @@ optional_policy(`
 	gen_require(`
 		attribute virt_domain;
 		type virtd_t;
+		role unconfined_r;
 	')
+	role unconfined_r types virt_domain;
+	role unconfined_r types virtd_t;
 	container_spc_read_state(virt_domain)
 	container_spc_rw_pipes(virt_domain)
 	allow container_runtime_t virtd_t:process transition;
@ -857,7 +918,7 @@ dontaudit container_domain self:capability2  block_suspend ;
 allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
 fs_rw_onload_sockets(container_domain)
 fs_fusefs_entrypoint(container_domain)
-
+fs_fusefs_entrypoint(spc_t)

 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
@ -999,7 +1060,6 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;

-
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@ -1188,6 +1248,8 @@ optional_policy(`
 		attribute userdomain;
 	')

+	allow userdomain container_domain:process transition;
+
 	can_exec(userdomain, container_runtime_exec_t)
 	container_manage_files(userdomain)
 	container_manage_share_dirs(userdomain)
@ -1280,6 +1342,7 @@ logging_send_syslog_msg(container_kvm_t)
 optional_policy(`
 	qemu_entry_type(container_kvm_t)
 	qemu_exec(container_kvm_t)
+	allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 ')

 manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
@ -1316,8 +1379,8 @@ optional_policy(`
 ')

 tunable_policy(`container_use_devices',`
-	allow container_domain device_node:chr_file rw_chr_file_perms;
-	allow container_domain device_node:blk_file rw_blk_file_perms;
+	allow container_domain device_node:chr_file {rw_chr_file_perms map};
+	allow container_domain device_node:blk_file {rw_blk_file_perms map};
 ')

 tunable_policy(`virt_sandbox_use_sys_admin',`
@ -1384,7 +1447,6 @@ optional_policy(`
 	gen_require(`
 		type sysadm_t;
 		role sysadm_r;
-		attribute userdomain;
 		role unconfined_r;
 	')

@ -1403,6 +1465,7 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
 container_domain_template(container_device_plugin, container)
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
+kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)

 # Standard container which needs to be allowed to use any device and
@ -1441,3 +1504,32 @@ tunable_policy(`sshd_launch_containers',`
 	container_runtime_domtrans(sshd_t)
 	dontaudit systemd_logind_t iptables_var_run_t:dir read;
 ')
+
+role container_user_r;
+userdom_restricted_user_template(container_user)
+userdom_manage_home_role(container_user_r, container_user_t)
+
+allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
+
+role container_user_r types container_domain;
+role container_user_r types container_user_domain;
+role container_user_r types container_net_domain;
+role container_user_r types container_file_type;
+container_runtime_run(container_user_t, container_user_r)
+
+fs_manage_cgroup_dirs(container_user_t)
+fs_manage_cgroup_files(container_user_t)
+
+selinux_compute_access_vector(container_user_t)
+systemd_dbus_chat_hostnamed(container_user_t)
+systemd_start_systemd_services(container_user_t)
+
+
+allow container_domain container_file_t:file entrypoint;
+allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
+allow container_domain container_var_lib_t:file entrypoint;
+allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
+
+corecmd_entrypoint_all_executables(container_kvm_t)
+allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
+allow svirt_sandbox_domain mountpoint:file entrypoint;
--- a/macros.selinux-policy
+++ b/macros.selinux-policy
@ -28,7 +28,7 @@
 %_selinux_store_policy_path %{_selinux_store_path}/${_policytype}

 %_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
-%_file_context_file_pre /run/rpm-state/file_contexts.pre
+%_file_context_file_pre /var/adm/update-scripts/file_contexts.pre

 %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
@ -92,7 +92,7 @@ if %{_sbindir}/selinuxenabled; then \
    _policytype="targeted" \
  fi \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-    mkdir -p /run/rpm-state \
+    mkdir -p $(dirname %{_file_context_file_pre}) \
    [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
  fi \
 fi \
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@ -1475,6 +1475,13 @@ uucp = module
 # 
 virt = module

+# Layer: services
+# Module: virt_supplementary
+#
+# non-libvirt virtualization libraries
+#
+virt_supplementary = module
+
 # Layer: apps
 # Module: vmware
 #
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2115,6 +2115,13 @@ vhostmd = module
 # 
 virt = module

+# Layer: services
+# Module: virt_supplementary
+#
+# non-libvirt virtualization libraries
+#
+virt_supplementary = module
+
 # Layer: apps
 # Module: vhostmd
 #
@ -2692,3 +2699,79 @@ wireguard = module
 #
 keyutils = module

+# Layer: contrib
+# Module: cifsutils
+#
+#  cifsutils - Utilities for managing CIFS mounts
+#
+cifsutils = module
+
+# Layer: contrib
+# Module: boothd
+#
+#  boothd - Booth cluster ticket manager
+#
+boothd = module
+
+# Layer: contrib
+# Module: kafs
+#
+#  kafs - Tools for kAFS
+#
+kafs = module
+
+# Layer: contrib
+# Module: bootupd
+#
+#  bootupd - bootloader update daemon
+#
+bootupd = module
+
+# Layer: contrib
+# Module: fdo
+#
+#  fdo - fido device onboard protocol for IoT devices
+#
+fdo = module
+
+# Layer: contrib
+# Module: qatlib
+#
+#  qatlib - Intel QuickAssist technology library and resources management
+#
+qatlib = module
+
+# Layer: contrib
+# Module: afterburn
+#
+# afterburn
+#
+afterburn = module
+
+# Layer: contrib
+# Module: nvme_stas
+#
+# nvme_stas
+#
+nvme_stas = module
+
+# Layer: contrib
+# Module: coreos_installer
+#
+# coreos_installer
+#
+coreos_installer = module
+
+## Layer: contrib
+## Module: libalternatives
+##
+## libalternatives
+##
+libalternatives = module
+
+## Layer: contrib
+## Module: kiwi
+##
+## kiw
+##
+kiwi = module
--- a/selinux-policy-20230523+git16.0849f54c.tar.xz
+++ b/selinux-policy-20230523+git16.0849f54c.tar.xz
--- a/selinux-policy-20240604+git1.ee0114f1.tar.xz
+++ b/selinux-policy-20240604+git1.ee0114f1.tar.xz
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,72 +1,387 @@
 -------------------------------------------------------------------
-Tue Apr 30 14:46:09 UTC 2024 - jsegitz@suse.com
+Tue Jun 04 16:39:04 UTC 2024 - cathy.hu@suse.com

- Update to version 20230523+git16.0849f54c:
-  * allow firewalld access to /dev/random and write HW acceleration 
-    logs (bsc#1215405)
+- Update to version 20240604+git0.ee0114f1:
+  * allow firewalld access to /dev/random and write HW acceleration logs

 -------------------------------------------------------------------
-Mon Mar 04 16:13:00 UTC 2024 - cathy.hu@suse.com
+Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com

- Update to version 20230523+git14.ef49ab54:
+- Update to version 20240321:
+  * policy module for kiwi (bsc#1221109)
+  * dontaudit execmem for modemmanager (bsc#1219363)
+
+-------------------------------------------------------------------
+Wed Mar 13 11:02:43 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240313:
+  * Assign alts_exec_t to files_type
+
+-------------------------------------------------------------------
+Fri Mar 08 09:05:08 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240308:
+  * Support /bin/alts in the policy (bsc#1217530)
+  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
+
+-------------------------------------------------------------------
+Wed Mar 06 15:41:20 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240306:
+  * Replace init domtrans rule for confined users to allow exec init
+  * Update dbus_role_template() to allow user service status
+  * Allow polkit status all systemd services
+  * Allow setroubleshootd create and use inherited io_uring
+  * Allow load_policy read and write generic ptys
+
+-------------------------------------------------------------------
+Mon Mar 04 16:19:28 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)

 -------------------------------------------------------------------
-Wed Feb 28 16:32:49 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com

- Extend module list for targeted policy
-  * timedatex
-  * rrdcached
-  * stratisd
-  * ica (bsc#1215405)
-  * fedoratp
-  * stalld
-  * rhcd
-  * wireguard 
-  * keyutils
-
-------------------------------------------------------------------
-Mon Feb 26 15:18:05 UTC 2024 - cathy.hu@suse.com
-
- Update to version 20230523+git12.05dc86ac:
-  * Add dontaudit rules for the checkpoint_restore capability used
-    by getty and plymouth (bsc#1220361)
-
-------------------------------------------------------------------
-Wed Feb 07 09:02:53 UTC 2024 - cathy.hu@suse.com
-
- Update to version 20230523+git10.e010174f:
+- Update to version 20240205:
+  * Allow gpg manage rpm cache
+  * Allow login_userdomain name_bind to howl and xmsg udp ports
+  * Allow rules for confined users logged in plasma
+  * Label /dev/iommu with iommu_device_t
+  * Remove duplicate file context entries in /run
+  * Dontaudit getty and plymouth the checkpoint_restore capability (bsc#1220361)
+  * Allow su domains write login records
+  * Revert "Allow su domains write login records"
+  * Allow login_userdomain delete session dbusd tmp socket files
+  * Allow unix dgram sendto between exim processes
+  * Allow su domains write login records
+  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
+  * Allow chronyd-restricted read chronyd key files
+  * Allow conntrackd_t to use bpf capability2
+  * Allow systemd-networkd manage its runtime socket files
+  * Allow init_t nnp domain transition to colord_t
+  * Allow polkit status systemd services
+  * nova: Fix duplicate declarations
+  * Allow httpd work with PrivateTmp
+  * Add interfaces for watching and reading ifconfig_var_run_t
+  * Allow collectd read raw fixed disk device
+  * Allow collectd read udev pid files
+  * Set correct label on /etc/pki/pki-tomcat/kra
+  * Allow systemd domains watch system dbus pid socket files
+  * Allow certmonger read network sysctls
+  * Allow mdadm list stratisd data directories
+  * Allow syslog to run unconfined scripts conditionally
+  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
+  * Allow qatlib set attributes of vfio device files
+  * Allow systemd-sleep set attributes of efivarfs files
+  * Allow samba-dcerpcd read public files
+  * Allow spamd_update_t the sys_ptrace capability in user namespace
+  * Allow bluetooth devices work with alsa
+  * Allow alsa get attributes filesystems with extended attributes
+  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
+  * Add interface for write-only access to NetworkManager rw conf
+  * Allow systemd-sleep send a message to syslog over a unix dgram socket
+  * Allow init create and use netlink netfilter socket
+  * Allow qatlib load kernel modules
+  * Allow qatlib run lspci
+  * Allow qatlib manage its private runtime socket files
+  * Allow qatlib read/write vfio devices
+  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
+  * Allow init read all non-security socket files
+  * Replace redundant dnsmasq pattern macros
+  * Remove unneeded symlink perms in dnsmasq.if
+  * Add additions to dnsmasq interface
+  * Allow nvme_stas_t create and use netlink kobject uevent socket
+  * Allow collectd connect to statsd port
+  * Allow keepalived_t to use sys_ptrace of cap_userns
+  * Allow dovecot_auth_t connect to postgresql using UNIX socket
+  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
+  * Allow sysadm execute traceroute in sysadm_t domain using sudo
+  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
+  * Allow opafm search nfs directories
+  * Add support for syslogd unconfined scripts
+  * Allow gpsd use /dev/gnss devices
+  * Allow gpg read rpm cache
+  * Allow virtqemud additional permissions
+  * Allow virtqemud manage its private lock files
+  * Allow virtqemud use the io_uring api
+  * Allow ddclient send e-mail notifications
+  * Allow postfix_master_t map postfix data files
+  * Allow init create and use vsock sockets
+  * Allow thumb_t append to init unix domain stream sockets
+  * Label /dev/vas with vas_device_t
+  * Create interface selinux_watch_config and add it to SELinux users
+  * Update cifs interfaces to include fs_search_auto_mountpoints()
+  * Allow sudodomain read var auth files
+  * Allow spamd_update_t read hardware state information
+  * Allow virtnetworkd domain transition on tc command execution
+  * Allow sendmail MTA connect to sendmail LDA
+  * Allow auditd read all domains process state
+  * Allow rsync read network sysctls
+  * Add dhcpcd bpf capability to run bpf programs
+  * Dontaudit systemd-hwdb dac_override capability
+  * Allow systemd-sleep create efivarfs files
+  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
+  * Allow graphical applications work in Wayland
+  * Allow kdump work with PrivateTmp
+  * Allow dovecot-auth work with PrivateTmp
+  * Allow nfsd get attributes of all filesystems
+  * Allow unconfined_domain_type use io_uring cmd on domain
+  * ci: Only run Rawhide revdeps tests on the rawhide branch
+  * Label /var/run/auditd.state as auditd_var_run_t
+  * Allow fido-device-onboard (FDO) read the crack database
+  * Allow ip an explicit domain transition to other domains
+  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
+  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
+  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
+  * Allow ntp to bind and connect to ntske port.

 -------------------------------------------------------------------
-Wed Jan 31 08:02:35 UTC 2024 - cathy.hu@suse.com
+Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com

- Update to version 20230523+git8.ab5aa47a:
-  * Allow kdump create and use its memfd: objects (bsc#1219207)
+- Update to version 20240116:
+  * Fix gitolite homedir paths (bsc#1218826)

 -------------------------------------------------------------------
-Tue Nov 28 14:45:47 UTC 2023 - Cathy Hu <cathy.hu@suse.com>
+Tue Jan 09 09:14:44 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240104:
+  * Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
+  * allow rebootmgr to read the system state (bsc#1205931)
+
+-------------------------------------------------------------------
+Tue Nov 28 14:40:23 UTC 2023 - Hu <cathy.hu@suse.com>

 - Trigger rebuild of the policy when pcre2 gets updated to avoid
  regex version mismatch errors (bsc#1216747).

 -------------------------------------------------------------------
-Thu Oct 12 11:56:20 UTC 2023 - cathy.hu@suse.com
+Fri Nov 24 09:34:20 UTC 2023 - cathy.hu@suse.com

- Update to version 20230523+git6.b3649209:
-  * Allow keepalived to manage its tmp files (bsc#1216060)
+- Update to version 20231124:
+  * Allow virtnetworkd_t to execute bin_t (bsc#1216903)

 -------------------------------------------------------------------
-Tue Sep 12 14:51:28 UTC 2023 - cathy.hu@suse.com
+Wed Nov 22 14:37:56 UTC 2023 - Hu <cathy.hu@suse.com>

- Update to version 20230523+git4.261ed027:
+- Add new modules that were missed in the last update to 
+  modules-mls-contrib.conf
+
+-------------------------------------------------------------------
+Wed Nov 22 13:49:14 UTC 2023 - Hu <cathy.hu@suse.com>
+
+- Add new modules that were missed in the last update to 
+  modules-targeted-contrib.conf (bsc#1215405)
+
+-------------------------------------------------------------------
+Mon Oct 30 10:28:10 UTC 2023 - cathy.hu@suse.com
+
+- Update to version 20231030:
+  * Allow system_mail_t manage exim spool files and dirs
+  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
+  * Label /run/pcsd.socket with cluster_var_run_t
+  * ci: Run cockpit tests in PRs
+  * Add map_read map_write to kernel_prog_run_bpf
+  * Allow systemd-fstab-generator read all symlinks
+  * Allow systemd-fstab-generator the dac_override capability
+  * Allow rpcbind read network sysctls
+  * Support using systemd containers
+  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
+  * Add policy for coreos installer
+  * Add policy for nvme-stas
+  * Confine systemd fstab,sysv,rc-local
+  * Label /etc/aliases.lmdb with etc_aliases_t
+  * Create policy for afterburn
+  * Make new virt drivers permissive
+  * Split virt policy, introduce virt_supplementary module
+  * Allow apcupsd cgi scripts read /sys
+  * Allow kernel_t to manage and relabel all files
+  * Add missing optional_policy() to files_relabel_all_files()
+  * Allow named and ndc use the io_uring api
+  * Deprecate common_anon_inode_perms usage
+  * Improve default file context(None) of /var/lib/authselect/backups
+  * Allow udev_t to search all directories with a filesystem type
+  * Implement proper anon_inode support
+  * Allow targetd write to the syslog pid sock_file
+  * Add ipa_pki_retrieve_key_exec() interface
+  * Allow kdumpctl_t to list all directories with a filesystem type
+  * Allow udev additional permissions
+  * Allow udev load kernel module
+  * Allow sysadm_t to mmap modules_object_t files
+  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
+  * Set default file context of HOME_DIR/tmp/.* to <<none>>
+  * Allow kernel_generic_helper_t to execute mount(1)
+  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
+  * Allow systemd-localed create Xserver config dirs
+  * Allow sssd read symlinks in /etc/sssd
+  * Label /dev/gnss[0-9] with gnss_device_t
+  * Allow systemd-sleep read/write efivarfs variables
+  * ci: Fix version number of packit generated srpms
+  * Dontaudit rhsmcertd write memory device
+  * Allow ssh_agent_type create a sockfile in /run/user/USERID
+  * Set default file context of /var/lib/authselect/backups to <<none>>
+  * Allow prosody read network sysctls
+  * Allow cupsd_t to use bpf capability
+  * Allow sssd domain transition on passkey_child execution conditionally
+  * Allow login_userdomain watch lnk_files in /usr
+  * Allow login_userdomain watch video4linux devices
+  * Change systemd-network-generator transition to include class file
+  * Revert "Change file transition for systemd-network-generator"
+  * Allow nm-dispatcher winbind plugin read/write samba var files
+  * Allow systemd-networkd write to cgroup files
+  * Allow kdump create and use its memfd: objects (bsc#1219207)
+  * Allow fedora-third-party get generic filesystem attributes
+  * Allow sssd use usb devices conditionally
+  * Update policy for qatlib
+  * Allow ssh_agent_type manage generic cache home files
+  * Change file transition for systemd-network-generator
+  * Additional support for gnome-initial-setup
+  * Update gnome-initial-setup policy for geoclue
+  * Allow openconnect vpn open vhost net device
+  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
+  * Grant cifs.upcall more required capabilities
+  * Allow xenstored map xenfs files
+  * Update policy for fdo
+  * Allow keepalived watch var_run dirs
+  * Allow svirt to rw /dev/udmabuf
+  * Allow qatlib  to modify hardware state information.
+  * Allow key.dns_resolve connect to avahi over a unix stream socket
+  * Allow key.dns_resolve create and use unix datagram socket
+  * Use quay.io as the container image source for CI
+  * ci: Move srpm/rpm build to packit
+  * .copr: Avoid subshell and changing directory
+  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
+  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
+  * Make insights_client_t an unconfined domain
+  * Allow insights-client manage user temporary files
+  * Allow insights-client create all rpm logs with a correct label
+  * Allow insights-client manage generic logs
+  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
+  * Allow insights-client read and write cluster tmpfs files
+  * Allow ipsec read nsfs files
+  * Make tuned work with mls policy
+  * Remove nsplugin_role from mozilla.if
+  * allow mon_procd_t self:cap_userns sys_ptrace
+  * Allow pdns name_bind and name_connect all ports
+  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
+  * ci: Move to actions/checkout@v3 version
+  * .copr: Replace chown call with standard workflow safe.directory setting
+  * .copr: Enable `set -u` for robustness
+  * .copr: Simplify root directory variable
+  * Allow rhsmcertd dbus chat with policykit
+  * Allow polkitd execute pkla-check-authorization with nnp transition
+  * Allow user_u and staff_u get attributes of non-security dirs
+  * Allow unconfined user filetrans chrome_sandbox_home_t
+  * Allow svnserve execute postdrop with a transition
+  * Do not make postfix_postdrop_t type an MTA executable file
+  * Allow samba-dcerpc service manage samba tmp files
+  * Add use_nfs_home_dirs boolean for mozilla_plugin
+  * Fix labeling for no-stub-resolv.conf
+  * Revert "Allow winbind-rpcd use its private tmp files"
+  * Allow upsmon execute upsmon via a helper script
+  * Allow openconnect vpn read/write inherited vhost net device
+  * Allow winbind-rpcd use its private tmp files
+  * Update samba-dcerpc policy for printing
+  * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
+  * Allow nscd watch system db dirs
+  * Allow qatlib to read sssd public files
+  * Allow fedora-third-party read /sys and proc
+  * Allow systemd-gpt-generator mount a tmpfs filesystem
+  * Allow journald write to cgroup files
+  * Allow rpc.mountd read network sysctls
+  * Allow blueman read the contents of the sysfs filesystem
+  * Allow logrotate_t to map generic files in /etc
+  * Boolean: Allow virt_qemu_ga create ssh directory
+  * Allow systemd-network-generator send system log messages
+  * Dontaudit the execute permission on sock_file globally
+  * Allow fsadm_t the file mounton permission
+  * Allow named and ndc the io_uring sqpoll permission
+  * Allow sssd io_uring sqpoll permission
+  * Fix location for /run/nsd
+  * Allow qemu-ga get fixed disk devices attributes
+  * Update bitlbee policy
+  * Label /usr/sbin/sos with sosreport_exec_t
+  * Update policy for the sblim-sfcb service
+  * Add the files_getattr_non_auth_dirs() interface
+  * Fix the CI to work with DNF5
+  * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
+  * Revert "Allow insights client map cache_home_t"
+  * Allow nfsidmapd connect to systemd-machined over a unix socket
+  * Allow snapperd connect to kernel over a unix domain stream socket
+  * Allow virt_qemu_ga_t create .ssh dir with correct label
+  * Allow targetd read network sysctls
+  * Set the abrt_handle_event boolean to on
+  * Permit kernel_t to change the user identity in object contexts
+  * Allow insights client map cache_home_t
+  * Label /usr/sbin/mariadbd with mysqld_exec_t
+  * Allow httpd tcp connect to redis port conditionally
+  * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
+  * Dontaudit aide the execmem permission
+  * Remove permissive from fdo
+  * Allow sa-update manage spamc home files
+  * Allow sa-update connect to systemlog services
+  * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
+  * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
+  * Allow bootupd search EFI directory
+  * Change init_audit_control default value to true
+  * Allow nfsidmapd connect to systemd-userdbd with a unix socket
+  * Add the qatlib  module
+  * Add the fdo module
+  * Add the bootupd module
+  * Set default ports for keylime policy
+  * Create policy for qatlib
+  * Add policy for FIDO Device Onboard
+  * Add policy for bootupd
+  * Add support for kafs-dns requested by keyutils
+  * Allow insights-client execmem
+  * Add support for chronyd-restricted
+  * Add init_explicit_domain() interface
+  * Allow fsadm_t to get attributes of cgroup filesystems
+  * Add list_dir_perms to kerberos_read_keytab
+  * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
+  * Allow sendmail manage its runtime files
+
+-------------------------------------------------------------------
+Thu Oct 12 07:59:22 UTC 2023 - cathy.hu@suse.com
+
+- Update to version 20231012:
+  * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
  * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
-  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)

 -------------------------------------------------------------------
-Tue May 23 13:38:15 UTC 2023 - cathy.hu@suse.com
+Wed Oct  4 14:40:03 UTC 2023 - Johannes Segitz <jsegitz@suse.com>

- Initial ALP release using git workflow: 20230523+git0.41d70255
+- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
+  directory doesn't exist on SUSE systems (bsc#1213593)
+
+-------------------------------------------------------------------
+Tue Sep 19 07:57:02 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Modified update.sh to require first parameter "full" to also
+  update container-selinux. For maintenance updates you usually
+  don't want it to be updated
+
+-------------------------------------------------------------------
+Fri Jul 28 14:49:04 UTC 2023 - filippo.bonazzi@suse.com
+
+- Update to version 20230728:
+  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
+  * allow haveged to manage tmpfs directories (bsc#1213594)
+
+-------------------------------------------------------------------
+Thu Jun 22 12:14:15 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230622:
+  * Allow keyutils_dns_resolver_exec_t be an entrypoint
+  * Allow collectd_t read network state symlinks
+  * Revert "Allow collectd_t read proc_net link files"
+  * Allow nfsd_t to list exports_t dirs
+  * Allow cupsd dbus chat with xdm
+  * Allow haproxy read hardware state information
+  * Label /dev/userfaultfd with userfaultfd_t
+  * Allow blueman send general signals to unprivileged user domains
+  * Allow dkim-milter domain transition to sendmail

 -------------------------------------------------------------------
 Tue Apr 25 15:12:47 UTC 2023 - cathy.hu@suse.com
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -33,7 +33,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20230523+git16.0849f54c
+Version:        20240604+git1.ee0114f1
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
--- a/update.sh
+++ b/update.sh
@ -2,18 +2,20 @@

 date=$(date '+%Y%m%d')
 base_name_pattern='selinux-policy-*.tar.xz'
-
 echo Update to $date

 old_tar_file=$(ls -1 $base_name_pattern)

 osc service manualrun

-rm -rf container-selinux
-git clone --depth 1 https://github.com/containers/container-selinux.git
-rm -f container.*
-mv container-selinux/container.* .
-rm -rf container-selinux
+if [ "$1" = "full" ]; then
+  echo doing full update including container-selinux
+  rm -rf container-selinux
+  git clone --depth 1 https://github.com/containers/container-selinux.git
+  rm -f container.*
+  mv container-selinux/container.* .
+  rm -rf container-selinux
+fi

 # delete old files. Might need a better sanity check
 tar_cnt=$(ls -1 $base_name_pattern  | wc -l)
@ -24,4 +26,3 @@ if [ $tar_cnt -gt 1 ]; then
 fi

 osc status
-