Sync from SUSE:SLFO:Main selinux-policy revision b3055241f87f4b87ba0d78c6af6b4307

_service

@@ -4,8 +4,8 @@
     <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">alp-1.0</param>
-    <param name="match-tag">release-20230523</param>
+    <param name="revision">factory</param>
+    <param name="match-tag">release-20250627</param>
     <param name="versionrewrite-pattern">release-(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
   </service>

_servicedata

@@ -1,6 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param name="changesrevision">ef49ab5497238ac89ddd636b07fe372d9b995f13</param></service><service name="tar_scm">
-                <param name="url">https://github.com/containers/container-selinux.git</param>
-              <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
+              <param name="changesrevision">15675827ab60cadbfa09c9c74505ad34032ffe33</param></service></servicedata>

booleans-minimum.conf

@@ -1,232 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-# 
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-saslauthd_read_shadow  = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-# 
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-# 
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-# 
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network = true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
-mount_anyfile = true
-
-# Allow all domains to mmap files
-# 
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = true
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = true

booleans-mls.conf

@@ -1,232 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-# 
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-saslauthd_read_shadow  = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-# 
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-# 
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-# 
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network = true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
-mount_anyfile = true
-
-# Allow all domains to mmap files
-# 
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = false
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = false

booleans-targeted.conf

@@ -1,232 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-# 
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-saslauthd_read_shadow  = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-# 
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-# 
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-# 
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network = true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
-mount_anyfile = true
-
-# Allow all domains to mmap files
-# 
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = true
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = true

booleans.subs_dist

@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs

container.fc

@@ -9,14 +9,19 @@
 /usr/local/s?bin/kubelet.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/hyperkube.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/s?bin/docker.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubenswrapper.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubenswrapper.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/kubensenter.*		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubensenter.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildah		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/buildkitd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 
-/usr/s?bin/lxc-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/lxd-.*			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/fuidshift		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -59,6 +64,7 @@
 /etc/crio(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /exports(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 
+/var/lib/shared(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
@@ -86,6 +92,8 @@
 # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
 /var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
 
+HOME_DIR/\.local/share/ramalama(/.*)?		 gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/artifacts(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	 gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -103,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/atomic(/.*)?	<<none>>
 /var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/artifacts(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -111,15 +120,21 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/cache/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 
-/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+/opt/local-path-provisioner(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/kubelet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/kubelet/pod-resources(/.*)?	gen_context(system_u:object_r:kubelet_var_lib_t,s0)
 /var/lib/docker-latest(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
@@ -130,27 +145,28 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:
 /var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
 
 /var/lib/cni(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
-/var/lib/kubelet/pods(/.*)?							gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/crio(/.*)?								gen_context(system_u:object_r:container_var_lib_t,s0)
+/run/flannel(/.*)?								gen_context(system_u:object_r:container_var_run_t,s0)
 /var/log/containers(/.*)?							gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?								gen_context(system_u:object_r:container_log_t,s0)
 
-/var/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
-/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+/run/containers(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/crio(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?		gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
 
 /srv/containers(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 /var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
 
-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+/run/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
 
+/var/log/kube-apiserver(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /etc/kubernetes(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)

container.if

@@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
     files_pid_filetrans($1, container_var_run_t, dir, "containers")
     files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
 
+    logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
     logging_log_filetrans($1, container_log_t, dir, "lxc")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
     files_var_lib_filetrans($1, container_file_t, dir, "origin")
@@ -522,6 +523,7 @@ interface(`container_filetrans_named_content',`
     files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
+    files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")
 
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
@@ -535,6 +537,7 @@ interface(`container_filetrans_named_content',`
     #  workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
@@ -560,6 +563,8 @@ interface(`container_filetrans_named_content',`
     # Third-party snapshotters
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
 
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
+    filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
@@ -572,7 +577,7 @@ interface(`container_filetrans_named_content',`
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
     filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
-    files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
+    files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
 
 ########################################
@@ -997,7 +1002,6 @@ interface(`container_kubelet_domtrans',`
 interface(`container_kubelet_run',`
 	gen_require(`
 		type kubelet_t;
-		class dbus send_msg;
 	')
 
 	container_kubelet_domtrans($1)

container.te

@@ -1,7 +1,8 @@
-policy_module(container, 2.210.0)
+policy_module(container, 2.238.0)
 
 gen_require(`
 	class passwd rootok;
+	type system_conf_t;
 ')
 
 ########################################
@@ -17,6 +18,13 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)
 
+## <desc>
+##  <p>
+##  Allow all container domains to read cert files and directories
+##  </p>
+## </desc>
+gen_tunable(container_read_certs, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether sshd can launch container engines
@@ -31,6 +39,20 @@ gen_tunable(sshd_launch_containers, false)
 ## </desc>
 gen_tunable(container_use_devices, false)
 
+## <desc>
+##  <p>
+##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
+##  </p>
+## </desc>
+gen_tunable(container_use_xserver_devices, false)
+
+## <desc>
+##  <p>
+##  Allow containers to use any dri device volume mounted into container
+##  </p>
+## </desc>
+gen_tunable(container_use_dri_devices, true)
+
 ## <desc>
 ## <p>
 ## Allow sandbox containers to manage cgroup (systemd)
@@ -81,7 +103,7 @@ ifdef(`enable_mls',`
 	range_transition container_runtime_t conmon_exec_t:process s0;
 ')
 
-type spc_t, container_domain;
+type spc_t;
 domain_type(spc_t)
 role system_r types spc_t;
 
@@ -129,6 +151,7 @@ type container_devpts_t alias docker_devpts_t;
 term_pty(container_devpts_t)
 
 typealias container_ro_file_t alias { container_share_t docker_share_t };
+typeattribute container_ro_file_t container_file_type, user_home_type;
 files_mountpoint(container_ro_file_t)
 userdom_user_home_content(container_ro_file_t)
 
@@ -169,6 +192,7 @@ allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
 allow container_runtime_domain self:udp_socket create_socket_perms;
 allow container_runtime_domain self:capability2 block_suspend;
 allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain port_t:icmp_socket name_bind;
 allow container_runtime_domain self:filesystem associate;
 allow container_runtime_domain self:packet_socket create_socket_perms;
 allow container_runtime_domain self:socket create_socket_perms;
@@ -205,19 +229,24 @@ manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t
 manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
 userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
 userdom_manage_user_home_content(container_runtime_domain)
+userdom_map_user_home_files(container_runtime_t)
 
 manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
 manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
-files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")
 
 manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
 files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
+files_manage_generic_locks(container_runtime_domain)
 
 manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
 manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+
+logging_read_syslog_pid(container_runtime_domain)
 logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
+
 allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
 allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
@@ -243,8 +272,23 @@ manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, containe
 manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
 allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
 can_exec(container_runtime_domain, container_ro_file_t)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
@@ -262,6 +306,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
 allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")
 
 manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
@@ -270,17 +315,30 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
 term_use_all_ttys(container_runtime_domain)
 term_use_all_inherited_terms(container_runtime_domain)
 
+mls_file_read_to_clearance(container_runtime_t)
+mls_file_relabel_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+mls_process_read_to_clearance(container_runtime_t)
+mls_process_write_to_clearance(container_runtime_t)
+mls_socket_read_to_clearance(container_runtime_t)
+mls_socket_write_to_clearance(container_runtime_t)
+mls_sysvipc_read_to_clearance(container_runtime_t)
+mls_sysvipc_write_to_clearance(container_runtime_t)
+
 kernel_read_network_state(container_runtime_domain)
 kernel_read_all_sysctls(container_runtime_domain)
 kernel_rw_net_sysctls(container_runtime_domain)
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
 
 domain_obj_id_change_exemption(container_runtime_t)
 domain_subj_id_change_exemption(container_runtime_t)
@@ -390,7 +448,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	iptables_domtrans(container_runtime_domain)
+	gen_require(`
+		role unconfined_r;
+	')
+	iptables_run(container_runtime_domain, unconfined_r)
 
 	container_read_pid_files(iptables_t)
 	container_read_state(iptables_t)
@@ -458,33 +519,38 @@ dev_rw_loop_control(container_runtime_domain)
 dev_rw_lvm_control(container_runtime_domain)
 dev_read_mtrr(container_runtime_domain)
 
+userdom_map_user_home_files(container_runtime_t)
+
 files_getattr_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_dirs(container_runtime_domain)
 files_manage_isid_type_files(container_runtime_domain)
 files_manage_isid_type_symlinks(container_runtime_domain)
 files_manage_isid_type_chr_files(container_runtime_domain)
 files_manage_isid_type_blk_files(container_runtime_domain)
+files_manage_etc_dirs(container_runtime_domain)
+files_manage_etc_files(container_runtime_domain)
 files_exec_isid_files(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
 files_mounton_non_security(container_runtime_domain)
 files_mounton_isid_type_chr_file(container_runtime_domain)
 
-fs_mount_all_fs(container_runtime_domain)
-fs_unmount_all_fs(container_runtime_domain)
-fs_remount_all_fs(container_runtime_domain)
 files_mounton_isid(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_cgroup_dirs(container_runtime_domain)
 fs_manage_cgroup_files(container_runtime_domain)
-fs_rw_nsfs_files(container_runtime_domain)
-fs_relabelfrom_xattr_fs(container_runtime_domain)
-fs_relabelfrom_tmpfs(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_getattr_all_fs(container_runtime_domain)
-fs_rw_inherited_tmpfs_files(container_runtime_domain)
-fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_search_tmpfs(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
 fs_manage_hugetlbfs_files(container_runtime_domain)
+fs_mount_all_fs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_set_xattr_fs_quotas(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
 
 
 term_use_generic_ptys(container_runtime_domain)
@@ -518,7 +584,6 @@ tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_symlinks(container_runtime_domain)
 	fs_remount_nfs(container_runtime_domain)
 	fs_mount_nfs(container_runtime_domain)
-	fs_unmount_nfs(container_runtime_domain)
 	fs_exec_nfs_files(container_runtime_domain)
 	kernel_rw_fs_sysctls(container_runtime_domain)
 	allow container_runtime_domain nfs_t:file execmod;
@@ -563,6 +628,10 @@ tunable_policy(`container_use_cephfs',`
 	allow container_domain cephfs_t:file execmod;
 ')
 
+tunable_policy(`container_read_certs',`
+	miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
 	type ecryptfs_t;
 ')
@@ -580,21 +649,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
 fs_manage_fusefs_files(container_runtime_domain)
 fs_manage_fusefs_symlinks(container_runtime_domain)
 fs_mount_fusefs(container_runtime_domain)
-fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
 
-optional_policy(`
-    files_search_all(container_domain)
-    container_read_share_files(container_domain)
-    container_exec_share_files(container_domain)
-    allow container_domain container_ro_file_t:file execmod;
-    container_lib_filetrans(container_domain,container_file_t, sock_file)
-    container_use_ptys(container_domain)
-    container_spc_stream_connect(container_domain)
-    fs_dontaudit_remount_tmpfs(container_domain)
-    dev_dontaudit_mounton_sysfs(container_domain)
-')
+files_search_all(container_domain)
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
 
 optional_policy(`
 	apache_exec_modules(container_runtime_domain)
@@ -648,12 +712,12 @@ optional_policy(`
 		role unconfined_r;
 	')
 	role unconfined_r types container_user_domain;
+	role unconfined_r types spc_t;
 	unconfined_domain(container_runtime_t)
 	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
-	role_transition unconfined_r container_runtime_exec_t system_r;
 	allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
 	allow container_runtime_domain unconfined_t:fifo_file setattr;
-	allow unconfined_domain_type container_domain:process {transition dyntransition };
+	allow unconfined_domain_type container_domain:process {transition dyntransition};
 	allow unconfined_t unlabeled_t:key manage_key_perms;
 	allow container_runtime_t unconfined_t:process transition;
 	allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
@@ -692,33 +756,44 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
+dontaudit spc_t self:memprotect mmap_zero;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
 
-allow container_runtime_domain spc_t:process2 nnp_transition;
+allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
+allow spc_t container_file_type:file execmod;
+
 admin_pattern(spc_t, kubernetes_file_t)
 
 allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
 allow spc_t { container_ro_file_t container_file_t }:system module_load;
 
-allow container_runtime_domain spc_t:process { setsched signal_perms };
+allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
 allow spc_t unlabeled_t:key manage_key_perms;
 allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+fs_fusefs_entrypoint(spc_t)
+corecmd_entrypoint_all_executables(spc_t)
 
 init_dbus_chat(spc_t)
 
 optional_policy(`
 	systemd_dbus_chat_machined(spc_t)
 	systemd_dbus_chat_logind(spc_t)
+	systemd_dbus_chat_timedated(spc_t)
+	systemd_dbus_chat_localed(spc_t)
 ')
 
+domain_transition_all(spc_t)
+
+anaconda_domtrans_install(spc_t)
+
 optional_policy(`
 	dbus_chat_system_bus(spc_t)
 	dbus_chat_session_bus(spc_t)
@@ -731,6 +806,11 @@ optional_policy(`
 	# This should eventually be in upstream policy.
 	# https://github.com/fedora-selinux/selinux-policy/pull/806
 	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+	allow daemon spc_t:dbus send_msg;
+')
+
+optional_policy(`
+	rtkit_scheduled(spc_t)
 ')
 
 optional_policy(`
@@ -744,7 +824,10 @@ optional_policy(`
 	gen_require(`
 		attribute virt_domain;
 		type virtd_t;
+		role unconfined_r;
 	')
+	role unconfined_r types virt_domain;
+	role unconfined_r types virtd_t;
 	container_spc_read_state(virt_domain)
 	container_spc_rw_pipes(virt_domain)
 	allow container_runtime_t virtd_t:process transition;
@@ -817,7 +900,7 @@ container_manage_files_template(container, container)
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;
@@ -836,6 +919,7 @@ dontaudit container_domain self:dir { write add_name };
 allow container_domain self:file rw_file_perms;
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@@ -855,28 +939,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
 dontaudit container_domain self:capability2  block_suspend ;
 allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
-fs_fusefs_entrypoint(container_domain)
-
+fs_fusefs_entrypoint(spc_t)
 
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
 container_use_ptys(container_domain)
 container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
+
 dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
-fs_mount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+dev_getattr_mtrr_dev(container_domain)
+dev_list_sysfs(container_domain)
+dev_mounton_sysfs(container_t)
+dev_read_mtrr(container_domain)
+dev_read_rand(container_domain)
+dev_read_sysfs(container_domain)
+dev_read_urand(container_domain)
+dev_rw_inherited_dri(container_domain)
+dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
+dev_write_rand(container_domain)
+dev_write_urand(container_domain)
+allow container_domain sysfs_t:dir watch;
 
 dontaudit container_domain container_runtime_tmpfs_t:dir read;
 allow container_domain container_runtime_tmpfs_t:dir mounton;
-
-dev_getattr_mtrr_dev(container_domain)
-dev_list_sysfs(container_domain)
-allow container_domain sysfs_t:dir watch;
-
-dev_rw_kvm(container_domain)
-dev_rwx_zero(container_domain)
+can_exec(container_domain, container_runtime_tmpfs_t)
 
 allow container_domain self:key manage_key_perms;
 dontaudit container_domain container_domain:key search;
@@ -892,10 +981,11 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow container_domain self:passwd rootok;
 allow container_domain self:filesystem associate;
 allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_mounton_all_proc(container_domain)
 kernel_read_all_sysctls(container_domain)
 kernel_dontaudit_write_kernel_sysctl(container_domain)
 kernel_read_network_state(container_domain)
@@ -909,16 +999,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
 kernel_read_irq_sysctls(container_domain)
 kernel_get_sysvipc_info(container_domain)
 
-fs_getattr_all_fs(container_domain)
-fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_tmpfs_symlinks(container_domain)
-fs_search_tmpfs(container_domain)
-fs_list_hugetlbfs(container_domain)
-fs_manage_hugetlbfs_files(container_domain)
-fs_exec_hugetlbfs_files(container_domain)
 fs_dontaudit_getattr_all_dirs(container_domain)
 fs_dontaudit_getattr_all_files(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_fusefs_entrypoint(container_domain)
+fs_getattr_all_fs(container_domain)
+fs_list_cgroup_dirs(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_bpf_files(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mount_tmpfs(container_domain)
+fs_unmount_tmpfs(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_mounton_cgroup(container_domain)
+fs_mounton_fusefs(container_domain)
+fs_read_cgroup_files(container_domain)
 fs_read_nsfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_rw_onload_sockets(container_domain)
+fs_search_tmpfs(container_domain)
+fs_unmount_cgroup(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_unmount_nsfs(container_domain)
+fs_unmount_xattr_fs(container_domain)
 
 term_use_all_inherited_terms(container_domain)
 
@@ -942,18 +1058,6 @@ gen_require(`
 	type cgroup_t;
 ')
 
-dev_read_sysfs(container_domain)
-dev_read_mtrr(container_domain)
-dev_mounton_sysfs(container_t)
-
-fs_mounton_cgroup(container_t)
-fs_unmount_cgroup(container_t)
-
-dev_read_rand(container_domain)
-dev_write_rand(container_domain)
-dev_read_urand(container_domain)
-dev_write_urand(container_domain)
-
 files_read_kernel_modules(container_domain)
 
 allow container_file_t cgroup_t:filesystem associate;
@@ -999,7 +1103,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
 
-
+allow container_domain spc_t:unix_stream_socket { read write };
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;
@@ -1009,9 +1113,6 @@ gen_require(`
 ')
 dontaudit container_domain usermodehelper_t:file write;
 
-fs_read_cgroup_files(container_domain)
-fs_list_cgroup_dirs(container_domain)
-
 sysnet_read_config(container_domain)
 
 allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@@ -1039,20 +1140,6 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_manage_fusefs_dirs(container_domain)
-fs_manage_fusefs_files(container_domain)
-fs_manage_fusefs_symlinks(container_domain)
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_exec_fusefs_files(container_domain)
-fs_mount_xattr_fs(container_domain)
-fs_unmount_xattr_fs(container_domain)
-fs_remount_xattr_fs(container_domain)
-fs_mount_fusefs(container_domain)
-fs_unmount_fusefs(container_domain)
-fs_mounton_fusefs(container_domain)
 storage_rw_fuse(container_domain)
 allow container_domain fusefs_t:file { mounton execmod };
 allow container_domain fusefs_t:filesystem remount;
@@ -1127,6 +1214,7 @@ dev_mount_sysfs_fs(container_userns_t)
 dev_mounton_sysfs(container_userns_t)
 
 fs_mount_tmpfs(container_userns_t)
+fs_unmount_tmpfs(container_userns_t)
 fs_relabelfrom_tmpfs(container_userns_t)
 fs_remount_cgroup(container_userns_t)
 
@@ -1171,6 +1259,7 @@ logging_read_all_logs(container_logreader_t)
 allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
+allow container_logreader_t container_log_t:file watch;
 
 # Container Logwriter
 container_domain_template(container_logwriter, container)
@@ -1180,6 +1269,7 @@ manage_files_pattern(container_logwriter_t, logfile, logfile)
 manage_dirs_pattern(container_logwriter_t, logfile, logfile)
 manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
 logging_manage_audit_log(container_logwriter_t)
+allow container_logwriter_t container_log_t:file watch;
 
 optional_policy(`
 	gen_require(`
@@ -1188,6 +1278,8 @@ optional_policy(`
 		attribute userdomain;
 	')
 
+	allow userdomain container_domain:process transition;
+
 	can_exec(userdomain, container_runtime_exec_t)
 	container_manage_files(userdomain)
 	container_manage_share_dirs(userdomain)
@@ -1280,6 +1372,7 @@ logging_send_syslog_msg(container_kvm_t)
 optional_policy(`
 	qemu_entry_type(container_kvm_t)
 	qemu_exec(container_kvm_t)
+	allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 ')
 
 manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
@@ -1316,8 +1409,17 @@ optional_policy(`
 ')
 
 tunable_policy(`container_use_devices',`
-	allow container_domain device_node:chr_file rw_chr_file_perms;
-	allow container_domain device_node:blk_file rw_blk_file_perms;
+	allow container_domain device_node:chr_file {rw_chr_file_perms map};
+	allow container_domain device_node:blk_file {rw_blk_file_perms map};
+')
+
+tunable_policy(`container_use_xserver_devices',`
+	dev_getattr_xserver_misc_dev(container_t)
+	dev_rw_xserver_misc(container_t)
+')
+
+tunable_policy(`container_use_dri_devices',`
+	dev_rw_dri(container_domain)
 ')
 
 tunable_policy(`virt_sandbox_use_sys_admin',`
@@ -1336,19 +1438,44 @@ fs_mounton_cgroup(container_engine_t)
 fs_unmount_cgroup(container_engine_t)
 fs_manage_cgroup_dirs(container_engine_t)
 fs_manage_cgroup_files(container_engine_t)
-fs_mount_tmpfs(container_engine_t)
 fs_write_cgroup_files(container_engine_t)
-
-allow container_engine_t proc_t:file mounton;
-allow container_engine_t sysctl_t:file mounton;
-allow container_engine_t sysfs_t:filesystem remount;
-
+fs_remount_cgroup(container_engine_t)
+fs_mount_all_fs(container_engine_t)
+fs_remount_all_fs(container_engine_t)
+fs_unmount_all_fs(container_engine_t)
+kernel_mounton_all_sysctls(container_engine_t)
 kernel_mount_proc(container_engine_t)
-kernel_mounton_core_if(container_engine_t)
 kernel_mounton_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
-
 term_mount_pty_fs(container_engine_t)
+term_use_generic_ptys(container_engine_t)
+
+allow container_engine_t container_file_t:chr_file mounton;
+allow container_engine_t filesystem_type:{dir file} mounton;
+allow container_engine_t proc_kcore_t:file mounton;
+allow container_engine_t proc_t:filesystem remount;
+allow container_engine_t sysctl_t:{dir file} mounton;
+allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
+allow container_engine_t fusefs_t:file relabelto;
+allow container_engine_t kernel_t:system module_request;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
+allow container_engine_t random_device_t:chr_file mounton;
+allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
+allow container_engine_t urandom_device_t:chr_file mounton;
+allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
+allow container_engine_t devpts_t:chr_file setattr;
+
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
+
+optional_policy(`
+	gen_require(`
+		type devtty_t;
+	')
+	allow container_engine_t devtty_t:chr_file mounton;
+')
 
 type kubelet_t, container_runtime_domain;
 domain_type(kubelet_t)
@@ -1361,12 +1488,24 @@ optional_policy(`
 	unconfined_domain(kubelet_t)
 ')
 
+manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 
 type kubelet_exec_t;
 application_executable_file(kubelet_exec_t)
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;
 
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
 ')
@@ -1384,7 +1523,6 @@ optional_policy(`
 	gen_require(`
 		type sysadm_t;
 		role sysadm_r;
-		attribute userdomain;
 		role unconfined_r;
 	')
 
@@ -1401,9 +1539,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
 container_domain_template(container_device_plugin, container)
+typeattribute container_device_plugin_t container_net_domain;
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
+kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t,  kubelet_var_lib_t, kubelet_t)
 
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
@@ -1441,3 +1582,52 @@ tunable_policy(`sshd_launch_containers',`
 	container_runtime_domtrans(sshd_t)
 	dontaudit systemd_logind_t iptables_var_run_t:dir read;
 ')
+
+role container_user_r;
+userdom_restricted_user_template(container_user)
+userdom_manage_home_role(container_user_r, container_user_t)
+
+allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
+
+role container_user_r types container_domain;
+role container_user_r types container_user_domain;
+role container_user_r types container_net_domain;
+role container_user_r types container_file_type;
+container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)
+
+fs_manage_cgroup_dirs(container_user_t)
+fs_manage_cgroup_files(container_user_t)
+
+selinux_compute_access_vector(container_user_t)
+systemd_dbus_chat_hostnamed(container_user_t)
+systemd_start_systemd_services(container_user_t)
+
+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;
+
+allow container_domain container_file_t:file entrypoint;
+allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
+allow container_domain container_var_lib_t:file entrypoint;
+allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
+
+allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
+
+corecmd_entrypoint_all_executables(container_kvm_t)
+allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
+allow svirt_sandbox_domain mountpoint:file entrypoint;
+
+tunable_policy(`deny_ptrace',`',`
+	allow container_domain self:process ptrace;
+	allow spc_t self:process ptrace;
+')
+
+# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
+# https://issues.redhat.com/browse/RHEL-91380
+files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")

customizable_types

@@ -1,13 +0,0 @@
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_lxc_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t

debug-build.sh

@@ -23,7 +23,7 @@ VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
 # Create tar file with name like selinux-policy-<current-version>.tar.xz 
 TAR_NAME=$REPO_NAME-$VERSION.tar.xz
 echo "Creating tar file: $TAR_NAME"
-tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
+tar --exclude-vcs -cJhf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
 
 # Some helpful prompts
 if test $? -eq 0; then 

file_contexts.subs_dist

@@ -1,17 +0,0 @@
-/run /var/run
-/run/lock /var/lock
-/var/run/lock /var/lock
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local /usr
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/run/netconfig /etc
-/var/adm/netconfig/md5/etc /etc
-/var/adm/netconfig/md5/var /var
-/usr/etc /etc

macros.selinux-policy

@@ -28,7 +28,7 @@
 %_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
 
 %_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
-%_file_context_file_pre /run/rpm-state/file_contexts.pre
+%_file_context_file_pre /var/adm/update-scripts/file_contexts.pre
 
 %_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
@@ -60,7 +60,11 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  if %{_sbindir}/selinuxenabled; then \
+    if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
+      %{_sbindir}/load_policy || : \
+    fi \
+  fi \
 fi \
 %{nil}
 
@@ -76,7 +80,11 @@ fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    if %{_sbindir}/selinuxenabled; then \
+      if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
+        %{_sbindir}/load_policy || : \
+      fi \
+    fi \
   fi \
 fi \
 %{nil}
@@ -92,7 +100,7 @@ if %{_sbindir}/selinuxenabled; then \
     _policytype="targeted" \
   fi \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-    mkdir -p /run/rpm-state \
+    mkdir -p $(dirname %{_file_context_file_pre}) \
     [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
   fi \
 fi \
@@ -110,8 +118,12 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    if [ -f %{_file_context_file_pre} ]; then \
-     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
-     rm -f %{_file_context_file_pre} \
+     if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
+       %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+       rm -f %{_file_context_file_pre} \
+     else \
+       touch /etc/selinux/.autorelabel \
+     fi \
    fi \
 fi \
 %{nil}

modules-minimum-base.conf

@@ -1,414 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-# 
-rpm = module
-
-# Layer: contrib
-# Module: packagekit
-#
-# Temporary permissive module for packagekit
-#
-packagekit = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-# 
-nscd = module

modules-minimum-disable.lst

@@ -1 +0,0 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs 

modules-minimum.lst

@@ -0,0 +1,52 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+rpm
+secadm
+selinuxutil
+setrans
+seunshare
+snapper
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver

modules-mls-base.conf

@@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module

modules-targeted-base.conf

@@ -1,421 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: contrib
-# Module: packagekit
-#
-# Temporary permissive module for packagekit
-#
-packagekit = module
-
-# Layer: contrib
-# Module: rtorrent
-#
-# Policy for rtorrent
-#
-rtorrent = module
-
-# Layer: contrib
-# Module: wicked
-#
-# Policy for wicked
-#
-wicked = module
-
-# Layer: system
-# Module: rebootmgr
-#
-# Policy for rebootmgr
-#
-rebootmgr = module

securetty_types-minimum

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

securetty_types-mls

@@ -1,6 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
-auditadm_tty_device_t
-secureadm_tty_device_t

securetty_types-targeted

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

selinux-policy-rpmlintrc

@@ -1,9 +0,0 @@
-addFilter("W: non-conffile-in-etc.*")
-addFilter("W: zero-length /etc/selinux/.*")
-addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
-addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
-addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
-addFilter("W: files-duplicate")
-addFilter("E: files-duplicated-waste")
-addFilter("W: zero-length")
-

selinux-policy.rpmlintrc

@@ -0,0 +1,14 @@
+# SELinux policy packaging places a lot of files under /etc. This is by
+# necessity at the moment, might get improved in the future.
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* W: non-conffile-in-etc.*")
+
+# Zero length files
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* zero-length /etc/selinux/.*")
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* zero-length /var/lib/selinux/.*")
+
+# Hidden sha512 file
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* hidden-file-or-dir /etc/selinux/(targeted|minimum|mls|sandbox)/.policy.sha512")
+
+# No check section needed
+addFilter("W: no-%check-section")
+

selinux-policy.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,10 @@
 %define monolithic n
 %define BUILD_TARGETED 1
 %define BUILD_MINIMUM 1
-%define BUILD_MLS 1
+# At the moment we don't build the MLS policy. We didn't do any testing for this and have no
+# confidence that it works. Feel free to branch the package and enable it, but be aware that
+# you're on your own
+%define BUILD_MLS 0
 
 %define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
 %define CHECKPOLICYVER %POLICYCOREUTILSVER
@@ -33,67 +36,48 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20230523+git14.ef49ab54
+Version:        20250627+git66.15675827a
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
 Source2:        container.te
 Source3:        container.if
-Source4:        selinux-policy-rpmlintrc
+Source4:        selinux-policy.rpmlintrc
 Source5:        README.Update
 Source6:        update.sh
 Source7:        debug-build.sh
 
-Source10:       modules-targeted-base.conf
-Source11:       modules-targeted-contrib.conf
-Source12:       modules-mls-base.conf
-Source13:       modules-mls-contrib.conf
-Source14:       modules-minimum-base.conf
-Source15:       modules-minimum-contrib.conf
-Source18:       modules-minimum-disable.lst
-
-Source20:       booleans-targeted.conf
-Source21:       booleans-mls.conf
-Source22:       booleans-minimum.conf
-Source23:       booleans.subs_dist
-
-Source30:       setrans-targeted.conf
-Source31:       setrans-mls.conf
-Source32:       setrans-minimum.conf
-
-Source40:       securetty_types-targeted
-Source41:       securetty_types-mls
-Source42:       securetty_types-minimum
-
-Source50:       users-targeted
-Source51:       users-mls
-Source52:       users-minimum
+Source18:       modules-minimum.lst
 
 Source60:       selinux-policy.conf
 
 Source91:       Makefile.devel
-Source92:       customizable_types
-#Source93:       config.tgz
-Source94:       file_contexts.subs_dist
 Source95:       macros.selinux-policy
 
-URL:            https://github.com/fedora-selinux/selinux-policy.git
+URL:            https://github.com/openSUSE/selinux-policy
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
+%if 0%{?suse_version} < 1600
+%define python_for_executables python311
+BuildRequires:  %{python_for_executables}
+BuildRequires:  %{python_for_executables}-policycoreutils
+%else
+BuildRequires:  %primary_python
+BuildRequires:  %{python_module policycoreutils}
+%endif
 BuildRequires:  checkpolicy
+BuildRequires:  fdupes
 BuildRequires:  gawk
 BuildRequires:  libxml2-tools
 BuildRequires:  m4
 BuildRequires:  policycoreutils
 BuildRequires:  policycoreutils-devel
-BuildRequires:  python3
-BuildRequires:  python3-policycoreutils
 # we need selinuxenabled
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre):  pam-config
-Requires(post): pam-config
-Requires(post): selinux-tools
-Requires(post): /usr/bin/sha512sum
+Requires(posttrans): pam-config
+Requires(posttrans): selinux-tools
+Requires(posttrans): /usr/bin/sha512sum
 Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
@@ -107,17 +91,11 @@ Recommends:     selinux-autorelabel
 %define makeCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
-cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
+install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
+install -p -m0644 ./dist/%1/users ./policy/users \
 
 %define makeModulesConf() \
-cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
-cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
-if [ %3 == "contrib" ];then \
-        cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
-        cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-fi; \
+install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
 
 %define installCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@@ -128,14 +106,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
-install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
-install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
-install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
-install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+install -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
+install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
 %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
@@ -198,8 +175,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %dir %{_datadir}/selinux/%1 \
 %dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
-%{_datadir}/selinux/%1/modules-base.lst \
-%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/modules.lst \
 %{_datadir}/selinux/%1/nonbasemodules.lst \
 %dir %{_sharedstatedir}/selinux/%1 \
 %{_sharedstatedir}/selinux/%1/active/commit_num \
@@ -219,42 +195,40 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 . %{_sysconfdir}/selinux/config; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 if selinuxenabled; then \
-  if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
+  if [ $? = 0 ] && [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT}.pre ]; then \
     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
   fi; \
-  if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \
-    continue; \
-  fi; \
+  /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \
 fi;
 
 %define preInstall() \
-if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
-     . %{_sysconfdir}/selinux/config; \
-     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
-        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
-     fi; \
-     touch %{_sysconfdir}/selinux/%1/.rebuild; \
-     if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
-        POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
-        sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
-        checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
-        if [ "$sha512" == "$checksha512" ] ; then \
-                rm %{_sysconfdir}/selinux/%1/.rebuild; \
-        fi; \
-   fi; \
+if [ "$1" -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
+  . %{_sysconfdir}/selinux/config; \
+  FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+  if [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT} ]; then \
+    [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
+  fi; \
+  touch %{_sysconfdir}/selinux/%1/.rebuild; \
+  if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
+    POLICY_FILE=$(ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1); \
+    sha512=$(sha512sum "$POLICY_FILE" | cut -d ' ' -f 1); \
+    checksha512=$(cat %{_sysconfdir}/selinux/%1/.policy.sha512); \
+    if [ "$sha512" = "$checksha512" ] ; then \
+      rm %{_sysconfdir}/selinux/%1/.rebuild; \
+    fi; \
+  fi; \
 fi;
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
-  /usr/sbin/semodule -B -n -s %2; \
+  /usr/sbin/semodule -B -n -s %2 2> /dev/null; \
 fi; \
 if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
-  touch /etc/selinux/.autorelabel \
-else    \
+  touch /etc/selinux/.autorelabel ; \
+else \
   if [ "${SELINUXTYPE}" = "%2" ]; then \
     if selinuxenabled; then \
       load_policy; \
@@ -267,34 +241,29 @@ else    \
     if [ %1 -eq 1 ]; then \
       /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
     else \
-      %relabel %2 \
+      %relabel %2 ; \
     fi; \
   else \
     # run fixfiles on next boot \
-    touch /.autorelabel \
+    touch /.autorelabel ; \
   fi; \
 fi;
 
 %define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
-if [ -e ./policy/modules-contrib.conf ];then \
-        awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
-fi;
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
 
 %define nonBaseModulesList() \
-contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
-base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
-for i in $contrib_modules $base_modules; do \
-    if [ $i != "sandbox" ];then \
-        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
-    fi; \
+modules=$(cat %{buildroot}%{_datadir}/selinux/%1/modules.lst); \
+for i in $modules; do \
+  if [ "$i" != "sandbox" ]; then \
+    echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst ; \
+  fi; \
 done;
 
 %description
-SELinux Reference Policy. A complete SELinux policy that can be used
-as the system policy for a variety of systems and used as the basis for
-creating other policies.
+A complete SELinux policy that can be used as the system policy for a variety
+of systems and used as the basis for creating other policies.
 
 %files
 %defattr(-,root,root,-)
@@ -320,18 +289,18 @@ SELinux sandbox policy used for the policycoreutils-sandbox package
 %post sandbox
 rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
-%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
+%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
 if %{_sbindir}/selinuxenabled ; then
-    %{_sbindir}/load_policy
+  %{_sbindir}/load_policy
 fi;
 exit 0
 
 %preun sandbox
-if [ $1 -eq 0 ] ; then
-    %{_sbindir}/semodule -n -d sandbox 2>/dev/null
-    if %{_sbindir}/selinuxenabled ; then
-        %{_sbindir}/load_policy
-    fi;
+if [ "$1" -eq 0 ] ; then
+  %{_sbindir}/semodule -n -d sandbox 2>/dev/null
+  if %{_sbindir}/selinuxenabled ; then
+    %{_sbindir}/load_policy
+  fi;
 fi;
 exit 0
 
@@ -367,15 +336,10 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
 
 mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
 
-mkdir selinux_config
-for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
- cp $i selinux_config
-done
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds targeted mcs allow
 # recreate sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@@ -387,19 +351,19 @@ mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
 
 %if %{BUILD_MINIMUM}
 %makeCmds minimum mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds minimum mcs allow
-install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
 # Sandbox is only targeted
 rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+install -p -m 644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
 %modulesList minimum
 %nonBaseModulesList minimum
 %endif
 
 %if %{BUILD_MLS}
 %makeCmds mls mls deny
-%makeModulesConf mls base contrib
+%makeModulesConf mls
 %installCmds mls mls deny
 %modulesList mls
 %nonBaseModulesList mls
@@ -412,7 +376,7 @@ make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot}
 make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
 mkdir %{buildroot}%{_datadir}/selinux/devel/
 mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
-install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 %{SOURCE91} %{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
 %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
@@ -421,62 +385,87 @@ mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel
 mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 rm %{buildroot}%{_mandir}/man8/container_selinux.8*
 rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
+%fdupes -s %{buildroot}%{_mandir}
 
 %post
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
-    # new install, use old sysconfig file if that exists,
-    # else create new one.
-    if [ -f  %{_sysconfdir}/sysconfig/selinux-policy ]; then
-	mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
-    else
-	echo "
+  # new install, use old sysconfig file if that exists,
+  # else create new one.
+  if [ -f  %{_sysconfdir}/sysconfig/selinux-policy ]; then
+    mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
+  else
+    echo "
 # This file controls the state of SELinux on the system.
 # SELinux can be completly disabled with the \"selinux=0\" kernel
 # commandline option.
 #
-# SELINUX= can take one of these three values:
-#     enforcing - SELinux security policy is enforced.
+# SELINUX= can take one of these two values:
+#     enforcing  - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
-SELINUX=permissive
+# Previously SELinux could be disabled by changing the value to
+# 'disabled'. This is deprecated and should not be used anymore.
+# If you want to disable linux add 'selinux=0' to the kernel
+# command line. For details see
+# https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
+SELINUX=enforcing
 # SELINUXTYPE= can take one of these three values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected.
-#     mls - Multi Level Security protection.
 SELINUXTYPE=targeted
 
 " > %{_sysconfdir}/selinux/config
-    fi
-    ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
-    %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
+  fi
+  ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
+  %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
 fi
 %tmpfiles_create %_tmpfilesdir/selinux-policy.conf
-if [ $1 -eq 1 ]; then
+if [ "$1" -eq 1 ]; then
   pam-config -a --selinux
 fi
+%if 0%{?is_opensuse}
+# 2025-04-07 cahu:
+# Extremely ugly Workaround for t-u module removal issue
+# (see bsc#1221342 bsc#1238062 bsc#1230643 bsc#1230938)
+# This removes empty module folders in /var/lib/selinux that
+# are created by microOS' create-dirs-from-rpmdb on rollback when the
+# current policy has dropped the module that was still contained in an older
+# snapshot. That means the removed module will also NOT be contained
+# in previous snapshots. Also this can cause warnings during install due to rpmdb
+# still containing the path that was deleted, which should go away in the subsequent
+# installations.
+# Can be dropped once PED-12491 is implemented.
+if [ -n "${TRANSACTIONAL_UPDATE}" ]; then
+  for p in targeted minimum mls; do
+    if [ -d %{_sharedstatedir}/selinux/$p/active/modules/100 ]; then
+      find %{_sharedstatedir}/selinux/$p/active/modules/100 -type d -empty -delete -print
+    fi
+  done
+fi
+%endif
 exit 0
 
 %define post_un() \
 # disable selinux if we uninstall a policy and it's the used one \
-if [ $1 -eq 0 ]; then \
+if [ "$1" -eq 0 ]; then \
   if [ -s %{_sysconfdir}/selinux/config ]; then \
-      source %{_sysconfdir}/selinux/config &> /dev/null || true \
-  fi \
+    . %{_sysconfdir}/selinux/config > /dev/null 2>&1 || true ; \
+  fi; \
   if [ "$SELINUXTYPE" = "$2" ]; then \
-    %{_sbindir}/setenforce 0 2> /dev/null \
+    %{_sbindir}/setenforce 0 2> /dev/null ; \
     if [ -s %{_sysconfdir}/selinux/config ]; then \
-      sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
-    fi \
-  fi \
-  pam-config -d --selinux \
-fi \
+      sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config ; \
+    fi; \
+  fi; \
+  pam-config -d --selinux ; \
+fi; \
 exit 0
 
 %postun
-if [ $1 = 0 ]; then
-     %{_sbindir}/setenforce 0 2> /dev/null
-     if [ -s %{_sysconfdir}/selinux/config ]; then
-          sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
-     fi
+if [ "$1" = 0 ]; then
+  %{_sbindir}/setenforce 0 2> /dev/null
+  if [ -s %{_sysconfdir}/selinux/config ]; then
+    sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
+  fi
 fi
 exit 0
 
@@ -487,14 +476,13 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       /usr/bin/make
 Requires:       checkpolicy >= %{CHECKPOLICYVER}
 Requires:       m4
+Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
 
 %description devel
-SELinux policy development and man page package
+SELinux policy development package
 
 %files devel
 %defattr(-,root,root,-)
-%doc %{_datadir}/man/ru/man8/*
-%doc %{_datadir}/man/man8/*
 %dir %{_datadir}/selinux/devel
 %dir %{_datadir}/selinux/devel/html/
 %doc %{_datadir}/selinux/devel/html/*
@@ -502,6 +490,11 @@ SELinux policy development and man page package
 %{_datadir}/selinux/devel/include/*
 %{_datadir}/selinux/devel/Makefile
 %{_datadir}/selinux/devel/example.*
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
+
+%post devel
+%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
+exit 0
 
 %package doc
 Summary:        SELinux policy documentation
@@ -510,11 +503,13 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       /usr/bin/xdg-open
 
 %description doc
-SELinux policy documentation package
+SELinux policy documentation and man page package
 
 %files doc
 %defattr(-,root,root,-)
 %doc %{_datadir}/doc/%{name}
+%doc %{_datadir}/man/ru/man8/*
+%doc %{_datadir}/man/man8/*
 %{_datadir}/selinux/devel/policy.*
 
 %if %{BUILD_TARGETED}
@@ -527,12 +522,12 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 
 %description targeted
-SELinux Reference policy targeted base module.
+SELinux policy targeted base module.
 
 %pre targeted
 %preInstall targeted
 
-%post targeted
+%posttrans targeted
 %postInstall $1 targeted
 exit 0
 
@@ -540,7 +535,7 @@ exit 0
 %post_un $1 targeted
 
 %triggerin -- libpcre2-8-0
-%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
+%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
 exit 0
 
 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
@@ -562,41 +557,42 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 
 %description minimum
-SELinux Reference policy minimum base module.
+SELinux policy minimum base module.
 
 %pre minimum
 %preInstall minimum
-if [ $1 -ne 1 ]; then
-    %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
+if [ "$1" -ne 1 ]; then
+  %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
 fi
 
 %post minimum
-contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
-basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
-mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
-if [ $1 -eq 1 ]; then
-    for p in $contribpackages; do
-	touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-    done
-    for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
-	rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-    done
-    %{_sbindir}/semanage import -S minimum -f - << __eof
+modules=$(cat %{_datadir}/selinux/minimum/modules.lst)
+basemodules=$(cat %{_datadir}/selinux/minimum/base.lst)
+enabledmodules=$(cat %{_datadir}/selinux/minimum/modules-enabled.lst)
+mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled
+if [ "$1" -eq 1 ]; then
+  for p in $modules; do
+    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
+  done
+  for p in $basemodules $enabledmodules; do
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
+  done
+  %{_sbindir}/semanage import -S minimum -f - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
-    /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
-    %{_sbindir}/semodule -B -s minimum
+  /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
+  %{_sbindir}/semodule -B -s minimum 2> /dev/null
 else
-    instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
-    for p in $contribpackages; do
-	touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-    done
-    for p in $instpackages snapper dbus kerberos nscd rtkit; do
-	rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-    done
-    %{_sbindir}/semodule -B -s minimum
-    %relabel minimum
+  instpackages=$(cat %{_datadir}/selinux/minimum/instmodules.lst)
+  for p in $modules; do
+    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
+  done
+  for p in $instpackages snapper dbus kerberos nscd rtkit; do
+    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
+  done
+  %{_sbindir}/semodule -B -s minimum 2> /dev/null
+  %relabel minimum
 fi
 exit 0
 
@@ -606,7 +602,7 @@ exit 0
 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
-%{_datadir}/selinux/minimum/modules-minimum-disable.lst
+%{_datadir}/selinux/minimum/modules-enabled.lst
 %fileList minimum
 %endif
 
@@ -623,12 +619,12 @@ Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 
 %description mls
-SELinux Reference policy mls base module.
+SELinux policy mls base module.
 
 %pre mls
 %preInstall mls
 
-%post mls
+%posttrans mls
 %postInstall $1 mls
 
 %postun mls

setrans-minimum.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

setrans-mls.conf

@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-#  SystemLow
-#  SystemHigh
-#  Unclassified 
-#  Secret with compartments A and B.
-# 
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

setrans-targeted.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

update.sh

@@ -2,18 +2,20 @@
 
 date=$(date '+%Y%m%d')
 base_name_pattern='selinux-policy-*.tar.xz'
-
 echo Update to $date
 
 old_tar_file=$(ls -1 $base_name_pattern)
 
 osc service manualrun
 
-rm -rf container-selinux
-git clone --depth 1 https://github.com/containers/container-selinux.git
-rm -f container.*
-mv container-selinux/container.* .
-rm -rf container-selinux
+if [ "$1" = "full" ]; then
+  echo doing full update including container-selinux
+  rm -rf container-selinux
+  git clone --depth 1 https://github.com/containers/container-selinux.git
+  rm -f container.*
+  mv container-selinux/container.* .
+  rm -rf container-selinux
+fi
 
 # delete old files. Might need a better sanity check
 tar_cnt=$(ls -1 $base_name_pattern  | wc -l)
@@ -24,4 +26,3 @@ if [ $tar_cnt -gt 1 ]; then
 fi
 
 osc status
-

users-minimum

@@ -1,39 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

users-mls

@@ -1,40 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)

users-targeted

@@ -1,41 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)