+## Allow containers to use any dri device volume mounted into container +##
+##
## Allow sandbox containers to manage cgroup (systemd)
@@ -136,6 +143,7 @@ type container_devpts_t alias docker_devpts_t;
term_pty(container_devpts_t)
typealias container_ro_file_t alias { container_share_t docker_share_t };
+typeattribute container_ro_file_t container_file_type, user_home_type;
files_mountpoint(container_ro_file_t)
userdom_user_home_content(container_ro_file_t)
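Review bot: The added `typeattribute container_ro_file_t container_file_type, user_home_type;` assigns `user_home_type`, which `userdom_user_home_content(container_ro_file_t)` two lines below already provides if that interface follows the refpolicy definition, so the second attribute is likely redundant. Joining `container_file_type` also pulls the read-only share type into every rule written against that attribute, including `allow spc_t container_file_type:file execmod;` and `role container_user_r types container_file_type;` elsewhere in this diff. A short comment naming the access that needs it would help later audits, e.g. `# container_ro_file_t joins container_file_type so that <ACCESS_REASON placeholder> also covers read-only image content`.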
@@ -568,7 +576,6 @@ tunable_policy(`virt_use_nfs',`
fs_manage_nfs_symlinks(container_runtime_domain)
fs_remount_nfs(container_runtime_domain)
fs_mount_nfs(container_runtime_domain)
- fs_unmount_nfs(container_runtime_domain)
fs_exec_nfs_files(container_runtime_domain)
kernel_rw_fs_sysctls(container_runtime_domain)
allow container_runtime_domain nfs_t:file execmod;
@@ -634,21 +641,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
fs_manage_fusefs_files(container_runtime_domain)
fs_manage_fusefs_symlinks(container_runtime_domain)
fs_mount_fusefs(container_runtime_domain)
-fs_unmount_fusefs(container_runtime_domain)
fs_exec_fusefs_files(container_runtime_domain)
storage_rw_fuse(container_runtime_domain)
-optional_policy(`
- files_search_all(container_domain)
- container_read_share_files(container_domain)
- container_exec_share_files(container_domain)
- allow container_domain container_ro_file_t:file execmod;
- container_lib_filetrans(container_domain,container_file_t, sock_file)
- container_use_ptys(container_domain)
- container_spc_stream_connect(container_domain)
- fs_dontaudit_remount_tmpfs(container_domain)
- dev_dontaudit_mounton_sysfs(container_domain)
-')
+files_search_all(container_domain)
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
optional_policy(`
apache_exec_modules(container_runtime_domain)
@@ -746,7 +748,7 @@ tunable_policy(`container_connect_any',`
#
# spc local policy
#
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -755,6 +757,7 @@ domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
+allow spc_t container_file_type:file execmod;
admin_pattern(spc_t, kubernetes_file_t)
@@ -776,6 +779,10 @@ optional_policy(`
systemd_dbus_chat_logind(spc_t)
')
+domain_transition_all(spc_t)
+
+anaconda_domtrans_install(spc_t)
+
optional_policy(`
dbus_chat_system_bus(spc_t)
dbus_chat_session_bus(spc_t)
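Review bot: `anaconda_domtrans_install(spc_t)` is called at file scope, outside any `optional_policy()` block, unlike the neighbouring `systemd_dbus_chat_logind(spc_t)` and `dbus_chat_*` calls; if the anaconda module is not part of the policy build, an interface from an absent module fails at link time. Wrapping it as `optional_policy(` / `anaconda_domtrans_install(spc_t)` / `')` keeps the super-privileged container policy loadable without anaconda. `domain_transition_all(spc_t)` comes from the always-present domain module and can stay as is, though a comment on why a blanket transition rule is needed on top of the existing domtrans patterns would help.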
@@ -878,7 +885,7 @@ container_manage_files_template(container, container)
typeattribute container_file_t container_file_type, user_home_type;
typeattribute container_t container_domain, container_net_domain, container_user_domain;
allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
allow container_domain container_runtime_t:unix_dgram_socket sendto;
@@ -897,6 +904,7 @@ dontaudit container_domain self:dir { write add_name };
allow container_domain self:file rw_file_perms;
allow container_domain self:lnk_file read_file_perms;
allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
allow container_domain self:filesystem associate;
allow container_domain self:key manage_key_perms;
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
@@ -916,28 +924,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
allow container_domain self:unix_stream_socket create_stream_socket_perms;
dontaudit container_domain self:capability2 block_suspend ;
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
-fs_rw_onload_sockets(container_domain)
-fs_fusefs_entrypoint(container_domain)
fs_fusefs_entrypoint(spc_t)
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)
-fs_dontaudit_remount_tmpfs(container_domain)
+
dev_dontaudit_mounton_sysfs(container_domain)
dev_dontaudit_mounton_sysfs(container_domain)
-fs_mount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+dev_getattr_mtrr_dev(container_domain)
+dev_list_sysfs(container_domain)
+dev_mounton_sysfs(container_t)
+dev_read_mtrr(container_domain)
+dev_read_rand(container_domain)
+dev_read_sysfs(container_domain)
+dev_read_urand(container_domain)
+dev_rw_inherited_dri(container_domain)
+dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
+dev_write_rand(container_domain)
+dev_write_urand(container_domain)
+allow container_domain sysfs_t:dir watch;
dontaudit container_domain container_runtime_tmpfs_t:dir read;
allow container_domain container_runtime_tmpfs_t:dir mounton;
-
-dev_getattr_mtrr_dev(container_domain)
-dev_list_sysfs(container_domain)
-allow container_domain sysfs_t:dir watch;
-
-dev_rw_kvm(container_domain)
-dev_rwx_zero(container_domain)
+can_exec(container_domain, container_runtime_tmpfs_t)
allow container_domain self:key manage_key_perms;
dontaudit container_domain container_domain:key search;
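Review bot: The added `dev_dontaudit_mounton_sysfs(container_domain)` is a third copy of the same call, which already appears twice on the two unchanged lines just above it; drop the new line and, while here, the pre-existing duplicate. `can_exec(container_domain, container_runtime_tmpfs_t)` at the end of the hunk, together with the `entrypoint` permission on `container_runtime_tmpfs_t` granted earlier in this diff for both `container_domain` and `spc_t`, lets any container execute files the runtime places on its tmpfs. The commit message does not say which runtime feature relies on that; a comment would make the grant auditable, e.g. `# runtime-provided binaries on container_runtime_tmpfs_t (<FEATURE placeholder>) must be executable from inside the container`.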
@@ -953,7 +966,7 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
allow container_domain self:passwd rootok;
allow container_domain self:filesystem associate;
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
kernel_getattr_proc(container_domain)
kernel_list_all_proc(container_domain)
@@ -970,16 +983,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
kernel_read_irq_sysctls(container_domain)
kernel_get_sysvipc_info(container_domain)
-fs_getattr_all_fs(container_domain)
-fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_tmpfs_symlinks(container_domain)
-fs_search_tmpfs(container_domain)
-fs_list_hugetlbfs(container_domain)
-fs_manage_hugetlbfs_files(container_domain)
-fs_exec_hugetlbfs_files(container_domain)
fs_dontaudit_getattr_all_dirs(container_domain)
fs_dontaudit_getattr_all_files(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_fusefs_entrypoint(container_domain)
+fs_getattr_all_fs(container_domain)
+fs_list_cgroup_dirs(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_bpf_files(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mount_tmpfs(container_domain)
+fs_unmount_tmpfs(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_mounton_cgroup(container_domain)
+fs_mounton_fusefs(container_domain)
+fs_read_cgroup_files(container_domain)
fs_read_nsfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_rw_onload_sockets(container_domain)
+fs_search_tmpfs(container_domain)
+fs_unmount_cgroup(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_unmount_nsfs(container_domain)
+fs_unmount_xattr_fs(container_domain)
term_use_all_inherited_terms(container_domain)
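Review bot: Three calls appear twice on the new side of this hunk: `fs_dontaudit_remount_tmpfs(container_domain)` on consecutive lines, and `fs_unmount_fusefs(container_domain)` and `fs_unmount_xattr_fs(container_domain)` once in the alphabetical run and again near its end; each second copy should be dropped. `fs_mounton_cgroup` and `fs_unmount_cgroup` are added here for `container_domain`, while the lines they replace in the next hunk were scoped to `container_t` only, so every type carrying the container_domain attribute now gains cgroup mount-over and unmount. `fs_manage_bpf_files`, `fs_unmount_tmpfs` and `fs_unmount_nsfs` have no removed counterpart anywhere in the diff and are new grants. If the widening and the new grants are intended, a comment above the block should say so, e.g. `# cgroup mount/unmount and bpffs management are needed by all container domains for <REASON placeholder>`.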
@@ -1003,18 +1042,6 @@ gen_require(`
type cgroup_t;
')
-dev_read_sysfs(container_domain)
-dev_read_mtrr(container_domain)
-dev_mounton_sysfs(container_t)
-
-fs_mounton_cgroup(container_t)
-fs_unmount_cgroup(container_t)
-
-dev_read_rand(container_domain)
-dev_write_rand(container_domain)
-dev_read_urand(container_domain)
-dev_write_urand(container_domain)
-
files_read_kernel_modules(container_domain)
allow container_file_t cgroup_t:filesystem associate;
@@ -1069,9 +1096,6 @@ gen_require(`
')
dontaudit container_domain usermodehelper_t:file write;
-fs_read_cgroup_files(container_domain)
-fs_list_cgroup_dirs(container_domain)
-
sysnet_read_config(container_domain)
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
@@ -1099,20 +1123,6 @@ tunable_policy(`container_manage_cgroup',`
fs_manage_cgroup_files(container_domain)
')
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_manage_fusefs_dirs(container_domain)
-fs_manage_fusefs_files(container_domain)
-fs_manage_fusefs_symlinks(container_domain)
-fs_manage_fusefs_named_sockets(container_domain)
-fs_manage_fusefs_named_pipes(container_domain)
-fs_exec_fusefs_files(container_domain)
-fs_mount_xattr_fs(container_domain)
-fs_unmount_xattr_fs(container_domain)
-fs_remount_xattr_fs(container_domain)
-fs_mount_fusefs(container_domain)
-fs_unmount_fusefs(container_domain)
-fs_mounton_fusefs(container_domain)
storage_rw_fuse(container_domain)
allow container_domain fusefs_t:file { mounton execmod };
allow container_domain fusefs_t:filesystem remount;
@@ -1187,6 +1197,7 @@ dev_mount_sysfs_fs(container_userns_t)
dev_mounton_sysfs(container_userns_t)
fs_mount_tmpfs(container_userns_t)
+fs_unmount_tmpfs(container_userns_t)
fs_relabelfrom_tmpfs(container_userns_t)
fs_remount_cgroup(container_userns_t)
@@ -1383,6 +1394,10 @@ tunable_policy(`container_use_devices',`
allow container_domain device_node:blk_file {rw_blk_file_perms map};
')
+tunable_policy(`container_use_dri_devices',`
+ dev_rw_dri(container_domain)
+')
+
tunable_policy(`virt_sandbox_use_sys_admin',`
allow container_init_t self:capability sys_admin;
allow container_init_t self:cap_userns sys_admin;
@@ -1399,19 +1414,24 @@ fs_mounton_cgroup(container_engine_t)
fs_unmount_cgroup(container_engine_t)
fs_manage_cgroup_dirs(container_engine_t)
fs_manage_cgroup_files(container_engine_t)
-fs_mount_tmpfs(container_engine_t)
fs_write_cgroup_files(container_engine_t)
-
-allow container_engine_t proc_t:file mounton;
-allow container_engine_t sysctl_t:file mounton;
-allow container_engine_t sysfs_t:filesystem remount;
-
+fs_remount_cgroup(container_engine_t)
+fs_mount_all_fs(container_engine_t)
+fs_remount_all_fs(container_engine_t)
+fs_unmount_all_fs(container_engine_t)
+kernel_mounton_all_sysctls(container_engine_t)
kernel_mount_proc(container_engine_t)
-kernel_mounton_core_if(container_engine_t)
kernel_mounton_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
-
term_mount_pty_fs(container_engine_t)
+term_use_generic_ptys(container_engine_t)
+
+allow container_engine_t container_file_t:chr_file mounton;
+allow container_engine_t filesystem_type:{dir file} mounton;
+allow container_engine_t proc_kcore_t:file mounton;
+allow container_engine_t proc_t:filesystem remount;
+allow container_engine_t sysctl_t:{dir file} mounton;
type kubelet_t, container_runtime_domain;
domain_type(kubelet_t)
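Review bot: `fs_mount_all_fs`, `fs_remount_all_fs`, `fs_unmount_all_fs`, `kernel_mounton_all_sysctls` and `allow container_engine_t filesystem_type:{dir file} mounton;` replace three rules that named `proc_t`, `sysctl_t` and `sysfs_t` individually, so container_engine_t moves from a handful of pseudo-filesystems to mount, remount, unmount and mount-over of every filesystem type the policy knows. If only the proc/sysfs/cgroup/tmpfs flows of the engine need this, the targeted rules that were removed were the tighter choice and should be kept instead. Assuming the refpolicy definitions of those interfaces, several explicit rules here are subsumed by the call next to them and can go: `allow container_engine_t proc_t:filesystem remount;` by `fs_remount_all_fs`, `allow container_engine_t sysctl_t:{dir file} mounton;` by `kernel_mounton_all_sysctls`, and `allow container_engine_t proc_kcore_t:file mounton;` by the `kernel_mounton_core_if` call already present. The `type kubelet_t, container_runtime_domain;` declaration at the hunk's end belongs to policy that continues outside this hunk.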
@@ -1516,6 +1536,9 @@ role container_user_r types container_user_domain;
role container_user_r types container_net_domain;
role container_user_r types container_file_type;
container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)
fs_manage_cgroup_dirs(container_user_t)
fs_manage_cgroup_files(container_user_t)
@@ -1524,6 +1547,12 @@ selinux_compute_access_vector(container_user_t)
systemd_dbus_chat_hostnamed(container_user_t)
systemd_start_systemd_services(container_user_t)
+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;
allow container_domain container_file_t:file entrypoint;
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
@@ -1533,3 +1562,8 @@ allow container_domain fusefs_t:file { append create entrypoint execmod execute
corecmd_entrypoint_all_executables(container_kvm_t)
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain mountpoint:file entrypoint;
+
+tunable_policy(`deny_ptrace',`',`
+ allow container_domain self:process ptrace;
+ allow spc_t self:process ptrace;
+')
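Review bot: The `tunable_policy(`deny_ptrace',`',` ... ')` block has an empty true branch, so `allow container_domain self:process ptrace;` and `allow spc_t self:process ptrace;` take effect whenever `deny_ptrace` is off, which is easy to misread as the tunable enabling ptrace. A comment above the block makes the intent explicit, e.g. `# Unless deny_ptrace is set, containers and spc_t may ptrace their own processes`. The `svirt_sandbox_domain` rules above are unchanged context and the enclosing policy continues outside the hunk.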
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index beaff36..97bd0be 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -1,5 +1,5 @@
-/run /var/run
-/run/lock /var/lock
+/var/run /run
+/var/lock /run/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
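Review bot: After the swap, `/var/run /run` and `/var/lock /run/lock` map the legacy paths onto the new ones, but the unchanged `/var/run/lock /var/lock` line still maps onto `/var/lock`, which is itself a legacy path in this file. If substitution is applied once per lookup rather than chained, a path under /var/run/lock resolves to /var/lock/... and misses the /run/lock entries this update renames everything to. Changing that line to `/var/run/lock /run/lock` keeps the three entries consistent; confirming with `matchpathcon /var/run/lock/<NAME placeholder>` after install would settle it.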
diff --git a/selinux-policy-20240321.tar.xz b/selinux-policy-20240321.tar.xz
deleted file mode 100644
index e61a0a9..0000000
--- a/selinux-policy-20240321.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ed0bad67b8e0c601abcebefc191e3c0b97b05d6090d63e83e61f9fcda36f4903
-size 767332
diff --git a/selinux-policy-20240411.tar.xz b/selinux-policy-20240411.tar.xz
new file mode 100644
index 0000000..7127a19
--- /dev/null
+++ b/selinux-policy-20240411.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3570c8520464f6d7719a016ea1d7b65c1a276102d75fbdaf7be4e7decaa1307d
+size 768484
diff --git a/selinux-policy.changes b/selinux-policy.changes
index a48fb5d..f5d31f3 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,74 @@
+-------------------------------------------------------------------
+Thu Apr 11 15:13:31 UTC 2024 - cathy.hu@suse.com
+
+- Update to version 20240411:
+ * Remove duplicate in sysnetwork.fc
+ * Rename /var/run/wicked* to /run/wicked*
+ * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
+ * policy: support pidfs
+ * Confine selinux-autorelabel-generator.sh
+ * Allow logwatch_mail_t read/write to init over a unix stream socket
+ * Allow logwatch read logind sessions files
+ * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
+ * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
+ * Allow NetworkManager the sys_ptrace capability in user namespace
+ * dontaudit execmem for modemmanager
+ * Allow dhcpcd use unix_stream_socket
+ * Allow dhcpc read /run/netns files
+ * Update mmap_rw_file_perms to include the lock permission
+ * Allow plymouthd log during shutdown
+ * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
+ * Allow journalctl_t read filesystem sysctls
+ * Allow cgred_t to get attributes of cgroup filesystems
+ * Allow wdmd read hardware state information
+ * Allow wdmd list the contents of the sysfs directories
+ * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
+ * Allow sulogin relabel tty1
+ * Dontaudit sulogin the checkpoint_restore capability
+ * Modify sudo_role_template() to allow getpgid
+ * Allow userdomain get attributes of files on an nsfs filesystem
+ * Allow opafm create NFS files and directories
+ * Allow virtqemud create and unlink files in /etc/libvirt/
+ * Allow virtqemud domain transition on swtpm execution
+ * Add the swtpm.if interface file for interactions with other domains
+ * Allow samba to have dac_override capability
+ * systemd: allow sys_admin capability for systemd_notify_t
+ * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
+ * Allow thumb_t to watch and watch_reads mount_var_run_t
+ * Allow krb5kdc_t map krb5kdc_principal_t files
+ * Allow unprivileged confined user dbus chat with setroubleshoot
+ * Allow login_userdomain map files in /var
+ * Allow wireguard work with firewall-cmd
+ * Differentiate between staff and sysadm when executing crontab with sudo
+ * Add crontab_admin_domtrans interface
+ * Allow abrt_t nnp domain transition to abrt_handle_event_t
+ * Allow xdm_t to watch and watch_reads mount_var_run_t
+ * Dontaudit subscription manager setfscreate and read file contexts
+ * Don't audit crontab_domain write attempts to user home
+ * Transition from sudodomains to crontab_t when executing crontab_exec_t
+ * Add crontab_domtrans interface
+ * Fix label of pseudoterminals created from sudodomain
+ * Allow utempter_t use ptmx
+ * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
+ * Allow admin user read/write on fixed_disk_device_t
+ * Only allow confined user domains to login locally without unconfined_login
+ * Add userdom_spec_domtrans_confined_admin_users interface
+ * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
+ * Add userdom_spec_domtrans_admin_users interface
+ * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
+ * Update ssh_role_template() for user ssh-agent type
+ * Allow init to inherit system DBus file descriptors
+ * Allow init to inherit fds from syslogd
+ * Allow any domain to inherit fds from rpm-ostree
+ * Update afterburn policy
+ * Allow init_t nnp domain transition to abrtd_t
+ * Rename all /var/lock file context entries to /run/lock
+ * Rename all /var/run file context entries to /run
+- Add script varrun-convert.sh for locally existing modules
+ to be able to cope with the /var/run -> /run change
+- Update embedded container-selinux to commit
+ a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
+
-------------------------------------------------------------------
Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 594e181..154e7f5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
-Version: 20240321
+Version: 20240411
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
@@ -61,6 +61,9 @@ Source30: setrans-targeted.conf
Source31: setrans-mls.conf
Source32: setrans-minimum.conf
+# Script to convert /var/run file context entries to /run
+Source37: varrun-convert.sh
+
Source40: securetty_types-targeted
Source41: securetty_types-mls
Source42: securetty_types-minimum
@@ -212,6 +215,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
+%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
%nil
@@ -248,6 +252,7 @@ fi;
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
+%{_libexecdir}/selinux/varrun-convert.sh %2; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%2/.rebuild; \
/usr/sbin/semodule -B -n -s %2; \
@@ -305,6 +310,7 @@ creating other policies.
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%{_tmpfilesdir}/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_libexecdir}/selinux/varrun-convert.sh
%package sandbox
Summary: SELinux policy sandbox
@@ -372,6 +378,9 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
cp $i selinux_config
done
+mkdir -p %{buildroot}%{_libexecdir}/selinux
+install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
+
make clean
%if %{BUILD_TARGETED}
%makeCmds targeted mcs allow
diff --git a/varrun-convert.sh b/varrun-convert.sh
new file mode 100644
index 0000000..b41b5ca
--- /dev/null
+++ b/varrun-convert.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
+if [ "${DEBUG}" = "yes" ]; then
+ set -x
+fi
+
+# Auxiliary and log files will be created in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+ [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+ exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+ [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+ exit
+fi
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+ [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+ exit 0
+fi
+
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+ subline="${line#/var}"
+ if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+ echo "$line"
+ fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <