diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index b4af268b45..60c73e3e85 100644
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -19,6 +19,26 @@ interface(`brctl_domtrans',`
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
+########################################
+##
+## Allow a specified domain to execute, execute without transition,
+## get attributes, map, open, and read the brctl_exec_t file type.
+##
+##
+##
+## Domain being granted permissions on brctl_exec_t file type.
+##
+##
+#
+interface(`brctl_exec_permissions',`
+ gen_require(`
+ type brctl_exec_t;
+ ')
+
+ allow $1 brctl_exec_t:file exec_file_perms;
+')
+
+
########################################
##
## Execute brctl in the brctl domain, and
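Review bot: `brctl_exec_permissions` grants `exec_file_perms` on brctl_exec_t, which is execution without a domain transition, so a caller runs brctl inside its own domain instead of the confined brctl_t that the `brctl_domtrans` interface just above sets up; the interface summary should state that this is deliberate and in which situation `brctl_domtrans` cannot be used. Refpolicy convention for this pattern is an interface named `brctl_exec` whose body is `can_exec($1, brctl_exec_t)`, which is the same permission set and is what auditors will look for. The XML `<summary>` and `<param name="domain">` tags appear to have been lost in this rendering, leaving bare `##` lines around the description; if they are also missing in the file, the interface documentation will not parse, so verify that before merging.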
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ecf2afded9..2b176a8f12 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6978,6 +6978,27 @@ interface(`files_rw_runtime_files',`
rw_files_pattern($1, var_run_t, var_run_t)
')
+########################################
+##
+## Allow a specified domain to create, lock, open, read, and write
+## files labeled with var_run_t. This is a generic interface that can be
+## applied to any domain passed as a parameter.
+##
+##
+##
+## Domain being granted file operation permissions on var_run_t file type.
+##
+##
+#
+interface(`var_run_file_operations',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:file manage_file_perms;
+')
+
+
########################################
##
## Delete generic runtime symlinks.
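Review bot: `var_run_file_operations` grants `manage_file_perms` on the generic var_run_t type, which is much more than the summary lists (it includes create, unlink, rename, link and setattr in addition to read and write), and the later hunks hand it to ifconfig_t, iptables_t and xm_t, so each of those domains can create or delete any unlabelled file under /run, including pid and lock files of unrelated services. The tighter refpolicy approach is to give the runtime files these domains actually touch a type of their own (a file context entry plus a runtime file transition) and grant manage on that type only; if a generic grant is really required, check whether files.if already provides a manage interface for var_run_t files before adding another. The new interface also lacks the `files_` prefix every other interface in files.if carries, and it should use `manage_files_pattern($1, var_run_t, var_run_t)` the way the neighbouring `files_rw_runtime_files` uses `rw_files_pattern`, so that the accompanying directory search is granted consistently. At minimum the summary must list the full permission set the interface grants.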
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 62c6b22ea3..0d50949783 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -742,6 +742,14 @@ userdom_search_user_runtime_root(container_engine_t)
userdom_manage_user_runtime_root_dirs(container_engine_t)
files_map_etc_files(container_engine_t)
fs_read_cgroup_lnk_file(container_engine_t)
+files_manage_quota_aos(container_engine_t)
+files_manage_overlay_aos(container_engine_t)
+
+corenet_tcp_connect_all_unreserved_ports(container_engine_t)
+
+kernel_read_vm_overcommit_sysctl(container_engine_t)
+
+kernel_search_vm_sysctl(container_engine_t)
ifdef(`init_systemd',`
# needed by runc, which is also invoked by other engines
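Review bot: `corenet_tcp_connect_all_unreserved_ports(container_engine_t)` lets the engine connect to any unreserved TCP port unconditionally; in refpolicy a grant this broad is normally placed inside a `tunable_policy` block so an administrator can disable it, and a grant on the specific port type the engine needs would be tighter still. The `files_manage_*_aos` calls and the two `kernel_*_vm_*sysctl` calls carry no comment recording the denial that motivated them, unlike the existing `# needed by runc` line just below; one comment per group in that style would keep these grants auditable. The aos interfaces are defined in aos.if yet carry the `files_` prefix, which will mislead anyone searching the files module for them.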
diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if
index b6bec8c13e..84bcbc3d20 100644
--- a/policy/modules/system/aos.if
+++ b/policy/modules/system/aos.if
@@ -164,9 +164,28 @@ interface(`files_manage_quota_aos',`
allow $1 aos_var_run_t:dir manage_dir_perms;
allow $1 aos_var_run_t:file { manage_file_perms quotaon exec_file_perms };
- allow $1 aos_var_run_t:filesystem { quotaget quotamod };
+ allow $1 aos_var_run_t:filesystem { quotaget quotamod remount getattr };
')
+########################################
+##
+## Manage overlay files in /var/aos directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_overlay_aos',`
+ gen_require(`
+ type aos_var_run_t;
+ ')
+
+ allow $1 aos_var_run_t:lnk_file { read };
+')
+
+
########################################
##
## Allow relabeled /var/aos directory.
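Review bot: `files_manage_overlay_aos` grants only `read` on `aos_var_run_t:lnk_file`, so neither the name nor the summary ("Manage overlay files") describes what it allows; either rename it to match (a constructed example: `aos_read_runtime_symlinks`) or grant what the name promises, and write the single permission as `allow $1 aos_var_run_t:lnk_file read;` without braces. In the modified quota interface, adding `remount` on `aos_var_run_t:filesystem` lets the caller change mount options of that filesystem, which goes beyond quota management and deserves either a comment explaining why it is needed or a separate interface so callers can opt in to it on its own. Both interfaces live in aos.if but use the `files_` prefix; refpolicy convention is the module prefix (`aos_`) so the owning module is obvious from the call site.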
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index aa657ee031..b9b0b357d5 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -103,7 +103,9 @@ sysnet_dns_name_resolve(iptables_t)
userdom_use_inherited_user_terminals(iptables_t)
-
+dev_rw_xen(iptables_t)
+xen_append_log(iptables_t)
+var_run_file_operations(iptables_t)
optional_policy(`
# iptables may try to rw /ptmx in a container
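Review bot: `xen_append_log(iptables_t)` calls an interface of the xen module from outside any optional_policy block, so the policy will fail to build on a system where the xen module is not present; it belongs inside an optional_policy block like the one that opens on the last context line. `dev_rw_xen` comes from the always-present devices module and is fine unconditionally, but nothing records why iptables needs read/write access to Xen devices; a one-line comment naming the denied operation would help. `var_run_file_operations(iptables_t)` is the generic var_run_t manage grant discussed on the files.if hunk. The optional_policy block opened on the last context line continues outside the hunk.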
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 5b33368878..d836703ccd 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -369,6 +369,10 @@ seutil_use_runinit_fds(ifconfig_t)
sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
+dev_rw_xen(ifconfig_t)
+
+var_run_file_operations(ifconfig_t)
+
# For "ip netns identify $$"
userdom_read_all_users_state(ifconfig_t)
userdom_use_user_terminals(ifconfig_t)
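Review bot: `dev_rw_xen(ifconfig_t)` and `var_run_file_operations(ifconfig_t)` are added without a comment saying which operation was denied, while the surrounding `# For "ip netns identify $$"` line shows this module's habit of recording that; a line such as `# needed for <operation from audit log> on Xen devices` (placeholder to be filled in) above the dev_rw_xen call would do. The var_run_t grant is the same broad generic-runtime manage permission raised on the files.if hunk; if ifconfig only needs its own pid or lock file, a dedicated runtime type is the tighter fix.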
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index ef1d96e1ff..120358b4c3 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -562,6 +562,16 @@ userdom_dontaudit_search_user_home_content(xm_t)
dev_rw_xen(xm_t)
+brctl_exec_permissions(xm_t)
+
+files_map_etc_files(xm_t)
+
+write_logging_runtime_dirs(xm_t)
+
+files_manage_var_run_dirs(xm_t)
+
+var_run_file_operations(xm_t)
+
tunable_policy(`xen_use_fusefs',`
fs_manage_fusefs_dirs(xm_t)
fs_manage_fusefs_files(xm_t)
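Review bot: `brctl_exec_permissions(xm_t)` calls into the brctl admin module without an optional_policy wrapper, so the policy will fail to build when brctl is not installed; it also runs brctl inside xm_t rather than transitioning to brctl_t, so it is worth checking whether `brctl_domtrans` (visible in the brctl.if hunk) would satisfy the need with confinement intact. `write_logging_runtime_dirs` is not defined anywhere in this patch and lacks the `logging_` prefix used by the logging module's interfaces; if it is meant to be new it is missing from the change, and if it already exists its naming deserves a look. `files_manage_var_run_dirs(xm_t)` together with `var_run_file_operations(xm_t)` gives xm_t create and delete rights over the generic /run hierarchy (see the files.if note); a dedicated xm runtime type with a file transition would bound this. The tunable_policy block on the last context lines continues outside the hunk.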