From 046101aba13b4263c2c8dfa5a11ae7172412fa0e Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 24 May 2022 09:33:24 -0400 Subject: [PATCH 001/257] systemd: ensure connecting to resolved allows searching init runtime Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index f48cc54134..34459831e7 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -2341,7 +2341,7 @@ interface(`systemd_stream_connect_resolved',` type systemd_resolved_runtime_t; ') - files_search_runtime($1) + init_search_runtime($1) stream_connect_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t, systemd_resolved_t) ') From ecfd4674fff9ccfdc8de91294fdf1da250aa7f4c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 24 May 2022 15:51:26 -0400 Subject: [PATCH 002/257] ssh: allow sshd to run setfiles when polyinstantiation is enabled Signed-off-by: Kenton Groombridge --- policy/modules/services/ssh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 321651a86f..89a5bd3dd5 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -288,6 +288,8 @@ tunable_policy(`ssh_sysadm_login',` tunable_policy(`allow_polyinstantiation',` allow sshd_t self:capability dac_override; files_relabel_generic_tmp_dirs(sshd_t) + + seutil_exec_setfiles(sshd_t) ') optional_policy(` From dd11169413270c436bdfb32748bf593dd4b23254 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 25 May 2022 11:09:35 -0400 Subject: [PATCH 003/257] sudo: allow sudo domains to access caller's /proc/pid/stat Signed-off-by: Kenton Groombridge --- policy/modules/admin/sudo.if | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
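Review bot: The new `seutil_exec_setfiles(sshd_t)` inside the allow_polyinstantiation block has no comment saying why setfiles is executed in the sshd_t domain instead of through a domain transition; the neighbouring `files_relabel_generic_tmp_dirs(sshd_t)` suggests the intent is that relabeling stays bounded by sshd_t's own relabel permissions, which is a useful least-privilege choice to record. Suggest `# run setfiles in-domain so relabeling is limited to sshd_t's own relabel permissions` above the call. The tunable_policy block is otherwise fully visible in the hunk.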
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 165a074b28..2ce54f4b69 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -74,7 +74,10 @@ template(`sudo_role_template',` allow $1_sudo_t self:key manage_key_perms; dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace }; - dontaudit $1_sudo_t $3:socket_class_set { read write }; + # allow accessing /proc/pid/stat of the calling domain + ps_process_pattern($1_sudo_t, $2) + + dontaudit $1_sudo_t $3:socket_class_set { read write }; # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $2) @@ -155,6 +158,9 @@ template(`sudo_role_template',` tunable_policy(`sudo_allow_user_exec_domains',` allow $1_sudo_t $3:key search; + # allow accessing /proc/pid/stat + ps_process_pattern($1_sudo_t, $3) + # Transmit SIGWINCH to children allow $1_sudo_t $3:process signal; From ed726458603c8d71faa1ab6417c507e947d8b488 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 26 May 2022 13:52:58 -0400 Subject: [PATCH 004/257] container: add file contexts for docker home config Signed-off-by: Kenton Groombridge --- policy/modules/services/container.fc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc index 1cf920890e..7b7c8da4ef 100644 --- a/policy/modules/services/container.fc +++ b/policy/modules/services/container.fc 
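Review bot: The comment `# allow accessing /proc/pid/stat of the calling domain` understates what `ps_process_pattern($1_sudo_t, $2)` grants: in upstream refpolicy that pattern allows listing and reading the whole /proc/pid tree of the target domain (files and symlinks), not just the stat file, and the same applies to the second hunk's `ps_process_pattern($1_sudo_t, $3)`. Suggest `# allow reading the calling domain's /proc/pid entries (ps_process_pattern is broader than stat alone)` so a later maintainer does not try to narrow it without checking. The enclosing sudo_role_template starts and ends outside both hunks.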
@@ -1,6 +1,7 @@ HOME_DIR/\.cache/containers(/.*)? gen_context(system_u:object_r:container_cache_home_t,s0) HOME_DIR/\.config/containers(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) HOME_DIR/\.config/cni(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) +HOME_DIR/\.config/docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) HOME_DIR/\.local/share/containers(/.*)? gen_context(system_u:object_r:container_data_home_t,s0) HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) @@ -18,6 +19,8 @@ HOME_DIR/\.local/share/docker/init(/.*)? gen_context(system_u:object_r:containe HOME_DIR/\.local/share/docker/fuse-overlayfs(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) HOME_DIR/\.local/share/docker/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0) +HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) + /usr/bin/crun -- gen_context(system_u:object_r:container_engine_exec_t,s0) /usr/bin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0) From a3ad809817d4d5e15b99f64613893cd78c3e1886 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 30 May 2022 15:25:02 -0400 Subject: [PATCH 005/257] files, init: allow systemd to remount etc filesystems This is for units with various properties that would cause the resulting process to have a private mount namespace with a read-only or otherwise private /etc directory. type=AVC msg=audit(1653769660.425:27): avc: denied { remount } for pid=2017 comm="(resolved)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=filesystem permissive=1 Signed-off-by: Kenton Groombridge --- policy/modules/kernel/files.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 1 + 2 files changed, 19 insertions(+) 
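Review bot: The new `HOME_DIR/\.docker(/.*)?` entry is placed after the `HOME_DIR/\.local/share/docker/...` lines, while the rest of this file section keeps HOME_DIR entries in path order (`.cache`, `.config`, `.local`), so it would sort before `HOME_DIR/\.local/...`. Separately, `~/.docker` typically holds `config.json` with registry credentials alongside plain client configuration, so labeling it `container_conf_home_t` exposes those credentials to every domain granted read access to that type; if that is acceptable, record it with `# ~/.docker also holds registry credentials (config.json)` above the entry.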
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 96793286d1..e00ed7b4e1 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3040,6 +3040,24 @@ interface(`files_mounton_etc_dirs',` allow $1 etc_t:dir mounton; ') +######################################## +## +## Remount etc filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_remount_etc',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:filesystem remount; +') + ######################################## ## ## Watch /etc directories diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d665498e4d..ba9090db4f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -417,6 +417,7 @@ ifdef(`init_systemd',` files_manage_urandom_seed(init_t) files_read_boot_files(initrc_t) files_remount_boot(init_t) + files_remount_etc(init_t) files_relabel_all_lock_dirs(init_t) files_search_all(init_t) files_unmount_all_file_type_fs(init_t) From d49ddce319aae089077546265ef0b9b18378c6bc Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 30 May 2022 15:40:12 -0400 Subject: [PATCH 006/257] systemd: allow systemd-logind to read localization Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index b6290e6106..1798247ad1 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -871,6 +871,8 @@ init_stop_all_units(systemd_logind_t) init_start_system(systemd_logind_t) init_stop_system(systemd_logind_t) +miscfiles_read_localization(systemd_logind_t) + locallogin_read_state(systemd_logind_t) seutil_libselinux_linked(systemd_logind_t) From c2e873661ae32fc44e9d36259e97a5c6e70b2f4c Mon Sep 17 00:00:00 2001 
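Review bot: The summary of the new `files_remount_etc` interface, `Remount etc filesystems.`, does not say when a filesystem carries the `etc_t` label, which the commit message explains: units with a private mount namespace where /etc is bind-mounted read-only, as in the quoted `(resolved)` denial with `tcontext=system_u:object_r:etc_t:s0 tclass=filesystem`. Suggest `Remount etc filesystems, e.g. a read-only /etc bind mount inside a unit's private mount namespace.` so callers understand the unusual `etc_t:filesystem` target. The init.te hunk applying it to `init_t` is consistent with the neighbouring `files_remount_boot(init_t)`.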
From: Kenton Groombridge Date: Mon, 30 May 2022 15:46:38 -0400 Subject: [PATCH 007/257] init: fix possible typo initrc_t was allowed access to read boot files instead of init_t. I found this while investigating new denials in systemd 251. It seems pid 1 is what really wants to read boot_t files when running dracut-initramfs-restore. Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index ba9090db4f..e9f3e01c05 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -415,7 +415,7 @@ ifdef(`init_systemd',` files_relabel_generic_tmp_dirs(init_t) files_mounton_tmp(init_t) files_manage_urandom_seed(init_t) - files_read_boot_files(initrc_t) + files_read_boot_files(init_t) files_remount_boot(init_t) files_remount_etc(init_t) files_relabel_all_lock_dirs(init_t) From 53ed120ece5c4908c2111453be595331328f9590 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Tue, 6 Sep 2022 08:41:09 -0500 Subject: [PATCH 008/257] Clone `xguest_connect_network` for guest role Signed-off-by: Pat Riehecky --- policy/modules/roles/guest.te | 55 +++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te index c105e6a6a2..6147f3d6aa 100644 --- a/policy/modules/roles/guest.te +++ b/policy/modules/roles/guest.te @@ -11,6 +11,14 @@ userdom_restricted_user_template(guest) kernel_read_system_state(guest_t) +## +##
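Review bot: Changing `files_read_boot_files(initrc_t)` to `files_read_boot_files(init_t)` silently withdraws the grant from `initrc_t`, and the commit message itself only calls the original a possible typo; if any init script running as `initrc_t` reads /boot, this will surface as a new denial rather than a fix. Consider keeping both lines until the history of the `initrc_t` rule has been checked, or state in the message why `initrc_t` no longer needs it. The enclosing ifdef(init_systemd) block starts and ends outside the hunk.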

+## Determine whether guest can +## configure network manager. +##

+##
+gen_tunable(guest_connect_network, false) + ######################################## # # Local policy @@ -20,4 +28,51 @@ optional_policy(` dbus_role_template(guest, guest_r, guest_t) ') +optional_policy(` + tunable_policy(`guest_connect_network',` + kernel_read_network_state(guest_t) + + networkmanager_dbus_chat(guest_t) + networkmanager_read_lib_files(guest_t) + + corenet_all_recvfrom_netlabel(guest_t) + corenet_tcp_sendrecv_generic_if(guest_t) + corenet_raw_sendrecv_generic_if(guest_t) + corenet_tcp_sendrecv_generic_node(guest_t) + corenet_raw_sendrecv_generic_node(guest_t) + + corenet_sendrecv_pulseaudio_client_packets(guest_t) + corenet_tcp_connect_pulseaudio_port(guest_t) + + corenet_sendrecv_http_client_packets(guest_t) + corenet_tcp_connect_http_port(guest_t) + + corenet_sendrecv_http_cache_client_packets(guest_t) + corenet_tcp_connect_http_cache_port(guest_t) + + corenet_sendrecv_squid_client_packets(guest_t) + corenet_tcp_connect_squid_port(guest_t) + + corenet_sendrecv_ftp_client_packets(guest_t) + corenet_tcp_connect_ftp_port(guest_t) + + corenet_sendrecv_ipp_client_packets(guest_t) + corenet_tcp_connect_ipp_port(guest_t) + + corenet_sendrecv_generic_client_packets(guest_t) + corenet_tcp_connect_generic_port(guest_t) + + corenet_sendrecv_soundd_client_packets(guest_t) + corenet_tcp_connect_soundd_port(guest_t) + + corenet_sendrecv_speech_client_packets(guest_t) + corenet_tcp_connect_speech_port(guest_t) + + corenet_sendrecv_transproxy_client_packets(guest_t) + corenet_tcp_connect_transproxy_port(guest_t) + + corenet_dontaudit_tcp_bind_generic_port(guest_t) + ') +') + #gen_user(guest_u, user, guest_r, s0, s0) From af398700e43f239061a9e7802946c2f6ef6d538d Mon Sep 17 00:00:00 2001 
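Review bot: The tunable description `Determine whether guest can configure network manager.` is narrower than what `guest_connect_network` actually enables: the second hunk opens TCP client access to http, http cache, squid, ftp, ipp, pulseaudio, soundd, speech, transproxy and generic ports in addition to `networkmanager_dbus_chat`, so an administrator reading `gen_tunable(guest_connect_network, false)` would underestimate its effect. Suggest `Determine whether guest can chat with NetworkManager and connect to the network as a client.` The description may have been cloned verbatim from the xguest original named in the subject; the point applies there as well but is outside this patch.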
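Review bot: Because the whole `tunable_policy` is nested inside a single `optional_policy`, the corenet rules are only compiled when the networkmanager module is present, so a build without that module yields no network access for guest even with the tunable enabled. If network access is meant to be independent of NetworkManager, keep only `networkmanager_dbus_chat(guest_t)` and `networkmanager_read_lib_files(guest_t)` inside `optional_policy` and move the `kernel_read_network_state` and `corenet_*` calls to a top-level `tunable_policy` of their own. This mirrors how refpolicy usually separates optional module dependencies from core network rules.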
From: Dave Sugar Date: Tue, 6 Sep 2022 10:04:40 -0400 Subject: [PATCH 009/257] tpm2-abrmd: allow to send syslog messages node=localhost type=AVC msg=audit(1662410789.964:19770): avc: denied { create } for pid=1370 comm="tpm2-abrmd" scontext=system_u:system_r:tpm2_abrmd_t:s0 tcontext=system_u:system_r:tpm2_abrmd_t:s0 tclass=unix_dgram_socket permissive=1 node=localhost type=AVC msg=audit(1662410789.964:19771): avc: denied { write } for pid=1370 comm="tpm2-abrmd" scontext=system_u:system_r:tpm2_abrmd_t:s0 tcontext=system_u:system_r:tpm2_abrmd_t:s0 tclass=unix_dgram_socket permissive=1 node=localhost type=AVC msg=audit(1662410789.964:19771): avc: denied { search } for pid=1370 comm="tpm2-abrmd" name="journal" dev="tmpfs" ino=12582 scontext=system_u:system_r:tpm2_abrmd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1662410789.964:19771): avc: denied { write } for pid=1370 comm="tpm2-abrmd" name="socket" dev="tmpfs" ino=12585 scontext=system_u:system_r:tpm2_abrmd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1 node=localhost type=AVC msg=audit(1662410789.964:19771): avc: denied { sendto } for pid=1370 comm="tpm2-abrmd" path="/run/systemd/journal/socket" scontext=system_u:system_r:tpm2_abrmd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar --- policy/modules/services/tpm2.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te index 5526c7fd4f..aa728de6d1 100644 --- a/policy/modules/services/tpm2.te +++ b/policy/modules/services/tpm2.te @@ -30,6 +30,8 @@ dev_rw_tpm(tpm2_abrmd_t) kernel_read_crypto_sysctls(tpm2_abrmd_t) kernel_read_system_state(tpm2_abrmd_t) +logging_send_syslog_msg(tpm2_abrmd_t) + optional_policy(` dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t) ') From 8da25f9448c417049cb2e24fd29442e1b2337afe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Fri, 9 Sep 2022 14:07:58 +0200 Subject: [PATCH 010/257] Replace deprecated egrep usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit egrep has been deprecated since 2007 and with version 3.8 calling this commands issues a warning. Signed-off-by: Christian Göttsche --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ccd3ad96b1..962bcafb2d 100644 --- a/Makefile +++ b/Makefile @@ -69,7 +69,7 @@ SECHECK ?= $(BINDIR)/sechecker # interpreters and aux tools AWK ?= gawk -GREP ?= egrep +GREP ?= grep -E INSTALL ?= install M4 ?= m4 -E -E PYTHON ?= python3 -bb -t -t -E -W error @@ -324,7 +324,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods))) # filesystems to be used in labeling targets -filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';) +filesystems = $(shell mount | grep -v "context=" | $(GREP) -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';) fs_names := "btrfs ext2 ext3 ext4 xfs jfs" ######################################## From 88a9214ab7abb8767c4de75cd4d36baa2d3956c7 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sun, 4 Sep 2022 22:28:01 +0800 Subject: [PATCH 011/257] systemd: allow systemd user to watch /etc directories Fixes: avc: denied { watch } for pid=329 comm="systemd" path="/etc" dev="vda" ino=176 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:etc_t tclass=dir permissive=0 systemd[329]: Failed to create timezone change event source: Permission denied Signed-off-by: Yi Zhao --- policy/modules/system/systemd.if | 1 + 1 file changed, 1 insertion(+) 
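Review bot: In the `filesystems` definition the first pipe stage still invokes a bare `grep -v "context="` while the next stage now uses `$(GREP)`, so the variable the commit introduces to replace `egrep` is applied inconsistently within one line; either use `$(GREP) -v "context="` for both stages or add a comment noting the first is intentionally plain grep. The `GREP ?= grep -E` change itself addresses the deprecation described in the message.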
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 2370c729b3..09c711c1b3 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -90,6 +90,7 @@ template(`systemd_role_template',` dev_read_urand($1_systemd_t) files_search_home($1_systemd_t) + files_watch_etc_dirs($1_systemd_t) fs_getattr_xattr_fs($1_systemd_t) fs_manage_cgroup_files($1_systemd_t) From 130b6807292905b9956fb31ccaf6fa4e8f69b894 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 30 May 2022 15:47:45 -0400 Subject: [PATCH 012/257] corecmd: label dracut lib as bin_t This is needed by dracut-initramfs-restore. Signed-off-by: Kenton Groombridge --- policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 1257de8200..0c05c693d7 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -177,6 +177,7 @@ ifdef(`distro_gentoo',` /usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0) +/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) From b641e648df44f3cdb76b50a547d8e2986ed90f99 Mon Sep 17 00:00:00 2001 
From: Kenton Groombridge Date: Mon, 30 May 2022 17:06:55 -0400 Subject: [PATCH 013/257] sudo: various fixes These changes resolve these AVCs: type=AVC msg=audit(1653939111.332:1226): avc: denied { getpgid } for pid=2346 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1 type=AVC msg=audit(1653939111.332:1227): avc: denied { signal } for pid=2346 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=process permissive=1 type=AVC msg=audit(1653939111.333:1228): avc: denied { getpgid } for pid=2346 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process permissive=1 Signed-off-by: Kenton Groombridge --- policy/modules/admin/sudo.if | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 2ce54f4b69..4840c740c6 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -74,6 +74,9 @@ template(`sudo_role_template',` allow $1_sudo_t self:key manage_key_perms; dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace }; + # allow getting the process group of the parent process + allow $1_sudo_t $2:process getpgid; + # allow accessing /proc/pid/stat of the calling domain ps_process_pattern($1_sudo_t, $2) @@ -125,6 +128,7 @@ template(`sudo_role_template',` auth_use_pam($1_sudo_t) auth_runtime_filetrans_pam_runtime($1_sudo_t, dir, "sudo") + init_getpgid($1_sudo_t) init_rw_utmp($1_sudo_t) logging_send_audit_msgs($1_sudo_t) @@ -148,6 +152,8 @@ template(`sudo_role_template',` # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) userdom_dontaudit_search_user_home_dirs($1_sudo_t) + # allow forwarding signals to the child process + userdom_signal_all_users($1_sudo_t) tunable_policy(`allow_polyinstantiation',` allow $1_sudo_t self:capability sys_admin; 
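Review bot: `userdom_signal_all_users($1_sudo_t)` grants `process signal` to every user domain, far wider than the single quoted denial (`staff_sudo_t` to `sysadm_t`), and the comment `# allow forwarding signals to the child process` does not convey that breadth. Since the domain sudo transitions to is not a parameter of this template, a broad interface may be unavoidable, but the comment should say so, e.g. `# forward signals to the child; the target domain is not known to the template, so all user domains are allowed`. The `getpgid` additions in the first two hunks match the quoted denials exactly. sudo_role_template continues outside the hunks.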
From ff904f91954792318ae6ce1c27f2610ba112c3d1 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 1 Jun 2022 23:21:53 -0400 Subject: [PATCH 014/257] udev: various fixes for udevadm Signed-off-by: Kenton Groombridge --- policy/modules/system/udev.te | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index df6ef27891..6b5948a747 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -390,18 +390,28 @@ read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t) read_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t) allow udevadm_t udev_runtime_t:dir watch; +dev_getattr_sysfs(udevadm_t) dev_rw_sysfs(udevadm_t) +dev_getattr_all_chr_files(udevadm_t) +dev_getattr_generic_chr_files(udevadm_t) dev_read_urand(udevadm_t) +domain_use_interactive_fds(udevadm_t) + files_read_etc_files(udevadm_t) files_read_usr_files(udevadm_t) +fs_getattr_xattr_fs(udevadm_t) + init_list_runtime(udevadm_t) init_read_state(udevadm_t) +kernel_dontaudit_getattr_proc(udevadm_t) kernel_read_kernel_sysctls(udevadm_t) kernel_read_system_state(udevadm_t) seutil_read_file_contexts(udevadm_t) -fs_getattr_xattr_fs(udevadm_t) +storage_getattr_fixed_disk_dev(udevadm_t) + +userdom_use_user_terminals(udevadm_t) From 966468c62646314423da5ab9e54fc21451514452 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 1 Jun 2022 23:42:13 -0400 Subject: [PATCH 015/257] bootloader, init: various fixes for systemd-boot These rules were found to be needed for systemd-boot-update.service to run properly on a systemd system with a dracut initrd and with systemd-boot as the bootloader. Signed-off-by: Kenton Groombridge --- policy/modules/admin/bootloader.te | 7 +++++++ policy/modules/system/init.te | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index ca199b490d..ccd0e2ffe0 100644 
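Review bot: `dev_getattr_generic_chr_files(udevadm_t)` looks redundant next to the newly added `dev_getattr_all_chr_files(udevadm_t)`, since in upstream refpolicy the latter covers every device node type including generic `device_t`; keeping both makes a later audit assume two distinct grants were needed. Unless this tree's all-device interface excludes `device_t`, drop the generic line. The commit message lists no denials for the new rules, so a short note of which udevadm operations required `domain_use_interactive_fds` and `userdom_use_user_terminals` would help reviewers judge them.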
--- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -217,6 +217,13 @@ ifdef(`distro_redhat',` ') ') +ifdef(`init_systemd',` + # these rules are required by systemd-boot-update + fs_getattr_cgroup(bootloader_t) + init_read_state(bootloader_t) + init_rw_inherited_stream_socket(bootloader_t) +') + optional_policy(` fstools_exec(bootloader_t) ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index e9f3e01c05..80f5918739 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -542,6 +542,11 @@ ifdef(`init_systemd',` files_mounton_non_security(init_t) ') + optional_policy(` + # to run systemd-boot-update + bootloader_domtrans(init_t) + ') + optional_policy(` clock_read_adjtime(init_t) ') From 324f3fd3f8ac8a949c8219d9ad85fd59dd0615bf Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Jun 2022 10:32:33 -0400 Subject: [PATCH 016/257] systemd: allow systemd-generator to read etc runtime files systemd-generator reads /etc/profile.env Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 1798247ad1..47b00d3480 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -488,6 +488,7 @@ files_read_boot_files(systemd_generator_t) files_search_all_mountpoints(systemd_generator_t) files_list_usr(systemd_generator_t) files_dontaudit_getattr_all_dirs(systemd_generator_t) +files_dontaudit_read_etc_runtime_files(systemd_generator_t) fs_list_efivars(systemd_generator_t) fs_getattr_all_fs(systemd_generator_t) From 1b15d31a1d25b7a98a732ee2263108433daec808 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Jun 2022 10:36:12 -0400 Subject: [PATCH 017/257] systemd: add interface to read userdb runtime files 
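Review bot: `bootloader_domtrans(init_t)` may duplicate a transition that already exists: in upstream refpolicy `bootloader_t` is declared through `init_system_domain(bootloader_t, bootloader_exec_t)`, which itself sets up the `init_t` to `bootloader_t` transition, in which case this `optional_policy` block adds nothing. Worth confirming against bootloader.te in this tree before merging; if the transition really is missing there, this is the right place and the comment `# to run systemd-boot-update` is adequate. The enclosing ifdef(init_systemd) block starts and ends outside the hunk.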
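Review bot: The subject says `allow systemd-generator to read etc runtime files` and the message says systemd-generator reads /etc/profile.env, but the rule added is `files_dontaudit_read_etc_runtime_files(systemd_generator_t)`, which only silences the denial and leaves the read failing. Either the intended rule is `files_read_etc_runtime_files(systemd_generator_t)`, if the generator genuinely needs the file, or the commit message should state that the access is being dontaudited as unnecessary. As written the message and the rule disagree.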
Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 34459831e7..768b184c84 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -1410,6 +1410,24 @@ interface(`systemd_manage_userdb_runtime_dirs', ` manage_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) ') +######################################## +## +## Read systemd userdb runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_read_userdb_runtime_files', ` + gen_require(` + type systemd_userdbd_runtime_t; + ') + + read_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +') + ######################################## ## ## Manage socket files under /run/systemd/userdb . From 80cbe18d7219a3ed573bbfeb008085e598a55168 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Jun 2022 10:36:56 -0400 Subject: [PATCH 018/257] logging: various fixes for auditctl Allow auditctl to read /proc/filesystems and connect to systemd-userdb. Signed-off-by: Kenton Groombridge --- policy/modules/system/logging.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 261a68905a..38030fdd25 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -121,6 +121,7 @@ files_read_etc_files(auditctl_t) kernel_dontaudit_getattr_proc(auditctl_t) kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) +kernel_read_system_state(auditctl_t) kernel_setsched(auditctl_t) domain_read_all_domains_state(auditctl_t) @@ -139,6 +140,8 @@ miscfiles_read_localization(auditctl_t) ifdef(`init_systemd',` init_rw_stream_sockets(auditctl_t) + + systemd_stream_connect_userdb(auditctl_t) ') optional_policy(` 
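Review bot: `systemd_read_userdb_runtime_files` grants `read_files_pattern` on `systemd_userdbd_runtime_t` but nothing to traverse /run and /run/systemd to reach it, so a caller without its own runtime search rights will still be denied at the parent directory; the neighbouring `systemd_manage_userdb_runtime_dirs` in the context lines appears to follow the same approach, so this may be a deliberate convention here. If it is not, add `init_search_runtime($1)` before the pattern call. The interface header also carries a space before the second backtick, matching that neighbour but differing from `systemd_stream_connect_resolved` elsewhere in the file.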
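Review bot: With `kernel_read_system_state(auditctl_t)` added, the context line `kernel_read_proc_symlinks(auditctl_t)` is likely redundant, since upstream's `kernel_read_system_state` already includes reading `proc_t` symlinks; keeping both obscures which grant is load-bearing. `kernel_read_system_state` is also considerably wider than the `/proc/filesystems` read named in the message, so if no narrower interface exists, a comment `# for /proc/filesystems` on the new line would at least record the actual need.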
From 21c7e6c2e1c96535ec774f1ccccced6ee3aa9aec Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Jun 2022 10:39:01 -0400 Subject: [PATCH 019/257] screen: add interface to dontaudit runtime sock file Signed-off-by: Kenton Groombridge --- policy/modules/apps/screen.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index 1045e9f354..fadb0df945 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -120,3 +120,21 @@ interface(`screen_execute_sock_file',` allow $1 screen_runtime_t:sock_file execute; allow $1 screen_tmp_t:dir search; ') + +######################################## +## +## Do not audit attempts to get the attributes +## of the screen runtime named socket. +## +## +## +## Domain to not audit. +## +## +interface(`screen_dontaudit_getattr_sock_file',` + gen_require(` + type screen_runtime_t; + ') + + dontaudit $1 screen_runtime_t:sock_file getattr; +') From f97165f0a0bcc2cda778f27ace6dcf94d87e536d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Jun 2022 10:39:47 -0400 Subject: [PATCH 020/257] systemd: dontaudit systemd-tmpfiles getattr on screen sock file Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 47b00d3480..bf4f1aff78 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1698,6 +1698,10 @@ optional_policy(` dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t) ') +optional_policy(` + screen_dontaudit_getattr_sock_file(systemd_tmpfiles_t) +') + optional_policy(` xfs_create_tmp_dirs(systemd_tmpfiles_t) ') From 0d9ae5a3c7334040bd99f0ca59ea6130974e0f2c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Jun 2022 10:45:12 -0400 Subject: [PATCH 021/257] systemd: dontaudit systemd-tmpfiles getattr on all dirs 
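Review bot: The new `screen_dontaudit_getattr_sock_file` interface is missing the `#` separator line between the doc block and `interface(`, which the other interfaces added in this series (for example `files_remount_etc` and `systemd_read_userdb_runtime_files`) include; add `#` on its own line after the closing `##`. The body itself matches the neighbouring `screen_execute_sock_file` pattern.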
Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index bf4f1aff78..c21ef7b9f4 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1602,7 +1602,7 @@ dev_setattr_all_sysfs(systemd_tmpfiles_t) dev_write_sysfs(systemd_tmpfiles_t) files_create_lock_dirs(systemd_tmpfiles_t) -files_dontaudit_getattr_lost_found_dirs(systemd_tmpfiles_t) +files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t) files_manage_all_runtime_dirs(systemd_tmpfiles_t) files_delete_usr_files(systemd_tmpfiles_t) files_list_home(systemd_tmpfiles_t) From f1a56efaa8a7b0241ecd905614ff0992c7308190 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 17 Jun 2022 17:00:24 -0400 Subject: [PATCH 022/257] fstools: fixes for fsadm with nfs If the system has nfs-utils installed, the ZFS event daemon uses exportfs to get information about any NFS exports. Signed-off-by: Kenton Groombridge --- policy/modules/system/fstools.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 4664a01ae6..a4137ad452 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -205,6 +205,12 @@ optional_policy(` nis_use_ypbind(fsadm_t) ') +optional_policy(` + kernel_rw_rpc_sysctls(fsadm_t) + rpc_manage_nfs_state_data(fsadm_t) + rpc_read_exports(fsadm_t) +') + optional_policy(` # Xen causes losetup to run with a presumably accidentally inherited # file handle for /run/xen-hotplug/block From e3b1213d71280332119d5ada6bd2e0822da6e30b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 17 Jun 2022 21:38:56 -0400 Subject: [PATCH 023/257] various: fixes for nfs 
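Review bot: Replacing `files_dontaudit_getattr_lost_found_dirs(systemd_tmpfiles_t)` with `files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t)` removes audit visibility for getattr on every directory type, and the commit message gives no denial or reason; a dontaudit this wide can hide tmpfiles.d misconfigurations that an administrator would otherwise notice in the audit log. If one directory type was noisy, a dontaudit for that type alone keeps the signal; if the wide rule is intended, add a comment naming the tmpfiles.d behaviour that triggers the probes.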
Signed-off-by: Kenton Groombridge --- policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 2 ++ policy/modules/services/rpc.fc | 2 ++ policy/modules/services/rpc.if | 38 +++++++++++++++++++++++++++++ policy/modules/services/rpc.te | 3 +++ policy/modules/services/rpcbind.te | 3 ++- policy/modules/system/fstools.te | 2 ++ policy/modules/system/init.te | 10 ++++++++ policy/modules/system/mount.te | 2 +- policy/modules/system/systemd.te | 6 +++++ 10 files changed, 102 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 8418a63cfb..27cc4acef9 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -4055,6 +4055,24 @@ interface(`fs_read_nsfs_files',` allow $1 nsfs_t:file read_file_perms; ') +######################################## +## +## Watch NFS server files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_watch_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:file watch; +') + ######################################## ## ## Get the attributes of an nsfs filesystem. @@ -4702,6 +4720,24 @@ interface(`fs_rw_rpc_named_pipes',` allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ') +######################################## +## +## Watch RPC pipe filesystem directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_watch_rpc_pipefs_dirs',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:dir watch; +') + ######################################## ## ## Mount a tmpfs filesystem. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 30e34bec59..7e55efe0c9 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -453,6 +453,8 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) + rpc_search_nfs_state_data(kernel_t) + rpc_use_nfsd_fds(kernel_t) rpc_tcp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc index 88d2acaf0b..75c2f0617d 100644 --- a/policy/modules/services/rpc.fc +++ b/policy/modules/services/rpc.fc @@ -4,6 +4,7 @@ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/bin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/bin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) @@ -17,6 +18,7 @@ /usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0) /usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0) +/usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 676aaa63b4..6ff7f58b1c 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -181,6 +181,25 @@ interface(`rpc_initrc_domtrans_rpcd',` init_labeled_script_domtrans($1, rpcd_initrc_exec_t) ') +####################################### +## +## Inherit and use file descriptors from +## nfsd. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_use_nfsd_fds',` + gen_require(` + type nfsd_t; + ') + + allow $1 nfsd_t:fd use; +') + ######################################## ## ## Read nfs exported content. 
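Review bot: The comment rule above the new `rpc_use_nfsd_fds` interface appears one `#` shorter than the rule used by the other interfaces added in this commit (`fs_watch_nfsd_files`, `fs_watch_rpc_pipefs_dirs`, `rpc_create_nfs_state_data_dirs`); a minor style nit, but the file keeps these uniform. The body `allow $1 nfsd_t:fd use;` is the standard fd-inheritance grant and the summary describes it accurately.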
@@ -301,6 +320,25 @@ interface(`rpc_search_nfs_state_data',` allow $1 var_lib_nfs_t:dir search; ') +######################################## +## +## Create nfs lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_create_nfs_state_data_dirs',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + create_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t) +') + ######################################## ## ## Read nfs lib files. diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index f0b69b08c6..4d1e1a3eb1 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -260,6 +260,7 @@ fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) +fs_watch_rpc_pipefs_dirs(rpcd_t) fs_get_all_fs_quotas(rpcd_t) fs_set_xattr_fs_quotas(rpcd_t) fs_getattr_all_fs(rpcd_t) @@ -325,12 +326,14 @@ dev_rw_lvm_control(nfsd_t) files_getattr_tmp_dirs(nfsd_t) files_manage_mounttab(nfsd_t) +files_search_all_mountpoints(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) fs_getattr_all_dirs(nfsd_t) fs_list_nfsd_fs(nfsd_t) fs_watch_nfsd_dirs(nfsd_t) +fs_watch_nfsd_files(nfsd_t) fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te index fa6aafedad..137c21ece6 100644 --- a/policy/modules/services/rpcbind.te +++ b/policy/modules/services/rpcbind.te 
@@ -32,9 +32,10 @@ allow rpcbind_t self:fifo_file rw_fifo_file_perms; allow rpcbind_t self:unix_stream_socket { accept listen }; allow rpcbind_t self:tcp_socket { accept listen }; +manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) -files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file }) +files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { dir file sock_file }) manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index a4137ad452..fabff4ca0a 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -206,6 +206,8 @@ optional_policy(` ') optional_policy(` + fs_search_nfsd_fs(fsadm_t) + fs_rw_nfsd_fs(fsadm_t) kernel_rw_rpc_sysctls(fsadm_t) rpc_manage_nfs_state_data(fsadm_t) rpc_read_exports(fsadm_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 80f5918739..dd6c723287 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -566,6 +566,16 @@ ifdef(`init_systemd',` dbus_connect_system_bus(init_t) ') + optional_policy(` + # var-lib-nfs-rpc_pipefs.mount creates /var/lib/nfs/rpc_pipefs + # if it does not exist + rpc_create_nfs_state_data_dirs(init_t) + rpc_manage_nfs_state_data(init_t) + + fs_rw_nfsd_fs(initrc_t) + fs_rw_rpc_named_pipes(initrc_t) + ') + optional_policy(` # for systemd --user: unconfined_search_keys(init_t) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 56b431985d..11dc870cfe 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
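Review bot: In the init.te hunk, the comment only justifies creating /var/lib/nfs/rpc_pipefs, but `rpc_manage_nfs_state_data(init_t)` grants init_t full management of NFS state data, which that comment does not support; if the mount unit only needs the mount point to exist, `rpc_create_nfs_state_data_dirs(init_t)` alone is the least-privilege rule, otherwise the comment should say what else init_t does there. The two initrc_t rules (`fs_rw_nfsd_fs(initrc_t)` and `fs_rw_rpc_named_pipes(initrc_t)`) sit under the same comment but concern a different domain; give them a comment of their own so the justification is not misread. The enclosing ifdef(init_systemd) block starts outside the hunk.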
@@ -53,7 +53,7 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t) manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t) rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t) -files_runtime_filetrans(mount_t, mount_runtime_t, dir, "mount") +files_runtime_filetrans(mount_t, mount_runtime_t, { dir file }) kernel_read_system_state(mount_t) kernel_read_kernel_sysctls(mount_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index c21ef7b9f4..e89322d44d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -547,6 +547,12 @@ optional_policy(` miscfiles_read_localization(systemd_generator_t) ') +optional_policy(` + fs_search_nfsd_fs(systemd_generator_t) + fs_rw_nfsd_fs(systemd_generator_t) + rpc_read_exports(systemd_generator_t) +') + ####################################### # # systemd-homed policy From 595143e53d49d26d4f1d1b46e38bc7c4cc05d29b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 18 Jun 2022 00:06:06 -0400 Subject: [PATCH 024/257] init: dontaudit initrc creating /dev/console during initrd Observed during bootup with a dracut initrd. Some init script invokes cpio which ends up creating /dev/console in the initrd, but by this point SELinux hasn't been set to enforcing yet so just dontaudit this access. Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index dd6c723287..58d1927507 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
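Review bot: In the mount.te hunk, replacing `files_runtime_filetrans(mount_t, mount_runtime_t, dir, "mount")` with `files_runtime_filetrans(mount_t, mount_runtime_t, { dir file })` drops the name filter, so every directory or file mount_t creates directly in /run now defaults to mount_runtime_t instead of only the `mount` directory as before. With no commit message in view saying which file needed the transition, keep the named directory transition and add a named one for the file: `files_runtime_filetrans(mount_t, mount_runtime_t, dir, "mount")` plus `files_runtime_filetrans(mount_t, mount_runtime_t, file, "<FILENAME>")` with the real name filled in. That keeps any other runtime object mount_t creates from being mislabelled.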
@@ -690,6 +690,7 @@ manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +dontaudit initrc_t initrc_state_t:chr_file { create_chr_file_perms setattr }; allow initrc_t initrc_runtime_t:file manage_file_perms; files_runtime_filetrans(initrc_t, initrc_runtime_t, file) From 94cd9c9e666490036baf08c5e4105780ccbee2bc Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 31 Jul 2022 23:58:37 -0400 Subject: [PATCH 025/257] storage: include chr_files in fixed_disk_dev interfaces /dev/zfs is a fixed_disk_device_t chr_file. Signed-off-by: Kenton Groombridge --- policy/modules/kernel/storage.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 2898214e48..9c581a9107 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -18,6 +18,7 @@ interface(`storage_getattr_fixed_disk_dev',` dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; + allow $1 fixed_disk_device_t:chr_file getattr; ') ######################################## @@ -58,6 +59,7 @@ interface(`storage_setattr_fixed_disk_dev',` dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file setattr; + allow $1 fixed_disk_device_t:chr_file setattr; ') ######################################## @@ -77,6 +79,7 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',` ') dontaudit $1 fixed_disk_device_t:blk_file setattr; + dontaudit $1 fixed_disk_device_t:chr_file setattr; ') ######################################## From 5d5b81df26a05bb991e177d3c3d558ce09429c9e Mon Sep 17 00:00:00 2001 
From: Kenton Groombridge Date: Mon, 1 Aug 2022 00:05:14 -0400 Subject: [PATCH 026/257] systemd: allow systemd-userdbd to search default contexts This silences this AVC: type=PROCTITLE msg=audit(1659326362.164:10566): proctitle=73797374656D642D75736572776F726B0078787878787878787878787878787878 type=PATH msg=audit(1659326362.164:10566): item=0 name="/etc/selinux/config" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1659326362.164:10566): cwd="/" type=SYSCALL msg=audit(1659326362.164:10566): arch=c000003e syscall=21 success=no exit=-13 a0=68f7181b05db a1=0 a2=10 a3=0 items=1 ppid=10011 pid=74316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null) type=AVC msg=audit(1659326362.164:10566): avc: denied { search } for pid=74316 comm="systemd-userwor" name="selinux" dev="zfs" ino=37509 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index e89322d44d..c5b6522136 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1855,6 +1855,8 @@ init_read_state(systemd_userdbd_t) kernel_read_kernel_sysctls(systemd_userdbd_t) +seutil_search_default_contexts(systemd_userdbd_t) + systemd_log_parse_environment(systemd_userdbd_t) ######################################### From b8d21e6c195ac5f93dc9bbd21e00ca840a7158a0 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 1 Aug 2022 00:09:42 -0400 Subject: [PATCH 027/257] logging, systemd: allow auditctl to list userdb runtime dirs 
Signed-off-by: Kenton Groombridge --- policy/modules/system/logging.te | 1 + policy/modules/system/systemd.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 38030fdd25..31232e89c4 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -141,6 +141,7 @@ miscfiles_read_localization(auditctl_t) ifdef(`init_systemd',` init_rw_stream_sockets(auditctl_t) + systemd_list_userdb_runtime_dirs(auditctl_t) systemd_stream_connect_userdb(auditctl_t) ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 768b184c84..c195b08275 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -1392,6 +1392,24 @@ interface(`systemd_signull_logind',` allow $1 systemd_logind_t:process signull; ') +######################################## +## +## List the contents of systemd userdb runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_list_userdb_runtime_dirs', ` + gen_require(` + type systemd_userdbd_runtime_t; + ') + + list_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +') + ######################################## ## ## Manage systemd userdb runtime directories. From 3ff2ae3cadc7c78b30aa375de7d44de1a06c0d8d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 1 Aug 2022 00:25:39 -0400 Subject: [PATCH 028/257] bootloader, userdom: minor fixes for systemd-boot Dontaudits on user home files for bootctl opening in less and wanting to write to the less history file. Signed-off-by: Kenton Groombridge --- policy/modules/admin/bootloader.te | 5 ++++- policy/modules/system/userdomain.if | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index ccd0e2ffe0..58180fa9b7 100644 --- a/policy/modules/admin/bootloader.te 
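Review bot: The new `systemd_list_userdb_runtime_dirs` interface in the systemd.if hunk grants only list on systemd_userdbd_runtime_t; the userdb runtime directory lives under /run/systemd, so a caller that does not already hold search on init runtime directories would still be denied reaching it, and refpolicy's convention is to pair such rules with `init_search_runtime($1)`. Adding `init_search_runtime($1)` before the `list_dirs_pattern` call makes the interface self-contained (auditctl_t may already get that search from its other init rules, which would explain why the denial did not show). The signature line also has a space between the comma and the opening quote that the surrounding interfaces do not use.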
+++ b/policy/modules/admin/bootloader.te @@ -42,6 +42,7 @@ dev_node(bootloader_tmp_t) # allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio }; +dontaudit bootloader_t self:capability sys_resource; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; @@ -96,6 +97,7 @@ fs_read_tmpfs_symlinks(bootloader_t) fs_getattr_efivarfs(bootloader_t) fs_manage_dos_files(bootloader_t) fs_mmap_read_dos_files(bootloader_t) +fs_search_cgroup_dirs(bootloader_t) mls_file_read_all_levels(bootloader_t) mls_file_write_all_levels(bootloader_t) @@ -167,7 +169,8 @@ seutil_dontaudit_search_config(bootloader_t) udev_read_runtime_files(bootloader_t) userdom_use_user_terminals(bootloader_t) -userdom_dontaudit_search_user_home_dirs(bootloader_t) +userdom_dontaudit_manage_user_home_dirs(bootloader_t) +userdom_dontaudit_write_user_home_content_files(bootloader_t) ifdef(`distro_debian',` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index dcf510185e..9fcb3a09a6 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1915,6 +1915,25 @@ interface(`userdom_manage_user_home_dirs',` allow $1 user_home_dir_t:dir manage_dir_perms; ') +######################################## +## +## Do not audit attempts to manage user +## home directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_manage_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir manage_dir_perms; +') + ######################################## ## ## Relabel to user home directories. From e75a6c4f22d42a976c91fe27a6abc5cd63e389fe Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 17:28:10 -0400 Subject: [PATCH 029/257] systemd: allow systemd-resolved to read generic certs 
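Review bot: In the bootloader.te hunk, `userdom_dontaudit_manage_user_home_dirs(bootloader_t)` silences create, rename and unlink attempts on user home directories in addition to the search and write the commit message describes for the less history file; a dontaudit that wide can hide a later genuine misbehaviour of bootloader_t in home directories. If the observed denials were only search plus add_name/write, a narrower userdomain interface covering just those permissions, kept alongside the existing `userdom_dontaudit_search_user_home_dirs(bootloader_t)`, would be safer. The new interface in the userdomain.if hunk is fine as a building block; the point is about which one bootloader_t should use.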
Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index c5b6522136..fa2fa8ba48 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1450,6 +1450,8 @@ fs_search_cgroup_dirs(systemd_resolved_t) init_dgram_send(systemd_resolved_t) +miscfiles_read_generic_certs(systemd_resolved_t) + seutil_libselinux_linked(systemd_resolved_t) seutil_read_file_contexts(systemd_resolved_t) From b1fb8cbdfe7879797e5650b1f7b88d72ad1b52a6 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 19:56:46 -0400 Subject: [PATCH 030/257] sysadm: allow sysadm to rw ipmi devices Signed-off-by: Kenton Groombridge --- policy/modules/roles/sysadm.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 651c19cf24..33c964e900 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -39,6 +39,7 @@ corenet_ib_access_unlabeled_pkeys(sysadm_t) corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) dev_read_kmsg(sysadm_t) +dev_rw_ipmi_dev(sysadm_t) logging_watch_all_logs(sysadm_t) logging_watch_audit_log(sysadm_t) From 0b94ddf3f14b1dbf794019e38d08202d5138cb80 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 15:47:19 -0400 Subject: [PATCH 031/257] zfs: initial policy module Signed-off-by: Kenton Groombridge --- policy/modules/services/zfs.fc | 14 ++++ policy/modules/services/zfs.if | 144 +++++++++++++++++++++++++++++++++ policy/modules/services/zfs.te | 120 +++++++++++++++++++++++++++ 3 files changed, 278 insertions(+) create mode 100644 policy/modules/services/zfs.fc create mode 100644 policy/modules/services/zfs.if create mode 100644 policy/modules/services/zfs.te diff --git a/policy/modules/services/zfs.fc b/policy/modules/services/zfs.fc new file mode 100644 index 0000000000..61c639fc29 
--- /dev/null
+++ b/policy/modules/services/zfs.fc
@@ -0,0 +1,14 @@
+/usr/bin/zed -- gen_context(system_u:object_r:zed_exec_t,s0)
+/usr/bin/zfs -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/usr/bin/zpool -- gen_context(system_u:object_r:zfs_exec_t,s0)
+
+/usr/sbin/zed -- gen_context(system_u:object_r:zed_exec_t,s0)
+/usr/sbin/zfs -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/usr/sbin/zpool -- gen_context(system_u:object_r:zfs_exec_t,s0)
+
+/etc/zfs(/.*)? gen_context(system_u:object_r:zfs_config_t,s0)
+/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:zfs_zpool_cache_t,s0)
+
+/run/zed\.pid -- gen_context(system_u:object_r:zfs_runtime_t,s0)
+/run/zed\.state -- gen_context(system_u:object_r:zfs_runtime_t,s0)
diff --git a/policy/modules/services/zfs.if b/policy/modules/services/zfs.if
new file mode 100644
index 0000000000..517a6aba63
--- /dev/null
+++ b/policy/modules/services/zfs.if
@@ -0,0 +1,144 @@ +## Tools for the Zettabyte File System. + +######################################## +## +## Execute ZFS tools in the +## ZFS domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`zfs_domtrans',` + gen_require(` + type zfs_t, zfs_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, zfs_exec_t, zfs_t) +') + +######################################## +## +## Execute ZFS tools in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_exec',` + gen_require(` + type zfs_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, zfs_exec_t) +') + +######################################## +## +## Execute ZFS tools in the ZFS domain, and +## allow the specified role the ZFS domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`zfs_run',` + gen_require(` + type zfs_t; + ') + + zfs_domtrans($1) + role $2 types zfs_t; +') + +######################################## +## +## Search ZFS config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_search_config',` + gen_require(` + type zfs_config_t; + ') + + files_search_etc($1) + search_dirs_pattern($1, zfs_config_t, zfs_config_t) +') + +######################################## +## +## Read and write zpool cache files. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_rw_zpool_cache',` + gen_require(` + type zfs_zpool_cache_t; + ') + + zfs_search_config($1) + allow $1 zfs_zpool_cache_t:file rw_file_perms; +') + +######################################## +## +## All of the rules required to +## administrate a ZFS environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`zfs_admin',` + gen_require(` + type zfs_t, zed_t; + type zfs_config_t, zfs_zpool_cache_t; + type zfs_runtime_t; + ') + + zfs_run($1, $2) + + allow $1 zfs_t:process { ptrace signal_perms }; + ps_process_pattern($1, zfs_t) + + allow $1 zed_t:process { ptrace signal_perms }; + ps_process_pattern($1, zed_t) + + files_search_etc($1) + admin_pattern($1, zfs_config_t) + admin_pattern($1, zfs_zpool_cache_t) + + files_search_runtime($1) + admin_pattern($1, zfs_runtime_t) +') diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te new file mode 100644 index 0000000000..05e0d3e5f4 --- /dev/null +++ b/policy/modules/services/zfs.te 
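Review bot: `zfs_run` in this zfs.if hunk authorises the role with `role $2 types zfs_t;`, while zfs.te in the same patch declares `attribute_role zfs_roles` and attaches both zfs_t and zed_t to it; as written no role is ever added to zfs_roles, so the attribute is dead and the two files disagree about which domains a role should receive. Either use `roleattribute $2 zfs_roles;` in zfs_run and keep only zfs_t on the attribute (zed_t is a daemon domain entered from init and does not need a user role), or drop the attribute and the two `role zfs_roles types` lines. The zfs.if hunk begins on the previous source line.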
@@ -0,0 +1,120 @@ +policy_module(zfs) + +######################################## +# +# Declarations +# + +attribute_role zfs_roles; + +type zed_t; +type zed_exec_t; +init_daemon_domain(zed_t, zed_exec_t) +role zfs_roles types zed_t; + +type zfs_t; +type zfs_exec_t; +init_system_domain(zfs_t, zfs_exec_t) +role zfs_roles types zfs_t; + +type zfs_config_t; +files_config_file(zfs_config_t) + +type zfs_zpool_cache_t; +files_config_file(zfs_zpool_cache_t) + +type zfs_runtime_t; +files_runtime_file(zfs_runtime_t) + +######################################## +# +# zed local policy +# + +allow zed_t self:process signal; +allow zed_t self:capability sys_admin; +allow zed_t self:fifo_file rw_fifo_file_perms; +allow zed_t self:unix_dgram_socket create_socket_perms; +allow zed_t self:netlink_kobject_uevent_socket create_socket_perms; + +domtrans_pattern(zed_t, zfs_exec_t, zfs_t) + +list_dirs_pattern(zed_t, zfs_config_t, zfs_config_t) +read_files_pattern(zed_t, zfs_config_t, zfs_config_t) +read_lnk_files_pattern(zed_t, zfs_config_t, zfs_config_t) + +manage_files_pattern(zed_t, zfs_runtime_t, zfs_runtime_t) +files_runtime_filetrans(zed_t, zfs_runtime_t, file) + +# to execute scripts in /usr/libexec/zfs +corecmd_exec_bin(zed_t) +corecmd_exec_shell(zed_t) + +dev_read_sysfs(zed_t) + +files_search_etc(zed_t) + +kernel_read_vm_overcommit_sysctl(zed_t) + +storage_raw_rw_fixed_disk(zed_t) + +auth_use_nsswitch(zed_t) + +logging_send_syslog_msg(zed_t) + +miscfiles_read_localization(zed_t) + +udev_search_runtime(zed_t) + +######################################## +# +# zfs local policy +# + +allow zfs_t self:process getsched; +allow zfs_t self:capability sys_admin; +allow zfs_t self:fifo_file rw_fifo_file_perms; + +list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t) +read_files_pattern(zfs_t, zfs_config_t, zfs_config_t) +read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t) + +# to execute scripts in /usr/libexec/zfs +corecmd_exec_bin(zfs_t) +corecmd_exec_shell(zfs_t) + 
+dev_read_sysfs(zfs_t) + +domain_use_interactive_fds(zfs_t) + +files_getattr_all_dirs(zfs_t) +files_mounton_all_mountpoints(zfs_t) +files_search_etc(zfs_t) + +fs_getattr_xattr_fs(zfs_t) +fs_mount_xattr_fs(zfs_t) +fs_unmount_xattr_fs(zfs_t) +fs_remount_xattr_fs(zfs_t) +fs_relabelfrom_xattr_fs(zfs_t) +fs_ioctl_cgroup_dirs(zfs_t) +fs_rw_nfsd_fs(zfs_t) + +kernel_read_fs_sysctls(zfs_t) +kernel_read_kernel_sysctls(zfs_t) + +storage_raw_rw_fixed_disk(zfs_t) + +miscfiles_read_localization(zfs_t) + +auth_use_nsswitch(zfs_t) + +mount_exec(zfs_t) + +userdom_use_user_terminals(zfs_t) + +optional_policy(` + kernel_rw_rpc_sysctls(zfs_t) + + rpc_manage_nfs_state_data(zfs_t) + rpc_read_exports(zfs_t) +') From efb786924355fdf861e8c6c0bab3bb5d8f0eeb23 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 15:47:27 -0400 Subject: [PATCH 032/257] fstools, mount: remove legacy zfs rules Signed-off-by: Kenton Groombridge --- policy/modules/system/fstools.fc | 1 - policy/modules/system/fstools.te | 2 -- 2 files changed, 3 deletions(-) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index d871294e82..8fbd5ce440 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -49,7 +49,6 @@ /usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index fabff4ca0a..75da8a0a01 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te 
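Review bot: In the zfs local policy section, zfs_t is given only list/read on zfs_config_t, but zfs.fc in this patch labels /etc/zfs/zpool.cache as zfs_zpool_cache_t and nothing here lets zfs_t open it; `zpool import -c /etc/zfs/zpool.cache` (the import-by-cache path) reads that file in userspace, so it would be denied. If that use is intended, add `allow zfs_t zfs_zpool_cache_t:file read_file_perms;` next to the zfs_config_t read rules; read is sufficient because the cache is rewritten by the kernel, which is what the later kernel.te change in this series covers with `zfs_rw_zpool_cache(kernel_t)`. The zfs.te hunk begins on the previous source line.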
@@ -158,8 +158,6 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) -# for zfs/zpool -mount_exec(fsadm_t) # for /run/mount/utab mount_getattr_runtime_files(fsadm_t) From 4b88cb0a25c8fc1854b4b7b5edd3387dfef6b855 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 17:38:49 -0400 Subject: [PATCH 033/257] files, mount: remove legacy ZFS file contexts Signed-off-by: Kenton Groombridge --- policy/modules/kernel/files.fc | 2 -- policy/modules/system/mount.fc | 4 ---- 2 files changed, 6 deletions(-) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 826722f4ee..f6ff6b0790 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -72,8 +72,6 @@ ifdef(`distro_suse',` /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:etc_runtime_t,s0) - ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc index 1646054e0c..f18820508b 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc 
@@ -2,12 +2,8 @@ /usr/bin/fusermount3 -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0) -/usr/bin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) -/usr/bin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/sbin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/sbin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0) -/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) -/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) /run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0) From 24c3747b67f4288a7d39e0be1f9a52e5a61b3caa Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 16:10:14 -0400 Subject: [PATCH 034/257] sysadm: allow admin access to zfs Signed-off-by: Kenton Groombridge --- policy/modules/roles/sysadm.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 33c964e900..98c470af2c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1215,6 +1215,10 @@ optional_policy(` zebra_admin(sysadm_t, sysadm_r) ') +optional_policy(` + zfs_admin(sysadm_t, sysadm_r) +') + ifndef(`distro_redhat',` optional_policy(` auth_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) From 047ee54a5c6e71e3bd1652cd2168fc6b5a57e8af Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 28 Aug 2022 18:13:57 -0400 Subject: [PATCH 035/257] kernel: allow kthreads to read and write the zpool cache Signed-off-by: Kenton Groombridge --- policy/modules/kernel/kernel.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 7e55efe0c9..5fbb78b443 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -493,6 +493,10 @@ optional_policy(`
 unconfined_domain_noaudit(kernel_t)
 ')
 
+optional_policy(`
+ zfs_rw_zpool_cache(kernel_t)
+')
+
 ########################################
 #
 # Unlabeled process local policy
From ae89460231fd54ff32b7f5dee4b5cd91a7e77ca0 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 28 Aug 2022 20:19:28 -0400
Subject: [PATCH 036/257] systemd, zfs: allow systemd-generator to read zfs config
Needed by zfs-mount-generator.
Signed-off-by: Kenton Groombridge
---
policy/modules/services/zfs.if | 20 ++++++++++++++++++++
policy/modules/system/systemd.te | 5 +++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/services/zfs.if b/policy/modules/services/zfs.if
index 517a6aba63..ce9f43e66d 100644
--- a/policy/modules/services/zfs.if
+++ b/policy/modules/services/zfs.if
@@ -84,6 +84,26 @@ interface(`zfs_search_config',`
 search_dirs_pattern($1, zfs_config_t, zfs_config_t)
 ')
 
+########################################
+##
+## Read ZFS config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zfs_read_config',`
+ gen_require(`
+ type zfs_config_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, zfs_config_t, zfs_config_t)
+ read_lnk_files_pattern($1, zfs_config_t, zfs_config_t)
+')
+
 ########################################
 ##
 ## Read and write zpool cache files.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index fa2fa8ba48..a2a44f7c3b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -553,6 +553,11 @@ optional_policy(`
 rpc_read_exports(systemd_generator_t)
 ')
 
+optional_policy(`
+ # needed by zfs-mount-generator
+ zfs_read_config(systemd_generator_t)
+')
+
 #######################################
 #
 # systemd-homed policy
From 4e873c70dcf403718ce835e32f61dff788f2a6e4 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 1 Sep 2022 17:53:20 -0400
Subject: [PATCH 037/257] udev: allow reading ZFS config
Needed by vdev_id:
avc: denied { search } for pid=2670 comm="vdev_id" name="zfs" dev="zfs" ino=93601 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:zfs_config_t:s0 tclass=dir permissive=0
Signed-off-by: Kenton Groombridge
---
policy/modules/system/udev.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6b5948a747..1aa77f2fff 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -371,6 +371,10 @@ optional_policy(`
 xserver_read_xdm_runtime_files(udev_t)
 ')
 
+optional_policy(`
+ zfs_read_config(udev_t)
+')
+
 ########################################
 #
 # udevadm Local policy
From 3265c15c30029db523bb082b3e81cd56ab41fb8e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 14 Sep 2022 10:58:02 -0400
Subject: [PATCH 038/257] init: Add tunable for systemd to create all its mountpoints.
For non-security mounting, only dir and file access is added, as these are the only ones allowed in the mounton call.
Signed-off-by: Chris PeBenito
---
policy/modules/kernel/files.if | 58 +++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.if | 36 ++++++++++++++++++++
policy/modules/system/init.if | 48 +++++++++++++++++++++++++++
policy/modules/system/init.te | 23 +++++++++++++
4 files changed, 165 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5e3f9b7b89..30a9c9b2d1 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -608,6 +608,24 @@ interface(`files_manage_non_security_dirs',` allow $1 non_security_file_type:dir manage_dir_perms; ') +######################################## +## +## Create non-security directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + create_dirs_pattern($1, non_security_file_type, non_security_file_type) +') + ######################################## ## ## Relabel from/to non-security directories. @@ -790,6 +808,46 @@ interface(`files_read_non_security_files',` read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') +######################################## +## +## Write all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_write_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + write_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) +') + +######################################## +## +## Create all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + create_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) +') + ######################################## ## ## Read all directories on the filesystem, except diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 4cd35959a7..966e49b658 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -1655,6 +1655,42 @@ interface(`kernel_dontaudit_list_all_proc',` dontaudit $1 proc_type:file getattr; ') +######################################## +## +## Write systemd mountpoint files except proc entries. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_write_non_proc_init_mountpoint_files',` + gen_require(` + attribute proc_type; + ') + + init_write_mountpoint_files($1, -proc_type) +') + +######################################## +## +## Create systemd mountpoint files except proc entries. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_create_non_proc_init_mountpoint_files',` + gen_require(` + attribute proc_type; + ') + + init_create_mountpoint_files($1, -proc_type) +') + ######################################## ## ## Do not audit attempts by caller to search diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 0c36819899..017129a7fd 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -942,6 +942,54 @@ interface(`init_setsched',` allow $1 init_t:process setsched; ') +######################################## +## +## Write systemd mountpoint files. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`init_write_mountpoint_files',` + gen_require(` + attribute init_mountpoint_type; + ') + + allow $1 { init_mountpoint_type $2 }:file write_file_perms; +') + +######################################## +## +## Create systemd mountpoint files. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`init_create_mountpoint_files',` + gen_require(` + attribute init_mountpoint_type; + ') + + allow $1 { init_mountpoint_type $2 }:file create_file_perms; +') + ######################################## ## ## Connect to init with a unix socket. 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d665498e4d..fdbddbdf4c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,13 @@ gen_require(` ## gen_tunable(init_upstart, false) +## +##

+## Enable systemd to create mountpoints. +##

+##
+gen_tunable(init_create_mountpoints, false) + ## ##

## Allow all daemons the ability to read/write terminals @@ -537,6 +544,22 @@ ifdef(`init_systemd',` userdom_relabel_user_runtime_root_dirs(init_t) + tunable_policy(`init_create_mountpoints',` + allow init_t init_mountpoint_type:dir { create_dir_perms add_entry_dir_perms }; + allow init_t init_mountpoint_type:fifo_file create_fifo_file_perms; + allow init_t init_mountpoint_type:sock_file create_sock_file_perms; + allow init_t init_mountpoint_type:lnk_file create_lnk_file_perms; + + kernel_write_non_proc_init_mountpoint_files(init_t) + kernel_create_non_proc_init_mountpoint_files(init_t) + ') + + tunable_policy(`init_create_mountpoints && init_mounton_non_security',` + files_create_non_security_dirs(init_t) + files_create_non_security_files(init_t) + files_write_non_security_files(init_t) + ') + tunable_policy(`init_mounton_non_security',` files_mounton_non_security(init_t) ') From 7c3d94dd28b63775602dff7a8cd9ceb65e329597 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 14 Sep 2022 14:17:45 -0400 Subject: [PATCH 039/257] Run Ci tests in parallel. Signed-off-by: Chris PeBenito --- .github/workflows/tests.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 74c3d16f8c..bb762d1e27 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -45,8 +45,6 @@ jobs: build: runs-on: ubuntu-latest - needs: lint - strategy: fail-fast: false @@ -79,7 +77,7 @@ jobs: - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined} - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined} - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined} - + steps: - uses: actions/checkout@v2 From 6ff1259688e8dad630e815ec2e384be1c2fedbf1 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Wed, 14 Sep 2022 11:15:00 -0400 Subject: [PATCH 040/257] domain: move kernel_read_crypto_sysctls to a common location 
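Review bot: The description of the new `init_create_mountpoints` tunable says only "Enable systemd to create mountpoints.", but the second tunable_policy block in the init.te hunk makes the combination with `init_mounton_non_security` grant init_t create on every non-security directory and file and write on every non-security file, which is far wider than creating mount points; an administrator enabling both from the description alone would not expect that. Extend the tunable's description with a sentence stating that, when init_mounton_non_security is also enabled, init may create directories and files of, and write to files of, every non-security file type. The enclosing ifdef(init_systemd) block starts outside the hunk.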
Signed-off-by: Dave Sugar --- policy/modules/admin/aide.te | 2 -- policy/modules/admin/cloudinit.te | 1 - policy/modules/admin/puppet.te | 2 -- policy/modules/admin/rpm.te | 2 -- policy/modules/admin/usbguard.te | 1 - policy/modules/admin/usermanage.te | 1 - policy/modules/apps/chromium.te | 2 -- policy/modules/apps/cryfs.te | 2 -- policy/modules/apps/gnome.te | 1 - policy/modules/apps/gpg.te | 2 -- policy/modules/apps/irc.te | 2 -- policy/modules/apps/mplayer.te | 1 - policy/modules/apps/qemu.te | 2 -- policy/modules/kernel/domain.te | 2 ++ policy/modules/services/accountsd.te | 1 - policy/modules/services/apache.te | 1 - policy/modules/services/bird.te | 2 -- policy/modules/services/bitlbee.te | 1 - policy/modules/services/boinc.te | 1 - policy/modules/services/chronyd.te | 1 - policy/modules/services/clamav.te | 2 -- policy/modules/services/colord.te | 1 - policy/modules/services/cron.te | 1 - policy/modules/services/dbus.te | 2 -- policy/modules/services/devicekit.te | 1 - policy/modules/services/dirmngr.te | 2 -- policy/modules/services/entropyd.te | 1 - policy/modules/services/exim.te | 1 - policy/modules/services/firewalld.te | 1 - policy/modules/services/isns.te | 2 -- policy/modules/services/lpd.te | 1 - policy/modules/services/mailman.te | 1 - policy/modules/services/mon.te | 3 --- policy/modules/services/mta.te | 1 - policy/modules/services/networkmanager.te | 1 - policy/modules/services/ntp.te | 1 - policy/modules/services/pacemaker.te | 1 - policy/modules/services/policykit.te | 1 - policy/modules/services/spamassassin.te | 1 - policy/modules/services/ssh.if | 1 - policy/modules/services/ssh.te | 2 -- policy/modules/services/tpm2.te | 2 -- policy/modules/services/virt.te | 2 -- policy/modules/services/xserver.te | 2 -- policy/modules/system/authlogin.te | 1 - policy/modules/system/iscsi.te | 1 - policy/modules/system/locallogin.te | 1 - policy/modules/system/logging.te | 1 - policy/modules/system/lvm.te | 2 -- policy/modules/system/modutils.te | 1 - 
policy/modules/system/systemd.te | 7 ------- policy/modules/system/udev.te | 1 - 52 files changed, 2 insertions(+), 77 deletions(-) diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te index 29acc50d4d..c99cb2625d 100644 --- a/policy/modules/admin/aide.te +++ b/policy/modules/admin/aide.te @@ -44,8 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) files_read_all_symlinks(aide_t) -kernel_read_crypto_sysctls(aide_t) - logging_send_audit_msgs(aide_t) logging_send_syslog_msg(aide_t) diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te index f531cc5d0a..0a82d4436e 100644 --- a/policy/modules/admin/cloudinit.te +++ b/policy/modules/admin/cloudinit.te @@ -74,7 +74,6 @@ init_read_state(cloud_init_t) init_stream_connect(cloud_init_t) kernel_read_system_state(cloud_init_t) -kernel_read_crypto_sysctls(cloud_init_t) kernel_read_kernel_sysctls(cloud_init_t) libs_dontaudit_manage_lib_dirs(cloud_init_t) diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index f2b080f9ab..c7e574ce15 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te @@ -97,7 +97,6 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) kernel_dontaudit_search_sysctl(puppet_t) kernel_dontaudit_search_kernel_sysctl(puppet_t) -kernel_read_crypto_sysctls(puppet_t) kernel_read_kernel_sysctls(puppet_t) kernel_read_net_sysctls(puppet_t) kernel_read_network_state(puppet_t) @@ -289,7 +288,6 @@ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) kernel_read_system_state(puppetmaster_t) -kernel_read_crypto_sysctls(puppetmaster_t) kernel_read_kernel_sysctls(puppetmaster_t) corecmd_exec_bin(puppetmaster_t) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index c16d6c973f..81b6ad3d2d 100644 --- a/policy/modules/admin/rpm.te 
+++ b/policy/modules/admin/rpm.te @@ -119,7 +119,6 @@ files_runtime_filetrans(rpm_t, rpm_runtime_t, { dir file }) can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t }) -kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) @@ -271,7 +270,6 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t }) -kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te index 4e8be85431..26d9028b8e 100644 --- a/policy/modules/admin/usbguard.te +++ b/policy/modules/admin/usbguard.te @@ -65,7 +65,6 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t) dev_rw_sysfs(usbguard_t) -kernel_read_crypto_sysctls(usbguard_t) kernel_read_kernel_sysctls(usbguard_t) kernel_dontaudit_getattr_proc(usbguard_t) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 17c8f080cb..2c9be9d0cc 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -308,7 +308,6 @@ allow passwd_t self:msg { send receive }; allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -kernel_read_crypto_sysctls(passwd_t) kernel_read_kernel_sysctls(passwd_t) kernel_dontaudit_getattr_proc(passwd_t) diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te index 18e98ef1fc..2f85172f29 100644 --- a/policy/modules/apps/chromium.te +++ b/policy/modules/apps/chromium.te @@ -151,7 +151,6 @@ kernel_associate_proc(chromium_t) kernel_get_sysvipc_info(chromium_t) kernel_list_proc(chromium_t) -kernel_read_crypto_sysctls(chromium_t) kernel_read_fs_sysctls(chromium_t) kernel_read_kernel_sysctls(chromium_t) kernel_read_net_sysctls(chromium_t) 
@@ -233,7 +232,6 @@ tunable_policy(`chromium_rw_usb_dev',` tunable_policy(`chromium_read_system_info',` kernel_read_kernel_sysctls(chromium_t) # Memory optimizations & optimizations based on OS/version - kernel_read_crypto_sysctls(chromium_t) kernel_read_system_state(chromium_t) # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices). diff --git a/policy/modules/apps/cryfs.te b/policy/modules/apps/cryfs.te index ad43e472af..7b34fe7f4f 100644 --- a/policy/modules/apps/cryfs.te +++ b/policy/modules/apps/cryfs.te @@ -41,8 +41,6 @@ files_read_etc_files(cryfs_t) fs_getattr_xattr_fs(cryfs_t) fs_mount_fusefs(cryfs_t) -# For /proc/sys/crypto/fips_enabled -kernel_read_crypto_sysctls(cryfs_t) # gocryptfs reads /proc/sys/fs/pipe-max-size kernel_read_fs_sysctls(cryfs_t) # gocryptfs reads /proc/sys/net/core/somaxconn diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 98bc0e7a57..0db451e40e 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -170,7 +170,6 @@ manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t) manage_files_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t) xdg_data_filetrans(gkeyringd_domain, gnome_xdg_data_t, dir) -kernel_read_crypto_sysctls(gkeyringd_domain) kernel_read_kernel_sysctls(gkeyringd_domain) kernel_read_system_state(gkeyringd_domain) diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index d265013fb7..e3d13b84f9 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -103,7 +103,6 @@ gpg_stream_connect_agent(gpg_t) domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) -kernel_read_crypto_sysctls(gpg_t) kernel_read_sysctl(gpg_t) # read /proc/cpuinfo kernel_read_system_state(gpg_t) 
@@ -244,7 +243,6 @@ filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file) domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t) kernel_dontaudit_search_sysctl(gpg_agent_t) -kernel_read_crypto_sysctls(gpg_agent_t) kernel_read_system_state(gpg_agent_t) auth_use_nsswitch(gpg_agent_t) diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 4b58e7ec1a..25f44c36a7 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -68,8 +68,6 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) -# For /proc/sys/crypto/fips_enabled -kernel_read_crypto_sysctls(irc_t) kernel_read_system_state(irc_t) corenet_all_recvfrom_netlabel(irc_t) diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index ed6fa94436..a943fe9b6d 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -151,7 +151,6 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo kernel_dontaudit_list_unlabeled(mplayer_t) kernel_dontaudit_getattr_unlabeled_files(mplayer_t) kernel_dontaudit_read_unlabeled_files(mplayer_t) -kernel_read_crypto_sysctls(mplayer_t) kernel_read_system_state(mplayer_t) kernel_read_kernel_sysctls(mplayer_t) diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te index f3ed645102..232b3101ad 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -33,8 +33,6 @@ init_unit_file(qemu_unit_t) # Local policy # -kernel_read_crypto_sysctls(qemu_t) - dev_read_sysfs(qemu_t) allow qemu_t qemu_runtime_t:sock_file create_sock_file_perms; diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 0d2730ebca..25e296421f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te 
@@ -93,6 +93,8 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
+
+kernel_read_crypto_sysctls(domain)
kernel_read_proc_symlinks(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 6f3e7ca0b9..6a04d88062 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -30,7 +30,6 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
-kernel_read_crypto_sysctls(accountsd_t)
kernel_read_kernel_sysctls(accountsd_t)
kernel_read_system_state(accountsd_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 193a16dc5e..e2c50da234 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -461,7 +461,6 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
kernel_read_kernel_sysctls(httpd_t)
-kernel_read_crypto_sysctls(httpd_t)
kernel_read_vm_sysctls(httpd_t)
kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
diff --git a/policy/modules/services/bird.te b/policy/modules/services/bird.te
index dd5ea2b4e6..68ae92f94c 100644
--- a/policy/modules/services/bird.te
+++ b/policy/modules/services/bird.te
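Review bot: `kernel_read_crypto_sysctls(domain)` is added to domain.te without any comment, while every rationale the per-module rules carried is deleted elsewhere in this patch (`# For /proc/sys/crypto/fips_enabled` in cryfs.te and irc.te, `# to read fips_enabled` in mon.te, `# for systemd-cryptsetup` in lvm.te), so a later reader of domain.te cannot tell why an attribute-wide grant on /proc/sys/crypto exists. Add a comment above the new line, e.g. `# For /proc/sys/crypto/fips_enabled, read by most domains`, so the grant is recognisable as deliberate rather than a leftover. The read-only nature of the interface keeps the widening low-risk, but the documentation should travel with the rule that now carries it. The deletions in the remaining hunks of this patch are the same move and need no separate note.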
@@ -42,8 +42,6 @@ allow bird_t bird_runtime_t:sock_file manage_sock_file_perms; allow bird_t bird_runtime_t:dir manage_dir_perms; files_runtime_filetrans(bird_t, bird_runtime_t, { sock_file dir }) -kernel_read_crypto_sysctls(bird_t) - corenet_all_recvfrom_netlabel(bird_t) corenet_tcp_sendrecv_generic_if(bird_t) corenet_tcp_bind_generic_node(bird_t) diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te index c3f7ae51eb..2d133906f1 100644 --- a/policy/modules/services/bitlbee.te +++ b/policy/modules/services/bitlbee.te @@ -61,7 +61,6 @@ files_runtime_filetrans(bitlbee_t, bitlbee_runtime_t, { dir file sock_file }) kernel_read_kernel_sysctls(bitlbee_t) kernel_read_system_state(bitlbee_t) -kernel_read_crypto_sysctls(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) corenet_tcp_sendrecv_generic_if(bitlbee_t) diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te index 6335d0c323..cae4a35b96 100644 --- a/policy/modules/services/boinc.te +++ b/policy/modules/services/boinc.te @@ -87,7 +87,6 @@ domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) kernel_read_system_state(boinc_t) kernel_search_vm_sysctl(boinc_t) -kernel_read_crypto_sysctls(boinc_t) kernel_read_kernel_sysctls(boinc_t) corenet_all_recvfrom_netlabel(boinc_t) diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te index aca9a63fdf..c984f2bb48 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -81,7 +81,6 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t) manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t) files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file }) -kernel_read_crypto_sysctls(chronyd_t) kernel_read_system_state(chronyd_t) kernel_read_network_state(chronyd_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index b2ea270c74..c171fd7dcc 100644 
--- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -108,7 +108,6 @@ read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type) list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type) kernel_dontaudit_list_proc(clamd_t) -kernel_read_crypto_sysctls(clamd_t) kernel_read_sysctl(clamd_t) kernel_read_kernel_sysctls(clamd_t) kernel_read_system_state(clamd_t) @@ -200,7 +199,6 @@ stream_connect_pattern(freshclam_t, clamd_runtime_t, clamd_runtime_t, clamd_t) read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) kernel_dontaudit_list_proc(freshclam_t) -kernel_read_crypto_sysctls(freshclam_t) kernel_read_kernel_sysctls(freshclam_t) kernel_read_network_state(freshclam_t) kernel_read_system_state(freshclam_t) diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index 8499fd5509..65966340c6 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -46,7 +46,6 @@ manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, dir) allow colord_t colord_var_lib_t:dir watch; -kernel_read_crypto_sysctls(colord_t) kernel_read_device_sysctls(colord_t) kernel_read_network_state(colord_t) kernel_read_system_state(colord_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 2d5e7ccea3..5af9f7ec11 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -483,7 +483,6 @@ allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; kernel_getattr_core_if(system_cronjob_t) kernel_getattr_message_if(system_cronjob_t) -kernel_read_crypto_sysctls(system_cronjob_t) kernel_read_irq_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index c398988186..bc7e4d2118 100644 --- a/policy/modules/services/dbus.te 
+++ b/policy/modules/services/dbus.te @@ -117,7 +117,6 @@ files_runtime_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file }) can_exec(system_dbusd_t, dbusd_exec_t) -kernel_read_crypto_sysctls(system_dbusd_t) kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) @@ -302,7 +301,6 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) -kernel_read_crypto_sysctls(session_bus_type) kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index e9a44da15a..9ec5933c6e 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -87,7 +87,6 @@ files_runtime_filetrans(devicekit_disk_t, devicekit_runtime_t, { dir file }) kernel_getattr_message_if(devicekit_disk_t) kernel_list_unlabeled(devicekit_disk_t) kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) -kernel_read_crypto_sysctls(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te index f34b8f4bae..0f7faf558a 100644 --- a/policy/modules/services/dirmngr.te +++ b/policy/modules/services/dirmngr.te @@ -64,8 +64,6 @@ manage_files_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t) manage_sock_files_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t) files_runtime_filetrans(dirmngr_t, dirmngr_runtime_t, { dir file }) -kernel_read_crypto_sysctls(dirmngr_t) - dev_read_rand(dirmngr_t) dev_read_urand(dirmngr_t) 
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te index b87d0b56ea..62129852c1 100644 --- a/policy/modules/services/entropyd.te +++ b/policy/modules/services/entropyd.te @@ -42,7 +42,6 @@ files_runtime_filetrans(entropyd_t, entropyd_runtime_t, file) kernel_read_system_state(entropyd_t) kernel_rw_kernel_sysctl(entropyd_t) -kernel_read_crypto_sysctls(entropyd_t) dev_read_sysfs(entropyd_t) dev_read_urand(entropyd_t) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 65217d7ea4..1aab4002c8 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -102,7 +102,6 @@ files_tmp_filetrans(exim_t, exim_tmp_t, { dir file }) manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) -kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) kernel_dontaudit_read_system_state(exim_t) diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te index 32e1689819..2dbcba1458 100644 --- a/policy/modules/services/firewalld.te +++ b/policy/modules/services/firewalld.te @@ -62,7 +62,6 @@ manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file }) -kernel_read_crypto_sysctls(firewalld_t) kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) kernel_request_load_module(firewalld_t) diff --git a/policy/modules/services/isns.te b/policy/modules/services/isns.te index 2b18f97d34..582f1d5026 100644 --- a/policy/modules/services/isns.te +++ b/policy/modules/services/isns.te 
@@ -38,8 +38,6 @@ manage_sock_files_pattern(isnsd_t, isnsd_runtime_t, isnsd_runtime_t) manage_files_pattern(isnsd_t, isnsd_runtime_t, isnsd_runtime_t) files_runtime_filetrans(isnsd_t, isnsd_runtime_t, { file sock_file }) -kernel_read_crypto_sysctls(isnsd_t) - corenet_all_recvfrom_netlabel(isnsd_t) corenet_tcp_sendrecv_generic_if(isnsd_t) corenet_tcp_sendrecv_generic_node(isnsd_t) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index a49852e855..160a2611a6 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -207,7 +207,6 @@ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_p can_exec(lpr_t, lpr_exec_t) -kernel_read_crypto_sysctls(lpr_t) kernel_read_kernel_sysctls(lpr_t) corenet_all_recvfrom_netlabel(lpr_t) diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index 5ca6a7e2c2..97a000d272 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -125,7 +125,6 @@ allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms; fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; -kernel_read_crypto_sysctls(mailman_cgi_t) kernel_read_net_sysctls(mailman_cgi_t) kernel_read_system_state(mailman_cgi_t) kernel_read_vm_overcommit_sysctl(mailman_cgi_t) diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te index 19c1000b70..b9a3498715 100644 --- a/policy/modules/services/mon.te +++ b/policy/modules/services/mon.te @@ -58,9 +58,6 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t) manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t) files_runtime_filetrans(mon_t, mon_runtime_t, file) -# to read fips_enabled -kernel_read_crypto_sysctls(mon_t) - kernel_read_kernel_sysctls(mon_t) kernel_read_network_state(mon_t) kernel_read_system_state(mon_t) 
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 930530ce44..5eecac3896 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -74,7 +74,6 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) -kernel_read_crypto_sysctls(user_mail_domain) kernel_read_system_state(user_mail_domain) kernel_read_kernel_sysctls(user_mail_domain) kernel_read_network_state(user_mail_domain) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 43960a8636..6568e314c2 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -93,7 +93,6 @@ files_runtime_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file s can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) -kernel_read_crypto_sysctls(NetworkManager_t) kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index c3c4808546..16494ba614 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -95,7 +95,6 @@ can_exec(ntpd_t, ntpd_exec_t) kernel_read_kernel_sysctls(ntpd_t) kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) -kernel_read_crypto_sysctls(ntpd_t) kernel_request_load_module(ntpd_t) corenet_all_recvfrom_netlabel(ntpd_t) diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te index 39b6b540a5..508c769a48 100644 --- a/policy/modules/services/pacemaker.te +++ b/policy/modules/services/pacemaker.te 
@@ -172,7 +172,6 @@ fs_read_cgroup_files(pcs_snmp_agent_t) kernel_read_kernel_sysctls(pcs_snmp_agent_t) kernel_read_system_state(pcs_snmp_agent_t) -kernel_read_crypto_sysctls(pcs_snmp_agent_t) init_search_runtime(pcs_snmp_agent_t) init_read_state(pcs_snmp_agent_t) diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 197dc13c56..85aeb3bd4d 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -87,7 +87,6 @@ can_exec(policykit_t, policykit_exec_t) domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t) domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t) -kernel_read_crypto_sysctls(policykit_t) kernel_read_kernel_sysctls(policykit_t) kernel_read_system_state(policykit_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 4162995f5a..a5598c2347 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -517,7 +517,6 @@ manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -kernel_read_crypto_sysctls(spamd_update_t) kernel_search_fs_sysctls(spamd_update_t) kernel_read_system_state(spamd_update_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 606bf43f22..44cf1b8730 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -222,7 +222,6 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) - kernel_read_crypto_sysctls($1_t) corenet_all_recvfrom_netlabel($1_t) corenet_tcp_sendrecv_generic_if($1_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 89a5bd3dd5..a93f2447d9 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
@@ -248,7 +248,6 @@ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) corecmd_exec_bin(sshd_t) kernel_link_key(sshd_t) -kernel_read_crypto_sysctls(sshd_t) kernel_search_key(sshd_t) term_use_all_ptys(sshd_t) @@ -341,7 +340,6 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) kernel_read_kernel_sysctls(ssh_keygen_t) -kernel_read_crypto_sysctls(ssh_keygen_t) kernel_dontaudit_getattr_proc(ssh_keygen_t) kernel_dontaudit_read_system_state(ssh_keygen_t) diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te index aa728de6d1..48173de1ba 100644 --- a/policy/modules/services/tpm2.te +++ b/policy/modules/services/tpm2.te @@ -27,7 +27,6 @@ allow tpm2_abrmd_t self:fifo_file rw_inherited_fifo_file_perms; dev_rw_tpm(tpm2_abrmd_t) -kernel_read_crypto_sysctls(tpm2_abrmd_t) kernel_read_system_state(tpm2_abrmd_t) logging_send_syslog_msg(tpm2_abrmd_t) @@ -48,7 +47,6 @@ dev_rw_tpm(tpm2_t) files_read_etc_files(tpm2_t) -kernel_read_crypto_sysctls(tpm2_t) kernel_read_system_state(tpm2_t) miscfiles_read_generic_certs(tpm2_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 362dda3a46..851c23c656 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -575,7 +575,6 @@ stream_connect_pattern(virtd_t, virt_runtime_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -843,7 +842,6 @@ virt_manage_images(virsh_t) virt_manage_config(virsh_t) virt_stream_connect(virsh_t) -kernel_read_crypto_sysctls(virsh_t) kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index a4e7b7e7c8..8a3c658a8d 100644 --- a/policy/modules/services/xserver.te 
+++ b/policy/modules/services/xserver.te @@ -377,7 +377,6 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xdm_t, xserver_log_t, file) -kernel_read_crypto_sysctls(xdm_t) kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) @@ -684,7 +683,6 @@ allow xserver_t xauth_home_t:file read_file_perms; manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) -kernel_read_crypto_sysctls(xserver_t) kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) kernel_read_modprobe_sysctls(xserver_t) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index a684f9875a..ab15b40d67 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -114,7 +114,6 @@ dontaudit chkpwd_t self:process getcap; allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -kernel_read_crypto_sysctls(chkpwd_t) kernel_dontaudit_search_kernel_sysctl(chkpwd_t) kernel_dontaudit_read_kernel_sysctl(chkpwd_t) kernel_dontaudit_getattr_proc(chkpwd_t) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index 6f67d9731b..171bfe85af 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te @@ -66,7 +66,6 @@ files_runtime_filetrans(iscsid_t, iscsi_runtime_t, file) can_exec(iscsid_t, iscsid_exec_t) -kernel_read_crypto_sysctls(iscsid_t) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) kernel_request_load_module(iscsid_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 8121292fdc..7728de8040 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te 
@@ -244,7 +244,6 @@ allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) -kernel_read_crypto_sysctls(sulogin_t) kernel_stream_connect(sulogin_t) kernel_use_fds(sulogin_t) # because file systems are not mounted: diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 31232e89c4..c9b8511f48 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -442,7 +442,6 @@ allow syslogd_t syslogd_runtime_t:file map; manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) -kernel_read_crypto_sysctls(syslogd_t) kernel_read_system_state(syslogd_t) kernel_read_network_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index b0d1c02b7f..c840594574 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -121,8 +121,6 @@ kernel_dontaudit_search_unlabeled(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) -# for systemd-cryptsetup -kernel_read_crypto_sysctls(lvm_t) kernel_search_debugfs(lvm_t) # multipath kernel_read_vm_overcommit_sysctl(lvm_t) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 57e2379884..3da4d53548 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -54,7 +54,6 @@ can_exec(kmod_t, kmod_exec_t) kernel_load_module(kmod_t) kernel_request_load_module(kmod_t) -kernel_read_crypto_sysctls(kmod_t) kernel_read_system_state(kmod_t) kernel_read_network_state(kmod_t) kernel_write_proc_files(kmod_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 0264c62194..341efbf4b0 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -434,7 +434,6 @@ kernel_read_kernel_sysctls(systemd_coredump_t) kernel_read_system_state(systemd_coredump_t) kernel_rw_pipes(systemd_coredump_t) kernel_use_fds(systemd_coredump_t) -kernel_read_crypto_sysctls(systemd_coredump_t) corecmd_exec_bin(systemd_coredump_t) corecmd_read_all_executables(systemd_coredump_t) @@ -594,7 +593,6 @@ fs_get_xattr_fs_quotas(systemd_homed_t) fs_getattr_all_fs(systemd_homed_t) kernel_read_kernel_sysctls(systemd_homed_t) -kernel_read_crypto_sysctls(systemd_homed_t) kernel_read_system_state(systemd_homed_t) systemd_log_parse_environment(systemd_homed_t) @@ -666,7 +664,6 @@ kernel_get_sysvipc_info(systemd_homework_t) kernel_request_load_module(systemd_homework_t) kernel_read_kernel_sysctls(systemd_homework_t) -kernel_read_crypto_sysctls(systemd_homework_t) kernel_read_system_state(systemd_homework_t) # loopback: @@ -740,8 +737,6 @@ selinux_use_status_page(systemd_hw_t) init_read_state(systemd_hw_t) init_search_runtime(systemd_hw_t) -kernel_read_crypto_sysctls(systemd_hw_t) - seutil_read_config(systemd_hw_t) seutil_read_file_contexts(systemd_hw_t) @@ -774,7 +769,6 @@ optional_policy(` dontaudit systemd_log_parse_env_type self:capability net_admin; kernel_read_system_state(systemd_log_parse_env_type) -kernel_read_crypto_sysctls(systemd_log_parse_env_type) dev_write_kmsg(systemd_log_parse_env_type) @@ -1430,7 +1424,6 @@ init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir) dev_read_sysfs(systemd_resolved_t) -kernel_read_crypto_sysctls(systemd_resolved_t) kernel_read_kernel_sysctls(systemd_resolved_t) kernel_read_net_sysctls(systemd_resolved_t) kernel_dontaudit_getattr_proc(systemd_resolved_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 1aa77f2fff..7d38af4964 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
@@ -102,7 +102,6 @@ kernel_search_key(udev_t)
 kernel_get_sysvipc_info(udev_t)
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
-kernel_read_crypto_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
 kernel_dontaudit_search_unlabeled(udev_t)
From 0cace1e7a39bd0030a2a8f24f15d98ecf07ca0dc Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Tue, 23 Aug 2022 17:31:30 -0400
Subject: [PATCH 041/257] fapolicyd: Initial SELinux policy
Signed-off-by: Dave Sugar
---
 policy/modules/admin/fapolicyd.fc | 15 +++
 policy/modules/admin/fapolicyd.if | 157 +++++++++++++++++++++++++++
 policy/modules/admin/fapolicyd.te | 170 ++++++++++++++++++++++++++++++
 policy/modules/kernel/files.if | 36 +++++++
 policy/modules/roles/sysadm.te | 4 +
 5 files changed, 382 insertions(+)
 create mode 100644 policy/modules/admin/fapolicyd.fc
 create mode 100644 policy/modules/admin/fapolicyd.if
 create mode 100644 policy/modules/admin/fapolicyd.te
diff --git a/policy/modules/admin/fapolicyd.fc b/policy/modules/admin/fapolicyd.fc
new file mode 100644
index 0000000000..7f15fc5772
--- /dev/null
+++ b/policy/modules/admin/fapolicyd.fc
@@ -0,0 +1,15 @@
+/etc/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_config_t,s0)
+/etc/fapolicyd/compiled\.rules -- gen_context(system_u:object_r:fapolicyd_compiled_rules_t,mls_systemhigh)
+
+/usr/lib/systemd/system/[^/]*fapolicyd.* -- gen_context(system_u:object_r:fapolicyd_unit_t,s0)
+
+/usr/sbin/fapolicyd -- gen_context(system_u:object_r:fapolicyd_exec_t,s0)
+/usr/sbin/fapolicyd-cli -- gen_context(system_u:object_r:fapolicyc_exec_t,s0)
+/usr/sbin/fagenrules -- gen_context(system_u:object_r:fagenrules_exec_t,s0)
+
+/var/lib/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_lib_t,s0)
+
+/var/log/fapolicyd-access\.log -- gen_context(system_u:object_r:fapolicyd_log_t,s0)
+
+/var/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_runtime_t,s0)
+/var/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_runtime_t,s0)
diff --git a/policy/modules/admin/fapolicyd.if b/policy/modules/admin/fapolicyd.if
new file mode 100644
index 0000000000..aaa4c14eb5
--- /dev/null
+++ b/policy/modules/admin/fapolicyd.if
@@ -0,0 +1,157 @@
+##
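Review bot: The `/etc/fapolicyd/compiled\.rules` entry is the only object in this file labelled at `mls_systemhigh` while everything else, including the daemon's own executable, is at `s0`; on an MLS build a reader running at plain `s0` cannot read up, so the intended reader range should be stated next to it, e.g. `# compiled rules are system-high; only a domain whose range reaches systemhigh can read them`, or the level reconsidered. The two `/var/run/fapolicyd` entries use the legacy prefix; if this tree relies on the `/var/run` to `/run` substitution in file_contexts.subs_dist, they should be written as `/run/fapolicyd(/.*)?` and `/run/fapolicyd\.pid` like the rest of the policy. `fapolicyd-cli` is labelled `fapolicyc_exec_t`, a name that matches neither the binary nor any other type here, so a one-line comment such as `# fapolicyd-cli runs in the fapolicyc_t domain` would help anyone grepping for it.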

+## The fapolicyd software framework controls the execution of applications based +## on a user-defined policy. This is one of the most efficient ways to prevent +## running untrusted and possibly malicious applications on the system. +## + +######################################## +## +## Read fapolicyd config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fapolicyd_mmap_read_config_files',` + gen_require(` + type fapolicyd_config_t; + ') + + mmap_read_files_pattern($1, fapolicyd_config_t, fapolicyd_config_t) +') + +###################################### +## +## Execute fagenrules in the fagenrules_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fapolicyd_domtrans_fagenrules',` + gen_require(` + type fagenrules_t, fagenrules_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fagenrules_exec_t, fagenrules_t) +') + +######################################## +## +## Execute fagenrules in the fagenrules domain, +## and allow the specified roles the +## fagenurles domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`fapolicyd_run_fagenrules',` + gen_require(` + attribute_role fagenrules_roles; + ') + + fapolicyd_domtrans_fagenrules($1) + roleattribute $2 fagenrules_roles; +') + + +##################################### +## +## Execute fapolicyd-cli in the fapolicyc domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fapolicyd_domtrans_cli',` + gen_require(` + type fapolicyc_t, fapolicyc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fapolicyc_exec_t, fapolicyc_t) +') + +######################################## +## +## Execute fapoliyd-cli in the fapolicyc domain, +## and allow the specified roles the +## fapolicyc domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`fapolicyd_run_cli',` + gen_require(` + attribute_role fapolicyc_roles; + ') + + fapolicyd_domtrans_cli($1) + roleattribute $2 fapolicyc_roles; +') + +######################################## +## +## All of the rules required to +## administrate an fapolicyd environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`fapolicyd_admin',` + gen_require(` + type fagenrules_tmp_t; + type fapolicyd_config_t; + type fapolicyd_log_t; + type fapolicyd_runtime_t; + ') + + files_search_tmp($1) + admin_pattern($1, fagenrules_tmp_t) + + files_search_etc($1) + admin_pattern($1, fapolicyd_config_t) + + logging_search_logs($1) + admin_pattern($1, fapolicyd_log_t) + + files_search_runtime($1) + admin_pattern($1, fapolicyd_runtime_t) + + fapolicyd_run_fagenrules($1, $2) + fapolicyd_run_cli($1, $2) +') diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te new file mode 100644 index 0000000000..35e475340c --- /dev/null +++ b/policy/modules/admin/fapolicyd.te 
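Review bot: `fapolicyd_admin` lacks the daemon-control rules a refpolicy admin interface normally carries: nothing in it lets the admin role start, stop or inspect the service, which would be `init_startstop_service($1, $2, fapolicyd_t, fapolicyd_unit_t)` together with `allow $1 fapolicyd_t:process { ptrace signal_perms };` and `ps_process_pattern($1, fapolicyd_t)`. `admin_pattern($1, fapolicyd_config_t)` also does not reach `/etc/fapolicyd/compiled.rules`, which the .fc in this commit labels `fapolicyd_compiled_rules_t`, nor the `fapolicyd_var_lib_t` trust database, so an administrator confined by this interface cannot manage either; `fapolicyd_unit_t` and `fapolicyd_var_lib_t` are declared in the .te but referenced by no interface at all. The summaries of `fapolicyd_run_fagenrules` and `fapolicyd_run_cli` misspell the domain names (`fagenurles`, `fapoliyd-cli`) and should read `fagenrules` and `fapolicyd-cli`.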
@@ -0,0 +1,170 @@ +policy_module(fapolicyd) + +######################################## +# +# Declarations +# + +attribute_role fapolicyc_roles; +attribute_role fagenrules_roles; + +# for the fapolicyd daemon - long running process +type fapolicyd_t; +type fapolicyd_exec_t; +init_daemon_domain(fapolicyd_t, fapolicyd_exec_t) + +# for the fapolicyd-cli process - interact with daemon +type fapolicyc_t; +type fapolicyc_exec_t; +application_domain(fapolicyc_t, fapolicyc_exec_t) +role fapolicyc_roles types fapolicyc_t; + +# for the fagenrules script - compile rules +type fagenrules_t; +type fagenrules_exec_t; +application_domain(fagenrules_t, fagenrules_exec_t) +init_script_domain(fagenrules_t, fagenrules_exec_t) +role fagenrules_roles types fagenrules_t; + +type fapolicyd_config_t; +files_config_file(fapolicyd_config_t) + +type fapolicyd_compiled_rules_t; +files_security_file(fapolicyd_compiled_rules_t) + +type fapolicyd_log_t; +logging_log_file(fapolicyd_log_t) + +type fapolicyd_runtime_t; +files_runtime_file(fapolicyd_runtime_t) + +type fagenrules_tmp_t; +files_tmp_file(fagenrules_tmp_t) + +type fapolicyd_unit_t; +init_unit_file(fapolicyd_unit_t) + +type fapolicyd_var_lib_t; +files_type(fapolicyd_var_lib_t) + +######################################## +# +# fapolicyd (daemon) local policy +# + +allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace }; +allow fapolicyd_t self:process { setcap setsched }; + +allow fapolicyd_t fapolicyd_log_t:file { create_file_perms write_file_perms }; + +manage_fifo_files_pattern(fapolicyd_t, fapolicyd_runtime_t, fapolicyd_runtime_t) +manage_files_pattern(fapolicyd_t, fapolicyd_runtime_t, fapolicyd_runtime_t) + +# compiled rules, compiled by /sbin/fagenrules and copied into place, then restorecon +read_files_pattern(fapolicyd_t, fapolicyd_config_t, fapolicyd_compiled_rules_t) + +mmap_manage_files_pattern(fapolicyd_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t) + 
+kernel_getattr_proc(fapolicyd_t) +kernel_read_kernel_sysctls(fapolicyd_t) + +domain_read_all_domains_state(fapolicyd_t) + +files_read_all_files(fapolicyd_t) +files_read_all_symlinks(fapolicyd_t) +files_runtime_filetrans(fapolicyd_t, fapolicyd_runtime_t, { file fifo_file }) +files_map_usr_files(fapolicyd_t) +files_watch_all_mountpoints(fapolicyd_t) +files_watch_all_mount_perm(fapolicyd_t) + +fs_getattr_xattr_fs(fapolicyd_t) + +logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file) +logging_send_syslog_msg(fapolicyd_t) + +fapolicyd_mmap_read_config_files(fapolicyd_t) + +optional_policy(` + rpm_manage_db(fapolicyd_t) +') + +######################################## +# +# fagenrules local policy +# + +allow fagenrules_t self:capability { fsetid kill }; +allow fagenrules_t self:fifo_file rw_inherited_fifo_file_perms; + + +# fagenpolicy finds running fapolicyd and sighup after generating rules +allow fagenrules_t fapolicyd_t:process signal; +ps_process_pattern(fagenrules_t, fapolicyd_t) + +# /sbin/fagenrules copies compiled rules into /etc/faplicyd then calls restorecon +# on new /etc/fapolicy/compiled.rules +allow fagenrules_t fapolicyd_compiled_rules_t:file { relabelfrom relabelto }; +filetrans_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t, file) +manage_files_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t) + +manage_files_pattern(fagenrules_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t) + +kernel_getattr_proc(fagenrules_t) +kernel_read_kernel_sysctls(fagenrules_t) +kernel_read_system_state(fagenrules_t) + +corecmd_exec_bin(fagenrules_t) +corecmd_exec_shell(fagenrules_t) + +# fagenpolicy uses 'pidof' to find running fapolicyd +domain_dontaudit_read_all_domains_state(fagenrules_t) +domain_use_interactive_fds(fagenrules_t) + +files_list_runtime(fagenrules_t) +files_read_etc_files(fagenrules_t) +files_read_usr_files(fagenrules_t) +files_search_var_lib(fagenrules_t) + +files_tmp_filetrans(fagenrules_t, fagenrules_tmp_t, { dir 
file }) +manage_files_pattern(fagenrules_t, fagenrules_tmp_t, fagenrules_tmp_t) + +init_rw_stream_sockets(fagenrules_t) + +logging_send_syslog_msg(fagenrules_t) + +miscfiles_read_localization(fagenrules_t) + +seutil_exec_setfiles(fagenrules_t) +seutil_read_file_contexts(fagenrules_t) + +userdom_use_inherited_user_terminals(fagenrules_t) + +fapolicyd_mmap_read_config_files(fagenrules_t) + +######################################## +# +# fapolicyc (fapolicyd-cli) local policy +# + +allow fapolicyc_t fapolicyd_runtime_t:fifo_file write_fifo_file_perms; +mmap_manage_files_pattern(fapolicyc_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t) +mmap_read_files_pattern(fapolicyc_t, fapolicyd_config_t, fapolicyd_compiled_rules_t) + +kernel_getattr_proc(fapolicyc_t) +kernel_list_proc(fapolicyc_t) +kernel_read_kernel_sysctls(fapolicyc_t) + +corecmd_search_bin(fapolicyc_t) + +domain_use_interactive_fds(fapolicyc_t) + +files_list_runtime(fapolicyc_t) +files_read_all_files(fapolicyc_t) +files_read_etc_files(fapolicyc_t) + +logging_send_syslog_msg(fapolicyc_t) + +userdom_use_inherited_user_terminals(fapolicyc_t) + +fapolicyd_mmap_read_config_files(fapolicyc_t) + diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 9516c2321e..f7217b2261 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
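Review bot: `fapolicyd_t` is granted `sys_admin` and `sys_ptrace` plus `files_read_all_files` and `domain_read_all_domains_state` with no comment on why each broad permission is needed; refpolicy convention is to justify such grants inline, e.g. `# sys_admin: fanotify_init() requires CAP_SYS_ADMIN` if that is indeed the reason (presumably, given the fanotify-style `files_watch_all_mount_perm` call). The log rule `allow fapolicyd_t fapolicyd_log_t:file { create_file_perms write_file_perms };` lets the daemon truncate or rewrite its own access log; if fapolicyd opens the log with O_APPEND, `append_file_perms` is enough and keeps the log tamper-evident against the daemon's own domain, so this is worth confirming. `fagenrules_t` is declared both `application_domain` and `init_script_domain`, which is unusual and deserves a comment saying which caller needs the init-script entry. The comments in the fagenrules section say `fagenpolicy`, `/etc/faplicyd` and `/etc/fapolicy/compiled.rules`, while the binary is `fagenrules` and the .fc labels `/etc/fapolicyd/compiled\.rules`.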
@@ -1902,6 +1902,42 @@ interface(`files_dontaudit_list_all_mountpoints',` dontaudit $1 mountpoint:dir list_dir_perms; ') +######################################## +## +## Watch all mountpoints. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir watch_mount; +') + +######################################## +## +## Watch all mountpoints. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_all_mount_perm',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir watch_with_perm; +') + ######################################## ## ## Check if all mountpoints are writable. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 98c470af2c..1d9e7ea909 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -399,6 +399,10 @@ optional_policy(` fail2ban_admin(sysadm_t, sysadm_r) ') +optional_policy(` + fapolicyd_admin(sysadm_t, sysadm_r) +') + optional_policy(` fcoe_admin(sysadm_t, sysadm_r) ') From a035f86cbd1e5f1f3a34b8bff368fc1255f25202 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Thu, 15 Sep 2022 22:22:07 -0400 Subject: [PATCH 042/257] networkmanager: allow watch etc_t and lib_t node=localhost type=AVC msg=audit(1663293513.722:361): avc: denied { watch } for pid=1060 comm="NetworkManager" path="/etc" dev="dm-0" ino=261122 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1663293513.872:369): avc: denied { watch } for pid=1060 comm="NetworkManager" path="/usr/lib/NetworkManager/VPN" dev="dm-0" ino=656514 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0 
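Review bot: Both new interfaces carry the identical summary `Watch all mountpoints.`, so the generated documentation cannot distinguish `files_watch_all_mountpoints` (`watch_mount`) from `files_watch_all_mount_perm` (`watch_with_perm`). The second grants fanotify permission-event watches, which let the watcher block opens on every mountpoint, and its summary should say so, e.g. `## Watch all mountpoints with permission events (fanotify).`, with the first narrowed to `## Watch all mountpoints for mount events.`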
Signed-off-by: Dave Sugar --- policy/modules/services/networkmanager.te | 3 +++ policy/modules/system/libraries.if | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 6568e314c2..27ca9adad9 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -145,6 +145,7 @@ files_manage_etc_symlinks(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) +files_watch_etc_dirs(NetworkManager_t) fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) @@ -166,6 +167,8 @@ auth_use_nsswitch(NetworkManager_t) logging_send_audit_msgs(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) +libs_watch_lib_dirs(NetworkManager_t) + miscfiles_read_generic_certs(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index ab150d68ba..c603551ef8 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -276,6 +276,24 @@ interface(`libs_manage_lib_dirs',` allow $1 lib_t:dir manage_dir_perms; ') +######################################## +## +## Watch /usr/lib directories +## +## +## +## Domain allowed access. +## +## +# +interface(`libs_watch_lib_dirs',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir watch; +') + ######################################## ## ## dontaudit attempts to setattr on library files From 8d22ebed52eeace029f6fbb375eeff7262762d2b Mon Sep 17 00:00:00 2001 
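Review bot: `libs_watch_lib_dirs(NetworkManager_t)` is inserted after the `logging_*` calls in the second networkmanager.te hunk, but refpolicy orders interface calls alphabetically by module prefix and `libs_` sorts before `logging_`; move it above `logging_send_audit_msgs(NetworkManager_t)`. The same placement recurs in the firewalld.te hunk of the next commit, where `libs_watch_lib_dirs(firewalld_t)` follows `logging_send_syslog_msg(firewalld_t)`.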
From: Dave Sugar Date: Thu, 15 Sep 2022 20:33:24 -0400 Subject: [PATCH 043/257] firewalld: allow watch on firewalld files Seeing the following spamming audit log: node=localhost type=AVC msg=audit(1663285699.690:100198): avc: denied { watch } for pid=1021 comm="gmain" path="/usr/lib/firewalld/services" dev="dm-0" ino=136583 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1663285699.690:100199): avc: denied { watch } for pid=1021 comm="gmain" path="/etc/firewalld/helpers" dev="dm-0" ino=653079 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1663291139.192:403): avc: denied { map } for pid=1019 comm="firewalld" path=2F72756E2F2331323635202864656C6574656429 dev="tmpfs" ino=1265 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_runtime_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar --- policy/modules/services/firewalld.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te index 2dbcba1458..954a348f02 100644 --- a/policy/modules/services/firewalld.te +++ b/policy/modules/services/firewalld.te @@ -39,6 +39,7 @@ allow firewalld_t self:unix_stream_socket { accept listen }; allow firewalld_t self:netlink_netfilter_socket create_socket_perms; allow firewalld_t self:udp_socket create_socket_perms; +allow firewalld_t firewalld_etc_rw_t:dir watch; manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto }; 
@@ -54,7 +55,7 @@ files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
 allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
-manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
+mmap_manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
 manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
@@ -83,6 +84,8 @@ fs_getattr_xattr_fs(firewalld_t)
 
 logging_send_syslog_msg(firewalld_t)
 
+libs_watch_lib_dirs(firewalld_t)
+
 miscfiles_read_localization(firewalld_t)
 
 seutil_exec_setfiles(firewalld_t)
From 312457b21d66a1b501a2f69fa2c197492f4d44e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Sat, 17 Sep 2022 16:58:25 +0200
Subject: [PATCH 044/257] ci: update dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update checkout action to v3 Update python-setup action to v4 Update SELinux userspace to 3.3 Also print basic output from apt-get to debug potential flaky failures.
Signed-off-by: Christian Göttsche
---
 .github/workflows/tests.yml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index bb762d1e27..8fd0f11fee 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
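Review bot: The switch to `mmap_manage_files_pattern` on `firewalld_runtime_t` is motivated only by the `map` denial in the commit message, whose hex `path=` decodes to `/run/#1265 (deleted)`, i.e. an unlinked temporary file; without that context the widening to `map` on every runtime file looks unrelated to the "watch" subject of the commit. A comment on the changed line such as `# firewalld maps an unlinked temp file it creates under /run` would keep a later cleanup from narrowing the rule back and reintroducing the denial.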
@@ -3,29 +3,31 @@ name: Build tests on: [push, pull_request] env: - SELINUX_USERSPACE_VERSION: checkpolicy-3.1 + # 3.4 fails to validate, fixed with 88a703399f3f + # ("libsepol: fix validation of user declarations in modules") + SELINUX_USERSPACE_VERSION: checkpolicy-3.3 jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # This version should be the minimum required to run the fc checker - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: 3.7 - name: Install dependencies run: | - sudo apt-get update -qq + sudo apt-get update -q # Install SELint from Debian testing wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add - sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y - sudo apt-get install -qqy selint + sudo apt-get install -qy selint selint -V - name: Create generated policy files @@ -79,18 +81,18 @@ jobs: - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # This should be the minimum required Python version to build refpolicy. - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: 3.5 - name: Install dependencies run: | - sudo apt-get update -qq - sudo apt-get install -qqy \ + sudo apt-get update -q + sudo apt-get install -qy \ bison \ flex \ gettext \ From e9429e0885feaa43ea79d99f38ca85337f6d4248 Mon Sep 17 00:00:00 2001 
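Review bot: The bumped `actions/checkout@v3` and `actions/setup-python@v4` references (both occurrences in this hunk) are mutable major-version tags, so the workflow executes whatever commit the tag is later moved to. For a pipeline that validates security policy it is worth pinning each action to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<40-hex-commit-sha> # v3`, so that an upstream change to the action cannot reach this job without a visible diff here.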
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Sat, 17 Sep 2022 16:54:48 +0200 Subject: [PATCH 045/257] ci: build SELint from source MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Disable newly added check C-008: usermanage.te: 581: (C): Identifier samba_domain_controller in expression for conditional block not found in own module, but in module samba (candidate for global declaration or interface) (C-008) mplayer.te: 122: (C): Identifier xserver_allow_dri in expression for conditional block not found in own module, but in module xserver (candidate for global declaration or interface) (C-008) nscd.te: 125: (C): Identifier samba_domain_controller in expression for conditional block not found in own module, but in module samba (candidate for global declaration or interface) (C-008) xguest.te: 44: (C): Identifier user_exec_noexattrfile in expression for conditional block not found in own module, but in module userdomain (candidate for global declaration or interface) (C-008) xguest.te: 48: (C): Identifier user_rw_noexattrfile in expression for conditional block not found in own module, but in module userdomain (candidate for global declaration or interface) (C-008) userdomain.if: 1278: (C): Identifier usbguard_user_modify_rule_files in expression for conditional block not found in own module, but in module usbguard (candidate for global declaration or interface) (C-008) Found the following issue counts: C-008: 6 Signed-off-by: Christian Göttsche --- .github/workflows/tests.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 8fd0f11fee..c5e0eaf3b5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -23,12 +23,23 @@ jobs: - name: Install dependencies run: | sudo apt-get update -q + sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev - # Install SELint from Debian testing - wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add - - sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y - sudo apt-get install -qy selint - selint -V + - name: Checkout SELint + uses: actions/checkout@v3 + with: + repository: SELinuxProject/selint + # support exclusions in interface arguments + ref: '41a575e82dea5cd7f60b4fa7aeb84405dba3baba' # "Parse interface taking list of exemptions" + path: selint + + - name: Build SELint + run: | + cd selint/ + ./autogen.sh + ./configure --without-check + make -j$(nproc) + sudo make install - name: Create generated policy files run: | @@ -41,8 +52,9 @@ jobs: - name: Run SELint run: | # disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing + # disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule - selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy + selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy build: runs-on: ubuntu-latest From 6bb56e61588278adeb45e99d6b3dc85968ac7dee Mon Sep 17 00:00:00 2001 
From: Yi Zhao Date: Fri, 3 Jul 2020 16:04:45 +0800 Subject: [PATCH 046/257] logwatch: fixes for logwatch * Allow logwatch_t to getsched * Allow logwatch_t to create logwatch_lock_t dirs * Allow logwatch_mail_t to read/write pipe of crond Fixes: avc: denied { getsched } for pid=1012 comm="sort" scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023 tclass=process permissive=0 avc: denied { write } for pid=269 comm="lockfile-create" name="logcheck" dev="tmpfs" ino=12709 scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023 tcontext=system_u:object_r:logwatch_lock_t:s0 tclass=dir permissive=0 avc: denied { write } for pid=1470 comm="sendmail" path="pipe:[15133]" dev="pipefs" ino=15133 scontext=system_u:system_r:logwatch_mail_t:s0-s15:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=fifo_file permissive=0 Signed-off-by: Yi Zhao --- policy/modules/admin/logwatch.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index 9c77bcdb87..ae02e39b08 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -38,14 +38,14 @@ role system_r types logwatch_mail_t; # allow logwatch_t self:capability { dac_override dac_read_search setgid }; -allow logwatch_t self:process signal; +allow logwatch_t self:process { signal getsched }; allow logwatch_t self:fifo_file rw_fifo_file_perms; allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) -allow logwatch_t logwatch_lock_t:file manage_file_perms; +manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) files_lock_filetrans(logwatch_t, logwatch_lock_t, file) manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) 
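Review bot: `allow logwatch_t self:process { signal getsched };` lists the permissions out of order; SELint check C-005, which the preceding CI commit disables for now, expects `{ getsched signal }`. The commit message says logwatch_t may now create `logwatch_lock_t` dirs, but `manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)` grants only `rw_dir_perms` on those directories plus file management, and `files_lock_filetrans(logwatch_t, logwatch_lock_t, file)` transitions files only; this covers the `write` denial on the existing `logcheck` directory shown in the message, but not directory creation. Either the message should say "write to logwatch_lock_t dirs", or, if creating the directory is really required, a `manage_dirs_pattern` call with a matching `dir` filetrans is still missing.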
@@ -191,4 +191,5 @@ logging_read_all_logs(logwatch_mail_t) optional_policy(` cron_use_system_job_fds(logwatch_mail_t) cron_rw_system_job_pipes(logwatch_mail_t) + cron_rw_pipes(logwatch_mail_t) ') From 5a93c88acc99951a573aa7ea3dc018950a913bac Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 9 Feb 2021 16:12:18 +0800 Subject: [PATCH 047/257] postfix: allow postfix_local_t to search logwatch_cache_t Fixes: avc: denied { search } for pid=2421 comm="local" name="logcheck" dev="vda" ino=29080 scontext=system_u:system_r:postfix_local_t:s0-s15:c0.c1023 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir permissive=0 Signed-off-by: Yi Zhao --- policy/modules/services/postfix.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 499d85c58f..c828efc632 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -472,6 +472,10 @@ optional_policy(` dovecot_domtrans_deliver(postfix_local_t) ') +optional_policy(` + logwatch_search_cache_dir(postfix_local_t) +') + optional_policy(` mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) From ce8616ad34fe6e3877d4dc9efb7746ef5bba4d3d Mon Sep 17 00:00:00 2001 
From: Yi Zhao Date: Wed, 8 Jul 2020 14:38:55 +0800 Subject: [PATCH 048/257] sysnetwork: allow systemd_networkd_t to read link file Per https://systemd.network/systemd.network.html, we can create a symlink pointing to /dev/null for systemd network configuration file. For example: $ ls -l /etc/systemd/network/80-wired.network lrwxrwxrwx. 1 root root 9 Mar 9 2022 /etc/systemd/network/80-wired.network -> /dev/null Fixes: avc: denied { read } for pid=211 comm="systemd-network" name="80-wired.network" dev="vda" ino=1477 scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0 systemd-networkd[211]: Failed to load /etc/systemd/network/80-wired.network, ignoring: Permission denied Signed-off-by: Yi Zhao --- policy/modules/system/sysnetwork.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 4691d5c51d..5d2d3c1581 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -349,6 +349,7 @@ interface(`sysnet_read_config',` files_search_runtime($1) allow $1 net_conf_t:dir list_dir_perms; allow $1 net_conf_t:file read_file_perms; + allow $1 net_conf_t:lnk_file read_lnk_file_perms; ifdef(`distro_debian',` files_search_runtime($1) From 87119401a8f8c86d5dc302a6ffa0d89dc3c73841 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 20 Sep 2022 09:31:23 -0400 Subject: [PATCH 049/257] Revise userspace and SELint versions in CI Revert checkpolicy to 3.1 and set SELint to 1.3.0. --- .github/workflows/tests.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c5e0eaf3b5..d6684c1b3b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -3,9 +3,8 @@ name: Build tests on: [push, pull_request] env: - # 3.4 fails to validate, fixed with 88a703399f3f - # ("libsepol: fix validation of user declarations in modules") - SELINUX_USERSPACE_VERSION: checkpolicy-3.3 + # Minimum userspace version to build refpolicy. + SELINUX_USERSPACE_VERSION: checkpolicy-3.1 jobs: lint: @@ -30,7 +29,7 @@ jobs: with: repository: SELinuxProject/selint # support exclusions in interface arguments - ref: '41a575e82dea5cd7f60b4fa7aeb84405dba3baba' # "Parse interface taking list of exemptions" + ref: 'v1.3.0' # "Parse interface taking list of exemptions" path: selint - name: Build SELint From 3c9564a802d4346a113e6cacd4c4d11907eb8763 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 20 Sep 2022 09:52:11 -0400 Subject: [PATCH 050/257] fapolicyd: Fix selint issue. Signed-off-by: Chris PeBenito --- policy/modules/admin/fapolicyd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te index 35e475340c..9effdb04ae 100644 --- a/policy/modules/admin/fapolicyd.te +++ b/policy/modules/admin/fapolicyd.te @@ -103,7 +103,7 @@ ps_process_pattern(fagenrules_t, fapolicyd_t) # /sbin/fagenrules copies compiled rules into /etc/faplicyd then calls restorecon # on new /etc/fapolicy/compiled.rules -allow fagenrules_t fapolicyd_compiled_rules_t:file { relabelfrom relabelto }; +allow fagenrules_t fapolicyd_compiled_rules_t:file relabel_file_perms; filetrans_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t, file) manage_files_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t) From 0da5dff449f149916c3d1cdb891f2f03b7023e44 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 20 Sep 2022 09:52:29 -0400 Subject: [PATCH 051/257] tests.yml: Remove irrelevant comment. Signed-off-by: Chris PeBenito --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d6684c1b3b..c120210ced 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -29,7 +29,7 @@ jobs: with: repository: SELinuxProject/selint # support exclusions in interface arguments - ref: 'v1.3.0' # "Parse interface taking list of exemptions" + ref: 'v1.3.0' path: selint - name: Build SELint From 522eeb08ee2ea637d6e6ffacc1f3764abf2ebcd0 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 20 Sep 2022 10:59:19 -0400 Subject: [PATCH 052/257] Drop audit_access allows. This permission is only used for auditing purposes. It is a no-op for allows. Signed-off-by: Chris PeBenito --- policy/modules/kernel/devices.te | 6 +++--- policy/modules/kernel/files.te | 14 +++++++------- policy/modules/kernel/filesystem.te | 14 +++++++------- policy/modules/kernel/kernel.te | 24 ++++++++++++------------ policy/modules/kernel/storage.te | 4 ++-- 5 files changed, 31 insertions(+), 31 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 49718cc262..5e2c77cbb4 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te 
@@ -434,6 +434,6 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod audit_access watch };
-allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod audit_access watch };
+allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch };
+allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch };
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 2691a86115..e8fe422141 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -227,13 +227,13 @@ fs_associate_tmpfs(tmpfsfile)
 #
 # Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
-allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch };
-allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch };
-allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch };
-allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access watch };
-allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
+allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch };
+allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch };
+allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch };
 # Mount/unmount any filesystem with the context= option.
 allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 0fd90fb67a..632905dda8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -338,10 +338,10 @@ allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmo
 # Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
-allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access execmod watch };
-allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch };
+allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch };
+allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch };
+allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch };
+allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch };
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5fbb78b443..5124ae016c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -548,22 +548,22 @@ if(secure_mode_insmod) {
 # Rules for unconfined access to this module
 #
-allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch };
-allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
+allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch };
+allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch };
-allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
+allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch };
+allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch };
 allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload };
-allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
-allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch };
-allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access watch };
-allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
+allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch };
+allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch };
+allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch };
+allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch };
+allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch };
 allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
 allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };
 allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out };
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index dfe1a16633..7d30dc4508 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -59,5 +59,5 @@ dev_node(tape_device_t)
 # Unconfined access to this module
 #
-allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod };
-allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod audit_access };
+allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod };
+allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod };
From 49e257840835839fc603a60d3f91e30ca23f429e Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Fri, 16 Sep 2022 22:28:33 -0400
Subject: [PATCH 053/257] Seeing long delay during shutdown saying: 'A stop job is running for Restore /run/initramfs on shutdown' These were the denials in audit.log related to this
node=localhost type=AVC msg=audit(1663379349.428:5081): avc: denied { write } for pid=3594 comm="cpio" name="initramfs" dev="tmpfs" ino=18 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.428:5081): avc: denied { add_name } for pid=3594 comm="cpio" name="bin" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5083): avc: denied { create } for pid=3594 comm="cpio" name="dev" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5084): avc: denied { setattr } for pid=3594 comm="cpio" name="dev" dev="tmpfs" ino=1356 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5087): avc: denied { create } for pid=3594 comm="cpio" name="systemd.conf" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5087): avc: denied { write open } for pid=3594 comm="cpio" path="/run/initramfs/etc/conf.d/systemd.conf" dev="tmpfs" ino=1365 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5088): avc: denied { setattr } for pid=3594 comm="cpio" name="systemd.conf" dev="tmpfs" ino=1365 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.834:5119): avc: denied { read } for pid=3594 comm="cpio" name="gr737d-8x16.psfu.gz" dev="tmpfs" ino=1632 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.834:5119): avc: denied { link } for pid=3594 comm="cpio" name="gr737d-8x16.psfu.gz" dev="tmpfs" ino=1632 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Also seeing the following, but seems to function without related rules:
node=localhost type=AVC msg=audit(1663379349.428:5081): avc: denied { create } for pid=3594 comm="cpio" name="bin" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1663379349.428:5082): avc: denied { setattr } for pid=3594 comm="cpio" name="bin" dev="tmpfs" ino=1355 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5085): avc: denied { create } for pid=3594 comm="cpio" name="console" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5086): avc: denied { setattr } for pid=3594 comm="cpio" name="console" dev="tmpfs" ino=1357 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
Signed-off-by: Dave Sugar
---
 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 32a6f85830..97a75cf86f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1015,6 +1015,8 @@ ifdef(`distro_redhat',`
 fs_read_tmpfs_symlinks(initrc_t)
 fs_rw_tmpfs_chr_files(initrc_t)
+ fs_manage_tmpfs_dirs(initrc_t)
+ fs_manage_tmpfs_files(initrc_t)
 storage_manage_fixed_disk(initrc_t)
 storage_dev_filetrans_fixed_disk(initrc_t)
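Review bot: The two added `fs_manage_tmpfs_*(initrc_t)` calls grant initrc_t create, delete and rename rights over every tmpfs_t directory and file on the system, not only /run/initramfs, and nothing in the hunk records why. A comment above them tying the rules to the use case in the commit message, `# cpio restores /run/initramfs during the shutdown stop job`, would let a later reader judge whether the scope can be narrowed (a dedicated type for /run/initramfs with a filetrans would keep initrc_t off the rest of tmpfs_t). The message also says lnk_file and chr_file denials occur but do not break anything; recording that in the same comment avoids someone adding those rules later in response to the audit noise. The enclosing `ifdef(`distro_redhat'` block starts outside the hunk.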
From 48ccf942a5cb071629a3d73a14df5252910e2d33 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 19 Sep 2022 19:06:34 -0400
Subject: [PATCH 054/257] zfs: various fixes
Minor fixes for ZFS, including allowing Zed to use sendmail and write LED statuses to enclosure devices.
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/zfs.te | 47 +++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 05e0d3e5f4..519295e96e 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -50,39 +50,49 @@ files_runtime_filetrans(zed_t, zfs_runtime_t, file)
 corecmd_exec_bin(zed_t)
 corecmd_exec_shell(zed_t)
-dev_read_sysfs(zed_t)
+dev_rw_sysfs(zed_t)
 files_search_etc(zed_t)
+kernel_read_system_state(zed_t)
 kernel_read_vm_overcommit_sysctl(zed_t)
 storage_raw_rw_fixed_disk(zed_t)
 auth_use_nsswitch(zed_t)
+hostname_exec(zed_t)
+
 logging_send_syslog_msg(zed_t)
 miscfiles_read_localization(zed_t)
 udev_search_runtime(zed_t)
+zfs_rw_zpool_cache(zed_t)
+
 ########################################
 #
 # zfs local policy
 #
-allow zfs_t self:process getsched;
-allow zfs_t self:capability sys_admin;
+allow zfs_t self:process { getsched signull };
+allow zfs_t self:capability { sys_admin sys_rawio };
 allow zfs_t self:fifo_file rw_fifo_file_perms;
 list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
+manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)
 corecmd_exec_shell(zfs_t)
+dev_delete_generic_symlinks(zfs_t)
+dev_getattr_sysfs(zfs_t)
 dev_read_sysfs(zfs_t)
 domain_use_interactive_fds(zfs_t)
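Review bot: `dev_rw_sysfs(zed_t)` turns a read-only rule into write access to every sysfs_t attribute, and `sys_rawio` joins `sys_admin` on zfs_t, with no comment on either line. The commit message says the sysfs write is for LED status on enclosure devices; a comment on the rule, `# write enclosure LED status attributes via sysfs`, records why a narrower interface was not used, and a similar one-liner on the capability line should say what raw I/O zfs needs. If only the enclosure attributes are written, a dedicated sysfs type with its own rw interface would avoid granting zed write access to the whole of sysfs.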
@@ -104,6 +114,8 @@ kernel_read_kernel_sysctls(zfs_t)
 storage_raw_rw_fixed_disk(zfs_t)
+udev_read_runtime_files(zfs_t)
+
 miscfiles_read_localization(zfs_t)
 auth_use_nsswitch(zfs_t)
@@ -112,9 +124,38 @@ mount_exec(zfs_t)
 userdom_use_user_terminals(zfs_t)
+zfs_rw_zpool_cache(zfs_t)
+
 optional_policy(`
 kernel_rw_rpc_sysctls(zfs_t)
 rpc_manage_nfs_state_data(zfs_t)
 rpc_read_exports(zfs_t)
 ')
+
+#######################################
+#
+# Mail local policy
+#
+
+optional_policy(`
+ mta_base_mail_template(zed)
+ role system_r types zed_mail_t;
+
+ allow zed_mail_t zed_t:fd use;
+ allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms;
+ allow zed_mail_t zed_t:process sigchld;
+
+ manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+ manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+ files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file })
+
+ allow zfs_t zed_mail_tmp_t:file write_file_perms;
+
+ mta_sendmail_domtrans(zed_t, zed_mail_t)
+
+ allow zed_mail_t self:capability { dac_override dac_read_search };
+
+ storage_dontaudit_read_fixed_disk(zed_mail_t)
+ storage_dontaudit_write_fixed_disk(zed_mail_t)
+')
From 4f95bb1e142cfc67e37ce33195b0f5fb7af7e12c Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 19 Sep 2022 19:38:51 -0400
Subject: [PATCH 055/257] mta: add support for nullmailer
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/mta.fc | 2 ++
 policy/modules/services/mta.te | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 66634b0c72..f5738937f3 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
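Review bot: `allow zed_mail_t self:capability { dac_override dac_read_search };` in the new mail block is unexplained, and dac_override is the broader of the two (it bypasses every DAC check while dac_read_search only covers read and search), so if the mailer only needs to read root-owned files the first permission can go. `allow zfs_t zed_mail_tmp_t:file write_file_perms;` is also surprising on its face, since it is the zfs command rather than zed writing into the mailer's tmp files; presumably it covers a descriptor inherited from a zed script, and a comment such as `# zed scripts redirect zfs output into the mail body` would record that if it is the reason. The two `storage_dontaudit_*_fixed_disk(zed_mail_t)` lines suggest the mailer inherits zed's raw disk descriptors, which a one-line comment could confirm.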
@@ -38,3 +38,5 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/nullmailer(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/nullmailer/queue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 5eecac3896..d4569fce27 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -69,6 +69,8 @@ read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t
 manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
 read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
+# allow IPC with nullmailer via /var/spool/nullmailer/trigger
+allow user_mail_domain mail_spool_t:fifo_file rw_fifo_file_perms;
 allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
From 10dca55c0921ad9ab9e3b9bb0d5321eec5c44920 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 24 Sep 2022 00:00:28 -0400
Subject: [PATCH 056/257] devices: add interface to rw infiniband devices
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c09ac3746e..4239ba1f32 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
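Review bot: `allow user_mail_domain mail_spool_t:fifo_file rw_fifo_file_perms;` grants every user mail domain read/write on any mail_spool_t fifo, not only nullmailer's trigger, because the new .fc entry labels all of /var/spool/nullmailer as mail_spool_t. Labeling the trigger fifo with a type of its own, or keeping the rule inside an optional_policy block for nullmailer, would keep the access scoped to the IPC path the comment names. If nullmailer's trigger is the only fifo that ever carries mail_spool_t the rule is harmless today, but that assumption is not recorded anywhere in the hunk.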
@@ -2404,6 +2404,24 @@ interface(`dev_rw_hyperv_vss',`
 rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
 ')
+########################################
+##
+## Allow read/write access to InfiniBand devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_infiniband',`
+ gen_require(`
+ type device_t, infiniband_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, infiniband_device_t)
+')
+
 ########################################
 ##
 ## Read the kernel messages
From c710767cb25a66454e63d2bed13f5fc2cf2f2d94 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 24 Sep 2022 13:23:53 -0400
Subject: [PATCH 057/257] xdg: add interface to dontaudit searching xdg data dirs
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/xdg.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index a3c2759b77..f8030172ad 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -653,6 +653,25 @@ interface(`xdg_search_data_dirs',`
 allow $1 xdg_data_t:dir search_dir_perms;
 ')
+########################################
+##
+## Do not audit attempts to search through the
+## xdg data home directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xdg_dontaudit_search_data_dirs',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ dontaudit $1 xdg_data_t:dir search_dir_perms;
+')
+
 ########################################
 ##
 ## Watch the xdg data home directories
From f004ae1c9b26675740ffe8202fbf50fea28acc65 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 24 Sep 2022 00:09:19 -0400
Subject: [PATCH 058/257] opensm: initial policy
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/opensm.fc | 10 ++++
 policy/modules/services/opensm.if | 86 +++++++++++++++++++++++++++++++
 policy/modules/services/opensm.te | 45 ++++++++++++++++
 3 files changed, 141 insertions(+)
 create mode 100644 policy/modules/services/opensm.fc
 create mode 100644 policy/modules/services/opensm.if
 create mode 100644 policy/modules/services/opensm.te
diff --git a/policy/modules/services/opensm.fc b/policy/modules/services/opensm.fc
new file mode 100644
index 0000000000..6d9566bb19
--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)? gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log -- gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst -- gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/policy/modules/services/opensm.if b/policy/modules/services/opensm.if
new file mode 100644
index 0000000000..47664ce158
--- /dev/null
+++ b/policy/modules/services/opensm.if
@@ -0,0 +1,86 @@
+## OpenSM is a software implementation of an InfiniBand subnet manager.
+
+########################################
+##
+## Execute opensm in the opensm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+##
+## Execute opensm in the opensm domain, and
+## allow the specified role the opensm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`opensm_run',`
+ gen_require(`
+ type opensm_t;
+ ')
+
+ opensm_domtrans($1)
+ role $2 types opensm_t;
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an opensm environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_conf_t, opensm_cache_t;
+ type opensm_log_t;
+ ')
+
+ opensm_run($1, $2)
+
+ allow $1 opensm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ files_search_etc($1)
+ admin_pattern($1, opensm_conf_t)
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+')
diff --git a/policy/modules/services/opensm.te b/policy/modules/services/opensm.te
new file mode 100644
index 0000000000..1d5c2f57d9
--- /dev/null
+++ b/policy/modules/services/opensm.te
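Review bot: `opensm_admin` gives the admin role no way to start or stop the daemon; the other admin interface in this series (`glusterfs_admin`) calls `init_startstop_service($1, $2, ...)` for that, and opensm_t is declared with `init_daemon_domain`, so the same call (without an init script type argument, if the interface accepts that form) is likely wanted after `opensm_run($1, $2)`. A minor style point: two blank lines precede the `opensm_admin` header block where the other interfaces in this file use one.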
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+########################################
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t)
From 2f53213caf4ffa852dda308c3601f54689391579 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 24 Sep 2022 12:36:39 -0400
Subject: [PATCH 059/257] sysadm: allow opensm access
Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 98c470af2c..a5c7b74014 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -732,6 +732,10 @@ optional_policy(`
 openhpi_admin(sysadm_t, sysadm_r)
 ')
+optional_policy(`
+ opensm_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 openvpn_admin(sysadm_t, sysadm_r)
 ')
From b296cf1a84b664c17759f0c2f1bcba2a4e812718 Mon Sep 17 00:00:00 2001
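Review bot: `files_var_filetrans(opensm_t, opensm_cache_t, dir)` is unnamed, so any directory opensm_t creates directly under the parent type that interface transitions from gets opensm_cache_t, while the .fc entry only covers /var/cache/opensm; if the interface takes a name argument like the other filetrans interfaces, `files_var_filetrans(opensm_t, opensm_cache_t, dir, "opensm")` pins the transition to the intended directory. Separately, `read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)` is not paired with `files_search_etc(opensm_t)`, so reaching /etc/opensm depends on search access being granted by some other rule; the admin interface in the same patch adds `files_search_etc($1)` for exactly this reason.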
From: Kenton Groombridge
Date: Sat, 24 Sep 2022 00:24:11 -0400
Subject: [PATCH 060/257] corenet: add portcon for glusterfs
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 35ac90ba53..2bc2596782 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -147,6 +147,7 @@ network_port(gdomap, tcp,538,s0, udp,538,s0)
 network_port(gds_db, tcp,3050,s0, udp,3050,s0)
 network_port(git, tcp,9418,s0, udp,9418,s0)
 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+network_port(glusterd, tcp,24007,s0, tcp,24009,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
From aa07b5c3a49bb80cd40202427a4071c843626d3d Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 24 Sep 2022 00:59:10 -0400
Subject: [PATCH 061/257] glusterfs: various fixes
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/glusterfs.fc | 12 +++--
 policy/modules/services/glusterfs.if | 70 ++++++++++++++++++++++++++++
 policy/modules/services/glusterfs.te | 47 +++++++++++++++----
 3 files changed, 114 insertions(+), 15 deletions(-)
diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc
index 8e538dc8e5..158a4a85ef 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -1,7 +1,7 @@
 /etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
 /usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 /usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
@@ -11,9 +11,11 @@
 /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
 /run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd\.socket -s gen_context(system_u:object_r:glusterd_runtime_t,s0)
diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
index 27c6bd6f76..b2b485ede4 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -1,5 +1,71 @@
 ## Cluster File System binary, daemon and command line.
+########################################
+##
+## Execute glusterd in the glusterd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`glusterfs_domtrans_daemon',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+########################################
+##
+## Execute glusterd in the glusterd domain, and
+## allow the specified role the glusterd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`glusterfs_run_daemon',`
+ gen_require(`
+ type glusterd_t;
+ ')
+
+ glusterfs_domtrans_daemon($1)
+ role $2 types glusterd_t;
+')
+
+########################################
+##
+## Connect to glusterd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterfs_stream_connect_daemon',`
+ gen_require(`
+ type glusterd_t;
+ type glusterd_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t, glusterd_t)
+ allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ##
 ## All of the rules required to
@@ -24,11 +90,15 @@ interface(`glusterfs_admin',`
 type glusterd_runtime_t;
 ')
+ glusterfs_run_daemon($1, $2)
+
 init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
 allow $1 glusterd_t:process { ptrace signal_perms };
 ps_process_pattern($1, glusterd_t)
+ glusterfs_stream_connect_daemon($1)
+
 files_search_etc($1)
 admin_pattern($1, glusterd_conf_t)
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index de4f9baea2..2d94845d9d 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
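Review bot: `allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;` in `glusterfs_stream_connect_daemon` is unusual, since `stream_connect_pattern` on the line above already grants what a connect needs on the socket file, and there is no comment saying which operation on the socket was denied without it. If a client does something such as inspecting the socket before connecting, a one-line comment recording that denial would justify keeping the rule; otherwise it looks droppable. The new interface is also pulled into `glusterfs_admin` in the second hunk, so the extra read access flows to every admin domain as well.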
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t)
 # Local policy
 #
-allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
-allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource };
+allow glusterd_t self:process { getsched setrlimit signal signull };
 allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
+allow glusterd_t self:tcp_socket create_stream_socket_perms;
+allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
@@ -58,17 +58,14 @@ manage_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
 manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
 files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file })
+can_exec(glusterd_t, glusterd_var_lib_t)
 manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 can_exec(glusterd_t, glusterd_exec_t)
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
 corenet_all_recvfrom_netlabel(glusterd_t)
 corenet_tcp_sendrecv_generic_if(glusterd_t)
 corenet_udp_sendrecv_generic_if(glusterd_t)
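Review bot: `can_exec(glusterd_t, glusterd_var_lib_t)` lets the daemon execute files from a directory it also creates and writes (the `manage_files_pattern` on the same type two lines below), so any file glusterd writes under /var/lib/gluster* becomes executable by itself, and nothing says which files this is for. A dedicated type for the scripts, or at least a comment such as `# execute hook scripts kept under the var_lib directory`, would keep writable state and executable content distinguishable; the relabeling-hooks comment in the later hunk suggests that is the use case. The `ipc_lock` capability and `connectto` on the daemon's own unix_stream_socket in the first hunk are likewise added without a note on what needed them.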
@@ -77,6 +74,9 @@ corenet_udp_sendrecv_generic_node(glusterd_t) corenet_tcp_bind_generic_node(glusterd_t) corenet_udp_bind_generic_node(glusterd_t) +corenet_tcp_bind_glusterd_port(glusterd_t) +corenet_tcp_connect_glusterd_port(glusterd_t) + # Too coarse? corenet_sendrecv_all_server_packets(glusterd_t) corenet_tcp_bind_all_reserved_ports(glusterd_t) @@ -86,17 +86,44 @@ corenet_udp_bind_ipp_port(glusterd_t) corenet_sendrecv_all_client_packets(glusterd_t) corenet_tcp_connect_all_unreserved_ports(glusterd_t) +corecmd_exec_bin(glusterd_t) +corecmd_exec_shell(glusterd_t) + dev_read_sysfs(glusterd_t) dev_read_urand(glusterd_t) domain_read_all_domains_state(glusterd_t) - domain_use_interactive_fds(glusterd_t) files_read_usr_files(glusterd_t) +files_mounton_mnt(glusterd_t) + +fs_dontaudit_getattr_all_fs(glusterd_t) +fs_getattr_xattr_fs(glusterd_t) +fs_mount_fusefs(glusterd_t) +fs_unmount_fusefs(glusterd_t) + +kernel_dontaudit_getattr_proc(glusterd_t) +kernel_read_kernel_sysctls(glusterd_t) +kernel_read_net_sysctls(glusterd_t) +kernel_read_system_state(glusterd_t) + +storage_rw_fuse(glusterd_t) auth_use_nsswitch(glusterd_t) +hostname_exec(glusterd_t) + logging_send_syslog_msg(glusterd_t) +miscfiles_read_generic_certs(glusterd_t) miscfiles_read_localization(glusterd_t) + +# needed by relabeling hooks when adding bricks +seutil_domtrans_semanage(glusterd_t) +seutil_exec_setfiles(glusterd_t) +seutil_read_default_contexts(glusterd_t) + +userdom_dontaudit_search_user_runtime_root(glusterd_t) + +xdg_dontaudit_search_data_dirs(glusterd_t) From 6d6f0923765ee95a7effc0b9b31fa1fe5015b88c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 24 Sep 2022 01:32:41 -0400 Subject: [PATCH 062/257] glusterfs: add type for gluster bricks Signed-off-by: Kenton Groombridge --- policy/modules/services/glusterfs.if | 6 +++++- policy/modules/services/glusterfs.te | 10 ++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) 
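Review bot: `seutil_domtrans_semanage(glusterd_t)` and `seutil_exec_setfiles(glusterd_t)` in the second hunk are unconditional, which lets a network-facing daemon rewrite the local file-context store and relabel files whenever the module is loaded; that is effectively policy-administrator privilege and should be opt-in. The same series later wraps these in `tunable_policy(glusterfs_modify_policy, ...)` (patch 065); introducing the tunable in this commit would avoid shipping an intermediate revision with the unconditional grant. The `# needed by relabeling hooks when adding bricks` comment is helpful and should also name the tunable once one exists.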
diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if index b2b485ede4..328818ad3f 100644 --- a/policy/modules/services/glusterfs.if +++ b/policy/modules/services/glusterfs.if @@ -87,7 +87,7 @@ interface(`glusterfs_admin',` gen_require(` type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; - type glusterd_runtime_t; + type glusterd_runtime_t, glusterd_brick_t; ') glusterfs_run_daemon($1, $2) @@ -113,4 +113,8 @@ interface(`glusterfs_admin',` files_search_runtime($1) admin_pattern($1, glusterd_runtime_t) + + # searching var for /srv + files_search_var($1) + admin_pattern($1, glusterd_brick_t) ') diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te index 2d94845d9d..690aa828a8 100644 --- a/policy/modules/services/glusterfs.te +++ b/policy/modules/services/glusterfs.te @@ -27,6 +27,9 @@ files_tmp_file(glusterd_tmp_t) type glusterd_var_lib_t; files_type(glusterd_var_lib_t) +type glusterd_brick_t; +files_type(glusterd_brick_t) + ######################################## # # Local policy @@ -64,6 +67,13 @@ manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) + can_exec(glusterd_t, glusterd_exec_t) corenet_all_recvfrom_netlabel(glusterd_t) From 5d6975aa089dd4c7be89c51789a8a98ce63e330e Mon Sep 17 00:00:00 2001 
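Review bot: `manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)` grants create on character device nodes, but creating a node with a real device number also needs the mknod capability, which the `allow glusterd_t self:capability { ... }` set earlier in this series does not include; either the chr_file grant is unused or mknod will be the next denial, and a comment saying which is intended would help, e.g. `# bricks hold device nodes from volumes -- confirm whether mknod is also required`. If device nodes really are stored on bricks, the brick filesystems should be mounted nodev so those nodes are inert on the server. The commit adds no file context for `glusterd_brick_t`, so labeling depends on the semanage hook described in a later commit; a one-line comment at the type declaration saying so would save the next reader a search.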
From: Kenton Groombridge Date: Sat, 24 Sep 2022 12:35:52 -0400 Subject: [PATCH 063/257] mount: allow mounting glusterfs volumes Signed-off-by: Kenton Groombridge --- policy/modules/system/mount.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 11dc870cfe..e75a9eeedd 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -195,6 +195,13 @@ optional_policy(` container_getattr_fs(mount_t) ') +optional_policy(` + glusterfs_domtrans_daemon(mount_t) + + # required for mount.glusterfs + corecmd_exec_shell(mount_t) +') + optional_policy(` modutils_read_module_deps(mount_t) ') From cc32d192c1bc7c194fba34622ca88d76e642bc08 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 24 Sep 2022 13:05:00 -0400 Subject: [PATCH 064/257] selinuxutil: allow semanage, setfiles to inherit gluster fds The Gluster daemon uses a hook which adds a file context for gluster bricks when they are created via the use of 'semanage fcontex -a'. Signed-off-by: Kenton Groombridge --- policy/modules/services/glusterfs.if | 18 ++++++++++++++++++ policy/modules/system/selinuxutil.te | 9 +++++++++ 2 files changed, 27 insertions(+) diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if index 328818ad3f..5e6af0eccb 100644 --- a/policy/modules/services/glusterfs.if +++ b/policy/modules/services/glusterfs.if @@ -66,6 +66,24 @@ interface(`glusterfs_stream_connect_daemon',` allow $1 glusterd_runtime_t:sock_file read_sock_file_perms; ') +######################################## +## +## Inherit and use glusterd file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterfs_use_daemon_fds',` + gen_require(` + type glusterd_t; + ') + + allow $1 glusterd_t:fd use; +') + ######################################## ## ## All of the rules required to 
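Review bot: `corecmd_exec_shell(mount_t)` inside the new glusterfs `optional_policy` block in mount.te is not scoped to glusterfs at all -- once the module is built, mount_t may execute any shell for any mount helper. If the reason is that mount.glusterfs is a shell script that stays in mount_t until it runs the glusterfs binary, labeling the helper itself `glusterd_exec_t` would move the transition to the helper and keep the shell out of mount_t; the .fc is not in this hunk, so treat that as something to verify. At minimum the comment should state the mechanism: `# mount.glusterfs is a shell script; it runs in mount_t until the daemon transition`.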
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 88e099e602..5d968e1008 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -208,6 +208,11 @@ ifdef(`distro_ubuntu',` ') ') +optional_policy(` + # glusterd calls semanage fcontext + glusterfs_use_daemon_fds(load_policy_t) +') + optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') @@ -685,6 +690,10 @@ optional_policy(` apt_use_fds(setfiles_t) ') +optional_policy(` + glusterfs_use_daemon_fds(setfiles_t) +') + optional_policy(` # leaked file descriptors udev_dontaudit_rw_dgram_sockets(setfiles_t) From ee3573d6bb9a7edcec166e3cfb27c39432e9889f Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 24 Sep 2022 13:51:14 -0400 Subject: [PATCH 065/257] glusterfs, selinuxutil: make modifying fcontexts a tunable Signed-off-by: Kenton Groombridge --- policy/modules/services/glusterfs.te | 26 ++++++++++++++++---- policy/modules/system/selinuxutil.if | 36 ++++++++++++++++++++++++++++ policy/modules/system/selinuxutil.te | 11 +++++---- 3 files changed, 64 insertions(+), 9 deletions(-) diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te index 690aa828a8..85a55ed5b0 100644 --- a/policy/modules/services/glusterfs.te +++ b/policy/modules/services/glusterfs.te @@ -1,5 +1,15 @@ policy_module(glusterfs) +## +##
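Review bot: `glusterfs_use_daemon_fds(load_policy_t)` and `glusterfs_use_daemon_fds(setfiles_t)` grant real use of whatever descriptors glusterd leaves open across the hook's exec -- listening sockets and brick files included -- whereas this file's existing practice for inherited descriptors is to dontaudit them (see the `# leaked file descriptors` block that follows the setfiles hunk). If the only descriptors involved are the hook's stdio, an allow is right and the comment should say so, e.g. `# glusterd calls semanage fcontext from a hook; only stdio is inherited`; if they are leaked sockets, a dontaudit variant is the safer answer.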

+## Allow the gluster daemon to automatically +## add and remove file contexts from the local +## SELinux policy when adding and removing +## bricks. +##

+##
+gen_tunable(glusterfs_modify_policy, false) + ######################################## # # Declarations @@ -129,11 +139,17 @@ logging_send_syslog_msg(glusterd_t) miscfiles_read_generic_certs(glusterd_t) miscfiles_read_localization(glusterd_t) -# needed by relabeling hooks when adding bricks -seutil_domtrans_semanage(glusterd_t) -seutil_exec_setfiles(glusterd_t) -seutil_read_default_contexts(glusterd_t) - userdom_dontaudit_search_user_runtime_root(glusterd_t) xdg_dontaudit_search_data_dirs(glusterd_t) + +tunable_policy(`glusterfs_modify_policy',` + # needed by relabeling hooks when adding bricks + seutil_domtrans_semanage(glusterd_t) + seutil_exec_setfiles(glusterd_t) + seutil_read_default_contexts(glusterd_t) +',` + seutil_dontaudit_exec_semanage(glusterd_t) + seutil_dontaudit_exec_setfiles(glusterd_t) + seutil_dontaudit_read_file_contexts(glusterd_t) +') diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 6dcf34d4e1..86411f9fcf 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -574,6 +574,24 @@ interface(`seutil_exec_setfiles',` can_exec($1, setfiles_exec_t) ') +######################################## +## +## Do not audit attempts to execute setfiles. +## +## +## +## Domain to not audit. +## +## +# +interface(`seutil_dontaudit_exec_setfiles',` + gen_require(` + type setfiles_exec_t; + ') + + dontaudit $1 setfiles_exec_t:file exec_file_perms; +') + ######################################## ## ## Do not audit attempts to search the SELinux 
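Review bot: The two branches of `tunable_policy(glusterfs_modify_policy, ...)` in glusterfs.te do not mirror each other: the on branch grants `seutil_read_default_contexts(glusterd_t)` while the off branch quiets `seutil_dontaudit_read_file_contexts(glusterd_t)`, which covers a different type (file_contexts under contexts/files rather than default_contexts). Because `seutil_exec_setfiles` runs setfiles inside glusterd_t and setfiles reads file_contexts, the on branch probably needs `seutil_read_file_contexts(glusterd_t)` as well; if it does not, the off branch should dontaudit the default-contexts read so the silenced denial matches the granted one. The tunable description at the top of the file could also state the trade-off in one line, that enabling it lets the daemon change the local file-context store.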
@@ -1022,6 +1040,24 @@ interface(`seutil_run_semanage',` roleattribute $2 semanage_roles; ') +######################################## +## +## Do not audit attempts to execute semanage. +## +## +## +## Domain to not audit. +## +## +# +interface(`seutil_dontaudit_exec_semanage',` + gen_require(` + type semanage_exec_t; + ') + + dontaudit $1 semanage_exec_t:file exec_file_perms; +') + ######################################## ## ## Read the semanage module store. diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 5d968e1008..d7f047c2dc 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -209,8 +209,9 @@ ifdef(`distro_ubuntu',` ') optional_policy(` - # glusterd calls semanage fcontext - glusterfs_use_daemon_fds(load_policy_t) + tunable_policy(`glusterfs_modify_policy',` + glusterfs_use_daemon_fds(load_policy_t) + ') ') optional_policy(` @@ -687,11 +688,13 @@ ifdef(`distro_ubuntu',` ') optional_policy(` - apt_use_fds(setfiles_t) + tunable_policy(`glusterfs_modify_policy',` + glusterfs_use_daemon_fds(setfiles_t) + ') ') optional_policy(` - glusterfs_use_daemon_fds(setfiles_t) + apt_use_fds(setfiles_t) ') optional_policy(` From e660eb5f14f975683d4aa57a5c633fe08974fdcc Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 26 Sep 2022 17:00:18 -0400 Subject: [PATCH 066/257] glusterfs: add type for glusterd hooks Add a private type for glusterd hooks in order to enforce W^X for them. Signed-off-by: Kenton Groombridge --- policy/modules/services/glusterfs.fc | 1 + policy/modules/services/glusterfs.if | 3 ++- policy/modules/services/glusterfs.te | 8 ++++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc index 158a4a85ef..50bd936046 100644 --- a/policy/modules/services/glusterfs.fc +++ b/policy/modules/services/glusterfs.fc 
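Review bot: The `@@ -687,11 +688,13 @@` hunk of selinuxutil.te swaps the bodies of two adjacent `optional_policy` blocks instead of editing one in place, so the diff reads as `apt_use_fds(setfiles_t)` moving when the only real change is wrapping the glusterfs call in `tunable_policy(glusterfs_modify_policy, ...)`; editing the existing glusterfs block as the load_policy_t hunk above does keeps blame and review simpler. The new `seutil_dontaudit_exec_semanage` interface correctly mirrors `seutil_dontaudit_exec_setfiles`.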
@@ -12,6 +12,7 @@ /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) /var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) +/var/lib/glusterd/hooks(/.*)? gen_context(system_u:object_r:glusterd_hook_t,s0) /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if index 5e6af0eccb..ab5c8a4da8 100644 --- a/policy/modules/services/glusterfs.if +++ b/policy/modules/services/glusterfs.if @@ -105,7 +105,7 @@ interface(`glusterfs_admin',` gen_require(` type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; - type glusterd_runtime_t, glusterd_brick_t; + type glusterd_hook_t, glusterd_runtime_t, glusterd_brick_t; ') glusterfs_run_daemon($1, $2) @@ -128,6 +128,7 @@ interface(`glusterfs_admin',` files_search_var_lib($1) admin_pattern($1, glusterd_var_lib_t) + admin_pattern($1, glusterd_hook_t) files_search_runtime($1) admin_pattern($1, glusterd_runtime_t) diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te index 85a55ed5b0..c46215be15 100644 --- a/policy/modules/services/glusterfs.te +++ b/policy/modules/services/glusterfs.te @@ -40,6 +40,9 @@ files_type(glusterd_var_lib_t) type glusterd_brick_t; files_type(glusterd_brick_t) +type glusterd_hook_t; +files_type(glusterd_hook_t) + ######################################## # # Local policy 
@@ -77,6 +80,11 @@ manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +list_dirs_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t) +read_files_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t) +read_lnk_files_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t) +can_exec(glusterd_t, glusterd_hook_t) + manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) From 06f06bb236599e618adce6a7b19986e0709e608b Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 4 Feb 2016 02:10:15 -0500 Subject: [PATCH 067/257] logging: allow systemd-journal to manage syslogd_runtime_t sock_file Fixes: avc: denied { write } for pid=165 comm="systemd-journal" name="syslog" dev="tmpfs" ino=545 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file permissive=0 Signed-off-by: Yi Zhao --- policy/modules/system/logging.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index c9b8511f48..abd61e6bd7 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -437,7 +437,7 @@ files_search_var_lib(syslogd_t) # manage runtime files allow syslogd_t syslogd_runtime_t:dir create_dir_perms; -allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink }; +allow syslogd_t syslogd_runtime_t:sock_file manage_sock_file_perms; allow syslogd_t syslogd_runtime_t:file map; manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) From ac25e5ac3b0b7252f5d6427502ee822b5b0b19b9 Mon Sep 17 00:00:00 2001 
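Review bot: `can_exec(glusterd_t, glusterd_hook_t)` runs the hooks inside glusterd_t with no transition, so a hook script inherits everything the daemon holds -- including the semanage transition under the tunable and full brick management -- rather than only what a hook needs; if that separation ever matters, a dedicated hook domain via `domtrans_pattern` is the stronger shape, and a comment saying the in-domain exec is deliberate would be useful now. The file context `/var/lib/glusterd/hooks(/.*)?` overlaps the existing `/var/lib/gluster.*` entry and relies on the more specific stem winning, which is correct but worth a one-line comment in the .fc.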
From: Yi Zhao Date: Fri, 3 Jul 2020 10:32:41 +0800 Subject: [PATCH 068/257] radius: fixes for freeradius * Add dac_read_search capability to radiusd_t * Add getcap to radiusd_t process Fixes: avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2 scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1 avc: denied { getcap } for pid=473 comm="radiusd" scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=process permissive=1 Signed-off-by: Yi Zhao --- policy/modules/services/radius.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index e5d37e7224..8ac766c39b 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t) # Local policy # -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; +allow radiusd_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill signal }; allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket { accept listen }; allow radiusd_t self:tcp_socket { accept listen }; From cdfa072c0bc6671c009aa1f1cf61ec3bb4cd91d2 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Mon, 3 Oct 2022 07:54:03 -0400 Subject: [PATCH 069/257] fix: issue #550 - compile failed when DIRECT_INITRC=y Signed-off-by: Dave Sugar --- policy/modules/admin/fapolicyd.if | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/fapolicyd.if b/policy/modules/admin/fapolicyd.if index aaa4c14eb5..4ae2590ac0 100644 --- a/policy/modules/admin/fapolicyd.if 
+++ b/policy/modules/admin/fapolicyd.if @@ -152,6 +152,8 @@ interface(`fapolicyd_admin',` files_search_runtime($1) admin_pattern($1, fapolicyd_runtime_t) - fapolicyd_run_fagenrules($1, $2) + ifndef(`direct_sysadm_daemon',` + fapolicyd_run_fagenrules($1, $2) + ') fapolicyd_run_cli($1, $2) ') From 2b349d795a7de2250a4112d950dc4c835c9e8792 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Mon, 3 Oct 2022 16:54:41 -0400 Subject: [PATCH 070/257] fapolicyd: fagenrules chgrp's the compiled.rules node=localhost type=AVC msg=audit(1664829990.107:8051): avc: denied { chown } for pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0 Signed-off-by: Dave Sugar --- policy/modules/admin/fapolicyd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te index 9effdb04ae..2e716c1aa5 100644 --- a/policy/modules/admin/fapolicyd.te +++ b/policy/modules/admin/fapolicyd.te @@ -93,7 +93,7 @@ optional_policy(` # fagenrules local policy # -allow fagenrules_t self:capability { fsetid kill }; +allow fagenrules_t self:capability { chown fsetid kill }; allow fagenrules_t self:fifo_file rw_inherited_fifo_file_perms; From 847cffd32ee31d1758f387c4d83e6bc0fc6579c3 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Fri, 7 Oct 2022 20:41:22 -0400 Subject: [PATCH 071/257] Add 'DIRECT_INITRC' config to automated tests Signed-off-by: Dave Sugar --- .github/workflows/tests.yml | 84 ++++++++++++++++++++++++------------- 1 file changed, 56 insertions(+), 28 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c120210ced..816e740330 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
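Review bot: The new `ifndef(direct_sysadm_daemon, ...)` guard drops `fapolicyd_run_fagenrules($1, $2)` from `fapolicyd_admin` when DIRECT_INITRC=y, and nothing in the hunk says why that configuration cannot use it; the commit title only references issue #550. A comment above the guard, e.g. `# fapolicyd_run_fagenrules does not build with direct_sysadm_daemon; see issue #550`, would stop the next maintainer from reverting it. Whether the run interface or the role it assigns is what fails is not visible here, so the comment should state the confirmed cause. `fapolicyd_admin` continues outside the hunk.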
@@ -63,33 +63,60 @@ jobs: matrix: build-opts:
- - {type: standard, distro: redhat, monolithic: y, systemd: y}
- - {type: standard, distro: redhat, monolithic: n, systemd: y}
- - {type: standard, distro: debian, monolithic: y, systemd: y}
- - {type: standard, distro: debian, monolithic: n, systemd: y}
- - {type: standard, distro: gentoo, monolithic: y, systemd: n}
- - {type: standard, distro: gentoo, monolithic: n, systemd: n}
- - {type: mcs, distro: redhat, monolithic: y, systemd: y}
- - {type: mcs, distro: redhat, monolithic: n, systemd: y}
- - {type: mcs, distro: debian, monolithic: y, systemd: y}
- - {type: mcs, distro: debian, monolithic: n, systemd: y}
- - {type: mcs, distro: gentoo, monolithic: y, systemd: n}
- - {type: mcs, distro: gentoo, monolithic: n, systemd: n}
- - {type: mls, distro: redhat, monolithic: y, systemd: y}
- - {type: mls, distro: redhat, monolithic: n, systemd: y}
- - {type: mls, distro: debian, monolithic: y, systemd: y}
- - {type: mls, distro: debian, monolithic: n, systemd: y}
- - {type: mls, distro: gentoo, monolithic: y, systemd: n}
- - {type: mls, distro: gentoo, monolithic: n, systemd: n}
- - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
- - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
- - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
- - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
- - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
- - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
- - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
- - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
- - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
+ - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+ - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+ - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+ - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+ - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+ - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+ - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+ - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+ - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+ - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+ - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+ - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+ - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+ - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+ - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+ - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+ - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+ - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+ - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+ - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+ - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+ - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+ - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+ - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+ - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+ - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+ - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+ - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+ - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+ - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+ - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+ - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+ - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+ - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+ - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+ - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+ - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+ - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+ - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+ - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+ - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+ - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+ - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+ - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+ - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+ - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+ - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+ - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+ - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+ - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+ - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+ - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+ - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+ - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
 steps: - uses: actions/checkout@v3
@@ -124,6 +151,7 @@ jobs: echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
+ echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
 echo "WERROR=y" >> $GITHUB_ENV - name: Build toolchain
@@ -144,7 +172,7 @@ jobs: - name: Build refpolicy run: | # Drop build.conf settings to listen to env vars
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
+ sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
 make bare make conf
From 4257f875d8c205efb2638c72e7f68062f703b9f3 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 23 Sep 2022 10:43:14 -0400
Subject: [PATCH 072/257] usermanage: add file context for chpasswd in /usr/bin chpasswd is installed to /usr/bin in Gentoo.
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/usermanage.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index 1065db1025..7209a8dd00 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
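Review bot: The matrix now hand-enumerates every `direct_initrc: n` / `direct_initrc: y` pair, doubling the list to 54 entries that must be kept in sync by hand; the same 54 jobs can be expressed by making `direct_initrc: [n, y]` a second matrix axis crossed with the existing `build-opts` list, with the export line becoming `echo "DIRECT_INITRC=${{matrix.direct_initrc}}" >> $GITHUB_ENV`. The `sed` change that strips `DIRECT_INITRC` from `build.conf` is consistent with either layout. If the explicit enumeration is deliberate, for example to allow excluding single combinations later, a short comment on the matrix saying so would prevent a future cleanup.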
@@ -4,6 +4,7 @@ ifdef(`distro_debian',`
 /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
 /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
From 1206a74fa15912393001e2cfcd1e90dda4d490d8 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 23 Sep 2022 15:33:11 -0400
Subject: [PATCH 073/257] node_exporter: add file context for node_exporter in /usr/bin
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/node_exporter.fc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/node_exporter.fc b/policy/modules/services/node_exporter.fc
index f2527d15ed..4126180085 100644
--- a/policy/modules/services/node_exporter.fc
+++ b/policy/modules/services/node_exporter.fc
@@ -1,5 +1,7 @@
 /run/node_exporter\.pid -- gen_context(system_u:object_r:node_exporter_runtime_t,s0)
+/usr/bin/node_exporter -- gen_context(system_u:object_r:node_exporter_exec_t,s0)
+
 /usr/sbin/node_exporter -- gen_context(system_u:object_r:node_exporter_exec_t,s0)
 /var/lib/node_exporter(/.*)? gen_context(system_u:object_r:node_exporter_var_lib_t,s0)
From 56fed5bdb927cc8adb2d1ce313506382eff6d14a Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 23 Sep 2022 15:35:23 -0400
Subject: [PATCH 074/257] usbguard: add file context for usbguard in /usr/bin
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/usbguard.fc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/usbguard.fc b/policy/modules/admin/usbguard.fc
index bb03bd2698..6eedadef81 100644
--- a/policy/modules/admin/usbguard.fc
+++ b/policy/modules/admin/usbguard.fc
@@ -5,6 +5,8 @@
 /run/usbguard(/.*)? gen_context(system_u:object_r:usbguard_runtime_t,s0)
 /run/usbguard\.pid gen_context(system_u:object_r:usbguard_runtime_t,s0)
+/usr/bin/usbguard-daemon -- gen_context(system_u:object_r:usbguard_daemon_exec_t,s0)
+
 /usr/sbin/usbguard-daemon -- gen_context(system_u:object_r:usbguard_daemon_exec_t,s0)
 /var/log/usbguard(/.*)? gen_context(system_u:object_r:usbguard_log_t,s0)
From 9ee16f9c41690e5631b79e8d7911d9568e18ea79 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 8 Oct 2022 15:14:28 -0400
Subject: [PATCH 075/257] init: add file context for systemd units in dracut modules
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/init.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index ef807ba595..1a99e58240 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -28,7 +28,8 @@ ifdef(`distro_gentoo',`
 /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/bin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/dracut/modules\.d/[^/]+/.*\.service -- gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
From 389ae8d0f2ade079f26a27d63dab8eac3d14cc25 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge Date: Sat, 8 Oct 2022 15:22:34 -0400 Subject: [PATCH 076/257] git: add file contexts for other git utilities The git binary and its subcommands are hardlinks that live in /usr/bin and /usr/libexec/git-core. Add a file context to encompass all these binaries. This also fixes conflicting type specifications. Signed-off-by: Kenton Groombridge --- policy/modules/services/git.fc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc index eaea0d5ab4..f9a0c6199d 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc @@ -4,9 +4,12 @@ HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_xdg_config_t,s0) HOME_DIR/\.git-credentials -- gen_context(system_u:object_r:git_xdg_config_t,s0) /usr/bin/git -- gen_context(system_u:object_r:git_exec_t,s0) +/usr/bin/git-[^/]+ -- gen_context(system_u:object_r:git_exec_t,s0) +/usr/bin/git2_cli -- gen_context(system_u:object_r:git_exec_t,s0) /usr/lib/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) +/usr/libexec/git-core/git-[^/]+ -- gen_context(system_u:object_r:git_exec_t,s0) /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) /usr/share/gitweb/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) From e1cdd5a94493db1da7d4a815760453a54c45f11c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 2 Oct 2022 19:07:08 -0400 Subject: [PATCH 077/257] dbus, init, mount, rpc: minor fixes for mount.nfs mount.nfs will attempt to start the rpc-statd.service unit but will fall back to executing start-statd directly. Dontaudit attempts to start the unit and perform a domain transition to start-statd from mount. 
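Review bot: `/usr/bin/git-[^/]+` and `/usr/libexec/git-core/git-[^/]+` also match `git-daemon` (and `git-shell`, where it is installed), so the outcome depends on the file_contexts rule that the last matching entry wins: the explicit `git-daemon -- gitd_exec_t` lines keep their type only because they come after the wildcard. That ordering is now load-bearing and should be stated, e.g. `# keep the wildcard above git-daemon: the last matching entry wins`. Whether git-shell should run as git_exec_t when used as a login shell is worth confirming separately.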
Signed-off-by: Kenton Groombridge --- policy/modules/services/dbus.if | 19 +++++++++++++++++++ policy/modules/services/rpc.te | 4 ++++ policy/modules/system/init.if | 19 +++++++++++++++++++ policy/modules/system/mount.te | 10 ++++++++++ 4 files changed, 52 insertions(+) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index de9b0b45c2..ee497809bb 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -709,6 +709,25 @@ interface(`dbus_read_system_bus_runtime_named_sockets',` allow $1 system_dbusd_runtime_t:sock_file read; ') +####################################### +## +## Do not audit attempts to write to +## system bus runtime named sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`dbus_dontaudit_write_system_bus_runtime_named_sockets',` + gen_require(` + type system_dbusd_runtime_t; + ') + + dontaudit $1 system_dbusd_runtime_t:sock_file write; +') + ######################################## ## ## Unconfined access to DBUS. diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 4d1e1a3eb1..37d2b7ae02 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -264,6 +264,7 @@ fs_watch_rpc_pipefs_dirs(rpcd_t) fs_get_all_fs_quotas(rpcd_t) fs_set_xattr_fs_quotas(rpcd_t) fs_getattr_all_fs(rpcd_t) +fs_ioctl_cgroup_dirs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) @@ -272,6 +273,9 @@ selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) miscfiles_read_generic_tls_privkey(rpcd_t) +# for mount.nfs +mount_rw_runtime_files(rpcd_t) + seutil_dontaudit_search_config(rpcd_t) userdom_signal_all_users(rpcd_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 017129a7fd..ba25610486 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
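Review bot: `mount_rw_runtime_files(rpcd_t)` with only `# for mount.nfs` as justification grants rpcd open-for-write on mount's runtime files; if start-statd merely inherits an already-open descriptor from mount.nfs, which the commit description makes likely, an inherited-descriptor rule or a dontaudit would be narrower than a full rw grant, and the comment should say which file is involved and whether it is inherited. `fs_ioctl_cgroup_dirs(rpcd_t)` in the hunk above carries no comment at all, and ioctl on cgroup directories is unusual enough that the triggering denial should be recorded next to it.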
@@ -3314,6 +3314,25 @@ interface(`init_write_runtime_socket',` allow $1 init_runtime_t:sock_file write; ') +####################################### +## +## Do not audit attempts to write to +## init sock files. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_write_runtime_socket',` + gen_require(` + type init_runtime_t; + ') + + dontaudit $1 init_runtime_t:sock_file write; +') + ######################################## ## ## Read init unnamed pipes. diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index e75a9eeedd..d028723ce6 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -42,6 +42,8 @@ application_domain(unconfined_mount_t, mount_exec_t) # setuid/setgid needed to mount cifs allow mount_t self:capability { chown dac_override dac_read_search ipc_lock setgid setuid sys_admin sys_rawio sys_tty_config }; +dontaudit mount_t self:capability { kill net_admin }; +dontaudit mount_t self:process setrlimit; allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms; @@ -129,6 +131,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +init_dontaudit_read_state(mount_t) +init_dontaudit_write_runtime_socket(mount_t) logging_send_syslog_msg(mount_t) @@ -141,6 +145,8 @@ selinux_getattr_fs(mount_t) userdom_use_all_users_fds(mount_t) +dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) + ifdef(`distro_redhat',` optional_policy(` auth_read_pam_console_data(mount_t) @@ -210,6 +216,10 @@ optional_policy(` puppet_rw_tmp(mount_t) ') +optional_policy(` + rpc_domtrans_rpcd(mount_t) +') + # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) From d0f30da8cf6fa38132d6e4e844f3d6017c894b83 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 5 Oct 2022 23:25:56 -0400 Subject: [PATCH 078/257] zfs: allow reading exports Needed for NFS on ZFS. 
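Review bot: The description says the domain transition from mount to start-statd is dontaudited, but the last mount.te hunk adds `rpc_domtrans_rpcd(mount_t)` inside `optional_policy`, which allows the transition rather than silencing it; either the description or the rule is wrong, and if the allow is intended it should carry its reason, e.g. `# mount.nfs falls back to executing start-statd when the unit cannot be started`. The `dontaudit mount_t self:capability { kill net_admin }` and `dontaudit mount_t self:process setrlimit` lines added next to the large capability allow carry no comment either, whereas the init and dbus dontaudits in the same commit at least name the socket being written; a short note on which mount.nfs step triggers them would let a later reviewer decide whether they can be dropped.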
Signed-off-by: Kenton Groombridge --- policy/modules/services/zfs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te index 519295e96e..ebe389e05a 100644 --- a/policy/modules/services/zfs.te +++ b/policy/modules/services/zfs.te @@ -111,6 +111,7 @@ fs_rw_nfsd_fs(zfs_t) kernel_read_fs_sysctls(zfs_t) kernel_read_kernel_sysctls(zfs_t) +kernel_read_system_state(zfs_t) storage_raw_rw_fixed_disk(zfs_t) From d4f3b21e184a3af54a2079598b7b997fcf8f4288 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 5 Oct 2022 23:27:33 -0400 Subject: [PATCH 079/257] systemd: allow systemd-generator to use dns resolution systemd-generator will create mount units for NFS shares in /etc/fstab, but will need to use DNS resolution if those fstab entries use hostnames. Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 341efbf4b0..85a898e71b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -516,6 +516,9 @@ kernel_dontaudit_search_unlabeled(systemd_generator_t) storage_raw_read_fixed_disk(systemd_generator_t) storage_raw_read_removable_device(systemd_generator_t) +# needed to resolve hostnames for NFS mounts +sysnet_dns_name_resolve(systemd_generator_t) + systemd_log_parse_environment(systemd_generator_t) term_use_unallocated_ttys(systemd_generator_t) From ef70117066d73c74903ef6cc6a6709be0b9936db Mon Sep 17 00:00:00 2001 From: Russell Coker Date: Sun, 25 Sep 2022 23:58:18 +1000 Subject: [PATCH 080/257] Sympa list server Policy for the Sympa mailing list server. I think this is ready to merge, it works well. 
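Review bot: `kernel_read_system_state(zfs_t)` is added without a comment although the description limits the intent to reading exports for NFS on ZFS, and that interface, as its name suggests, grants read access to kernel state well beyond the exports table; the sibling change in this series documents its rule (`# needed to resolve hostnames for NFS mounts`), so this one should too, e.g. `# read the NFS exports table under /proc (NFS on ZFS)`. If a narrower interface covering only the exports file exists it would be preferable, but that cannot be judged from this hunk.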
Signed-off-by: Russell Coker --- policy/modules/services/apache.te | 15 +++ policy/modules/services/exim.te | 7 + policy/modules/services/mta.if | 20 +++ policy/modules/services/mta.te | 10 ++ policy/modules/services/sympa.fc | 6 + policy/modules/services/sympa.if | 209 ++++++++++++++++++++++++++++++ policy/modules/services/sympa.te | 86 ++++++++++++ 7 files changed, 353 insertions(+) create mode 100644 policy/modules/services/sympa.fc create mode 100644 policy/modules/services/sympa.if create mode 100644 policy/modules/services/sympa.te diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index e2c50da234..5587583a14 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -896,6 +896,14 @@ optional_policy(` snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') +optional_policy(` + sympa_manage_runtime_sock_files(httpd_t) + sympa_map_var_files(httpd_t) + sympa_read_conf(httpd_t) + sympa_read_var_files(httpd_t) +') + + ######################################## # # Helper local policy @@ -1237,6 +1245,8 @@ files_read_var_symlinks(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) +miscfiles_read_generic_certs(httpd_sys_script_t) + apache_domtrans_rotatelogs(httpd_sys_script_t) auth_use_nsswitch(httpd_sys_script_t) @@ -1319,6 +1329,11 @@ optional_policy(` ') ') +optional_policy(` + sympa_manage_var_files(httpd_sys_script_t) + sympa_read_conf(httpd_sys_script_t) +') + ######################################## # # Rotatelogs local policy diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 1aab4002c8..20d5cb5173 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te 
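Review bot: `miscfiles_read_generic_certs(httpd_sys_script_t)` in the second apache.te hunk is not mentioned in the description, which only covers Sympa, and it widens every httpd_sys_script_t script's access to generic certificates regardless of whether Sympa is installed; it should either be explained with a comment or moved to its own commit. In the first hunk the new `optional_policy` block is followed by two added blank lines before the Helper local policy header, whereas the surrounding blocks are separated by one. The rest of the httpd_t and httpd_sys_script_t policy lies outside these hunks.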
@@ -250,3 +250,10 @@ optional_policy(` spamassassin_exec(exim_t) spamassassin_exec_client(exim_t) ') + +optional_policy(` + # each of these should probably be for mailserver_delivery or mailserver_domain + sympa_append_var_files(exim_t) + sympa_read_var_files(exim_t) + sympa_use_fd(exim_t) +') diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 779c9a9717..71d56eda9c 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -805,6 +805,26 @@ interface(`mta_read_spool_symlinks',` allow $1 mail_spool_t:lnk_file read; ') +####################################### +## +## read and write fifo files inherited from delivery domains +## +## +## +## Domain to use fifo files +## +## +# +interface(`mta_rw_delivery_fifos',` + gen_require(` + attribute mailserver_delivery; + ') + + allow $1 mailserver_delivery:fd use; + allow $1 mailserver_delivery:fifo_file { getattr read write }; +') + + ####################################### ## ## Do not audit attempts to read diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index d4569fce27..70427f3568 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -297,6 +297,11 @@ optional_policy(` smartmon_read_tmp_files(system_mail_t) ') +optional_policy(` + sympa_append_var_files(system_mail_t) + sympa_dontaudit_tcp_rw(system_mail_t) +') + optional_policy(` unconfined_use_fds(system_mail_t) ') @@ -387,6 +392,11 @@ optional_policy(` postfix_rw_inherited_master_pipes(mailserver_delivery) ') +optional_policy(` + sympa_dontaudit_tcp_rw(mailserver_delivery) + sympa_domtrans(mailserver_delivery) +') + optional_policy(` uucp_domtrans_uux(mailserver_delivery) ') diff --git a/policy/modules/services/sympa.fc b/policy/modules/services/sympa.fc new file mode 100644 index 0000000000..328260c37c --- /dev/null +++ b/policy/modules/services/sympa.fc 
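Review bot: The exim.te hunk commits `# each of these should probably be for mailserver_delivery or mailserver_domain` as an open question in the policy; the mta.te hunks of the same commit already apply `sympa_domtrans` and `sympa_dontaudit_tcp_rw` to the `mailserver_delivery` attribute, so the exim-specific calls could be moved there the same way, or the comment replaced by a statement of why exim_t needs them on its own. The remaining optional_policy blocks of exim.te are outside the hunk.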
@@ -0,0 +1,6 @@
+/usr/lib/sympa/bin/.* -- gen_context(system_u:object_r:sympa_exec_t,s0)
+/var/lib/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
+/var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
+/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0)
+/etc/mail/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
+/etc/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
diff --git a/policy/modules/services/sympa.if b/policy/modules/services/sympa.if
new file mode 100644
index 0000000000..3b05ce50e8
--- /dev/null
+++ b/policy/modules/services/sympa.if
@@ -0,0 +1,209 @@ +## Sympa mailing list manager +## +## +## Sympa is a popular mailing list manager. +## https://www.sympa.org/ +## + +######################################## +## +## Allow appending to sympa_var_t (for error log) +## +## +## +## Domain allowed access. +## +## +# +interface(`sympa_append_var_files',` + gen_require(` + type sympa_var_t; + ') + + allow $1 sympa_var_t:file { append getattr }; +') + +######################################## +## +## Allow reading sympa_var_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`sympa_read_var_files',` + gen_require(` + type sympa_var_t; + ') + + allow $1 sympa_var_t:dir list_dir_perms; + allow $1 sympa_var_t:file read_file_perms; +') + +######################################## +## +## Allow managing sympa_var_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`sympa_manage_var_files',` + gen_require(` + type sympa_var_t; + ') + + allow $1 sympa_var_t:dir rw_dir_perms; + allow $1 sympa_var_t:file manage_file_perms; +') + +######################################## +## +## Allow mapping sympa_var_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`sympa_map_var_files',` + gen_require(` + type sympa_var_t; + ') + + allow $1 sympa_var_t:file map; +') + +######################################## +## +## Transition to sympa_t when executing sympa_exec_t +## +## +## +## Domain allowed access. +## +## +# +interface(`sympa_domtrans',` + gen_require(` + type sympa_exec_t, sympa_t; + ') + + domain_auto_transition_pattern($1, sympa_exec_t, sympa_t) +') + +######################################## +## +## Use file handles inherited from sympa +## +## +## +## Domain allowed access. 
+## +## +# +interface(`sympa_use_fd',` + gen_require(` + type sympa_t; + ') + + allow $1 sympa_t:fd use; +') + +######################################## +## +## Dontaudit access to inherited sympa tcp sockets +## +## +## +## Domain to not audit +## +## +# +interface(`sympa_dontaudit_tcp_rw',` + gen_require(` + type sympa_t; + ') + + dontaudit $1 sympa_t:tcp_socket { read write }; +') + +######################################## +## +## Allow reading sympa config files +## +## +## +## Domain to allow +## +## +# +interface(`sympa_read_conf',` + gen_require(` + type sympa_etc_t; + ') + + allow $1 sympa_etc_t:dir list_dir_perms; + allow $1 sympa_etc_t:file read_file_perms; +') + +######################################## +## +## Allow rw sympa runtime dirs and manage sympa runtime files +## +## +## +## Domain to allow +## +## +# +interface(`sympa_manage_runtime_files',` + gen_require(` + type sympa_runtime_t; + ') + + allow $1 sympa_runtime_t:dir rw_dir_perms; + allow $1 sympa_runtime_t:file manage_file_perms; +') + +######################################## +## +## Allow rw sympa runtime dirs and manage sympa runtime sock files +## +## +## +## Domain to allow +## +## +# +interface(`sympa_manage_runtime_sock_files',` + gen_require(` + type sympa_runtime_t; + ') + + allow $1 sympa_runtime_t:dir rw_dir_perms; + allow $1 sympa_runtime_t:sock_file { setattr create unlink write }; +') + +######################################## +## +## Allow domain to connect to sympa socket +## +## +## +## Domain to allow +## +## +# +interface(`sympa_connect_runtime_sock_files',` + gen_require(` + type sympa_t; + ') + + allow $1 sympa_t:unix_stream_socket connectto; +') diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te new file mode 100644 index 0000000000..5db699b309 --- /dev/null +++ b/policy/modules/services/sympa.te 
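Review bot: `sympa_connect_runtime_sock_files` grants only `sympa_t:unix_stream_socket connectto`, which is not enough to connect to a socket under /run/sympa: the caller also needs write on the sympa_runtime_t sock_file and search on its directory, i.e. `stream_connect_pattern($1, sympa_runtime_t, sympa_runtime_t, sympa_t)` with `type sympa_runtime_t, sympa_t;` in the gen_require, plus `files_search_runtime($1)`. `sympa_manage_runtime_sock_files` hand-lists `{ setattr create unlink write }` and omits getattr, while the other interfaces in this file use the named sets (`manage_file_perms`, `read_file_perms`); `manage_sock_file_perms` would match them. The parameter summaries also alternate between "Domain allowed access." and "Domain to allow" within the same file.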
@@ -0,0 +1,86 @@ +policy_module(sympa,1.0.0) + +######################################## +# +# Declarations +# + +type sympa_t; +type sympa_exec_t; +init_daemon_domain(sympa_t, sympa_exec_t) + +type sympa_var_t; +files_type(sympa_var_t) + +type sympa_runtime_t; +files_runtime_file(sympa_runtime_t) + +type sympa_etc_t; +files_config_file(sympa_etc_t) + +type sympa_tmp_t; +files_tmp_file(sympa_tmp_t) + +######################################## +# +# Local policy +# + +allow sympa_t self:capability { chown dac_override setgid setuid }; +allow sympa_t self:fifo_file rw_file_perms; +allow sympa_t self:tcp_socket create_socket_perms; +allow sympa_t self:unix_dgram_socket create_socket_perms; +allow sympa_t self:process signull; +allow sympa_t sympa_var_t:dir manage_dir_perms; +allow sympa_t sympa_var_t:file manage_file_perms; + +allow sympa_t sympa_runtime_t:dir manage_dir_perms; +allow sympa_t sympa_runtime_t:file manage_file_perms; +allow sympa_t sympa_runtime_t:sock_file { create setattr unlink write }; + +allow sympa_t sympa_etc_t:dir list_dir_perms; +allow sympa_t sympa_etc_t:file read_file_perms; + +files_tmp_filetrans(sympa_t, sympa_tmp_t, { file }) +allow sympa_t sympa_tmp_t:file manage_file_perms; + +can_exec(sympa_t, sympa_exec_t) + +kernel_read_kernel_sysctls(sympa_t) + +auth_dontaudit_read_shadow(sympa_t) + +# for setting SE Linux context in systemd unit file +corecmd_bin_entry_type(sympa_t) + +corecmd_exec_bin(sympa_t) +corecmd_exec_shell(sympa_t) + +dev_read_urand(sympa_t) + +files_read_etc_files(sympa_t) +files_read_usr_files(sympa_t) +files_search_spool(sympa_t) +files_search_var_lib(sympa_t) + +logging_send_syslog_msg(sympa_t) + +miscfiles_read_generic_certs(sympa_t) +miscfiles_read_localization(sympa_t) + +sysnet_read_config(sympa_t) + +optional_policy(` + apache_search_sys_scripts(sympa_t) +') + +optional_policy(` + mta_read_config(sympa_t) + mta_send_mail(sympa_t) + mta_rw_delivery_fifos(sympa_t) +') + +optional_policy(` + mysql_tcp_connect(sympa_t) + 
mysql_stream_connect(sympa_t)
+')
From 6a0a90065e1a8462e1b9fc024ee42b5644f3c7f8 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 10 Oct 2022 10:07:23 -0400
Subject: [PATCH 081/257] sympa: Move lines.
Signed-off-by: Chris PeBenito
---
 policy/modules/services/sympa.fc | 9 ++++++---
 policy/modules/services/sympa.te | 27 ++++++++++++++-------------
 2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/policy/modules/services/sympa.fc b/policy/modules/services/sympa.fc
index 328260c37c..c40da944eb 100644
--- a/policy/modules/services/sympa.fc
+++ b/policy/modules/services/sympa.fc
@@ -1,6 +1,9 @@
+/etc/mail/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
+/etc/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
+
+/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0)
+
 /usr/lib/sympa/bin/.* -- gen_context(system_u:object_r:sympa_exec_t,s0)
+
 /var/lib/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
 /var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
-/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0)
-/etc/mail/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
-/etc/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
index 5db699b309..9689cf890d 100644
--- a/policy/modules/services/sympa.te
+++ b/policy/modules/services/sympa.te
@@ -9,18 +9,18 @@ type sympa_t;
 type sympa_exec_t;
 init_daemon_domain(sympa_t, sympa_exec_t)
 
-type sympa_var_t;
-files_type(sympa_var_t)
+type sympa_etc_t;
+files_config_file(sympa_etc_t)
 
 type sympa_runtime_t;
 files_runtime_file(sympa_runtime_t)
 
-type sympa_etc_t;
-files_config_file(sympa_etc_t)
-
 type sympa_tmp_t;
 files_tmp_file(sympa_tmp_t)
 
+type sympa_var_t;
+files_type(sympa_var_t)
+
 ########################################
 #
 # Local policy
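Review bot: `corecmd_bin_entry_type(sympa_t)` makes every bin_t executable a valid entry point into sympa_t, so any program under the bin directories can be started in the daemon's domain through the unit's SELinux context setting; the comment says this is for the unit file, but sympa.fc in this same commit already labels /usr/lib/sympa/bin/.* as sympa_exec_t, so pointing the unit at that path (or labelling the actual wrapper sympa_exec_t) would avoid the blanket entrypoint. If the entrypoint must stay, the comment should name the binary it exists for, e.g. `# unit file starts <placeholder: wrapper path> (bin_t) with SELinuxContext=`. The `dac_override` capability on the first allow line is likewise uncommented; it is worth confirming that dac_read_search is not sufficient before granting the write-side override.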
@@ -31,23 +31,22 @@ allow sympa_t self:fifo_file rw_file_perms; allow sympa_t self:tcp_socket create_socket_perms; allow sympa_t self:unix_dgram_socket create_socket_perms; allow sympa_t self:process signull; -allow sympa_t sympa_var_t:dir manage_dir_perms; -allow sympa_t sympa_var_t:file manage_file_perms; + +allow sympa_t sympa_etc_t:dir list_dir_perms; +allow sympa_t sympa_etc_t:file read_file_perms; allow sympa_t sympa_runtime_t:dir manage_dir_perms; allow sympa_t sympa_runtime_t:file manage_file_perms; -allow sympa_t sympa_runtime_t:sock_file { create setattr unlink write }; +allow sympa_t sympa_runtime_t:sock_file manage_sock_file_perms; -allow sympa_t sympa_etc_t:dir list_dir_perms; -allow sympa_t sympa_etc_t:file read_file_perms; +allow sympa_t sympa_var_t:dir manage_dir_perms; +allow sympa_t sympa_var_t:file manage_file_perms; -files_tmp_filetrans(sympa_t, sympa_tmp_t, { file }) allow sympa_t sympa_tmp_t:file manage_file_perms; +files_tmp_filetrans(sympa_t, sympa_tmp_t, { file }) can_exec(sympa_t, sympa_exec_t) -kernel_read_kernel_sysctls(sympa_t) - auth_dontaudit_read_shadow(sympa_t) # for setting SE Linux context in systemd unit file @@ -63,6 +62,8 @@ files_read_usr_files(sympa_t) files_search_spool(sympa_t) files_search_var_lib(sympa_t) +kernel_read_kernel_sysctls(sympa_t) + logging_send_syslog_msg(sympa_t) miscfiles_read_generic_certs(sympa_t) From be2ba4e4730d52687767a4b3e4cc0d9289bb38d1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 10 Oct 2022 10:07:58 -0400 Subject: [PATCH 082/257] sympa: Drop module version. Signed-off-by: Chris PeBenito --- policy/modules/services/sympa.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te index 9689cf890d..162505fa8a 100644 --- a/policy/modules/services/sympa.te +++ b/policy/modules/services/sympa.te @@ -1,4 +1,4 @@ -policy_module(sympa,1.0.0) +policy_module(sympa) ######################################## # 
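Review bot: The `@@ -31,23 +31,22 @@` hunk replaces `{ create setattr unlink write }` on sympa_runtime_t sock files with `manage_sock_file_perms`, which is a permission widening (it adds at least getattr, rename and link) rather than a move; the title "Move lines" does not signal that, so either keep the original set in this commit or mention the change in the description. The rest of the hunk is pure reordering.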
From 3fd5341bffde5a1ab4f9f7124af5cabc183a7dd9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 10 Oct 2022 10:09:18 -0400 Subject: [PATCH 083/257] sympa, mta, exim: Revise interfaces. Revise interfaces added as part of sympa work. Signed-off-by: Chris PeBenito --- policy/modules/services/exim.te | 3 +-- policy/modules/services/mta.if | 4 ++-- policy/modules/services/mta.te | 6 +++--- policy/modules/services/sympa.if | 31 ++++++------------------------- policy/modules/services/sympa.te | 2 +- policy/support/obj_perm_sets.spt | 1 + 6 files changed, 14 insertions(+), 33 deletions(-) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 20d5cb5173..5e001b37b0 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -253,7 +253,6 @@ optional_policy(` optional_policy(` # each of these should probably be for mailserver_delivery or mailserver_domain - sympa_append_var_files(exim_t) + sympa_append_inherited_var_files(exim_t) sympa_read_var_files(exim_t) - sympa_use_fd(exim_t) ') diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 71d56eda9c..a20b2c09de 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -815,13 +815,13 @@ interface(`mta_read_spool_symlinks',` ## ## # -interface(`mta_rw_delivery_fifos',` +interface(`mta_rw_inherited_delivery_pipes',` gen_require(` attribute mailserver_delivery; ') allow $1 mailserver_delivery:fd use; - allow $1 mailserver_delivery:fifo_file { getattr read write }; + allow $1 mailserver_delivery:fifo_file rw_inherited_fifo_file_perms; ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 70427f3568..817cbfe49a 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te 
@@ -298,8 +298,8 @@ optional_policy(` ') optional_policy(` - sympa_append_var_files(system_mail_t) - sympa_dontaudit_tcp_rw(system_mail_t) + sympa_append_inherited_var_files(system_mail_t) + symba_dontaudit_rw_inherited_tcp_sockets(system_mail_t) ') optional_policy(` @@ -393,7 +393,7 @@ optional_policy(` ') optional_policy(` - sympa_dontaudit_tcp_rw(mailserver_delivery) + symba_dontaudit_rw_inherited_tcp_sockets(mailserver_delivery) sympa_domtrans(mailserver_delivery) ') diff --git a/policy/modules/services/sympa.if b/policy/modules/services/sympa.if index 3b05ce50e8..79ed3b2a8a 100644 --- a/policy/modules/services/sympa.if +++ b/policy/modules/services/sympa.if @@ -1,5 +1,4 @@ ## Sympa mailing list manager -## ## ## Sympa is a popular mailing list manager. ## https://www.sympa.org/ @@ -15,12 +14,13 @@ ## ## # -interface(`sympa_append_var_files',` +interface(`sympa_append_inherited_var_files',` gen_require(` - type sympa_var_t; + type sympa_t, sympa_var_t; ') - allow $1 sympa_var_t:file { append getattr }; + allow $1 sympa_t:fd use; + allow $1 sympa_var_t:file append_inherited_file_perms; ') ######################################## @@ -57,8 +57,7 @@ interface(`sympa_manage_var_files',` type sympa_var_t; ') - allow $1 sympa_var_t:dir rw_dir_perms; - allow $1 sympa_var_t:file manage_file_perms; + manage_files_pattern($1, sympa_var_t, sympa_var_t) ') ######################################## @@ -97,24 +96,6 @@ interface(`sympa_domtrans',` domain_auto_transition_pattern($1, sympa_exec_t, sympa_t) ') -######################################## -## -## Use file handles inherited from sympa -## -## -## -## Domain allowed access. -## -## -# -interface(`sympa_use_fd',` - gen_require(` - type sympa_t; - ') - - allow $1 sympa_t:fd use; -') - ######################################## ## ## Dontaudit access to inherited sympa tcp sockets 
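Review bot: `symba_dontaudit_rw_inherited_tcp_sockets` misspells the module prefix (symba instead of sympa) in both mta.te call sites and in the interface definition renamed in the sympa.if hunk of this same commit; interfaces in this tree are named after their module, and the typo breaks the convention that lets readers and greps find where an interface lives. Rename it to `sympa_dontaudit_rw_inherited_tcp_sockets` in all three places.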
@@ -125,7 +106,7 @@ interface(`sympa_use_fd',` ## ## # -interface(`sympa_dontaudit_tcp_rw',` +interface(`symba_dontaudit_rw_inherited_tcp_sockets',` gen_require(` type sympa_t; ') diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te index 162505fa8a..b8bdaaf532 100644 --- a/policy/modules/services/sympa.te +++ b/policy/modules/services/sympa.te @@ -78,7 +78,7 @@ optional_policy(` optional_policy(` mta_read_config(sympa_t) mta_send_mail(sympa_t) - mta_rw_delivery_fifos(sympa_t) + mta_rw_inherited_delivery_pipes(sympa_t) ') optional_policy(` diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 804a01b463..e62863f6f3 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -155,6 +155,7 @@ define(`mmap_read_file_perms',`{ getattr open map read ioctl }') define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }') define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }') define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') +define(`append_inherited_file_perms',`{ getattr append lock ioctl }') define(`append_file_perms',`{ getattr open append lock ioctl }') define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') define(`write_file_perms',`{ getattr open write append lock ioctl }') From accdce94a23a77aa6f48d29b1a6d2fd1ea9f1ae5 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 10 Oct 2022 10:39:05 -0400 Subject: [PATCH 084/257] sympa, logging; Fix lint errors. Logging is from new append_inherited_file_perms set. Signed-off-by: Chris PeBenito --- policy/modules/services/sympa.te | 2 +- policy/modules/system/logging.if | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te index b8bdaaf532..b2aea679d5 100644 --- a/policy/modules/services/sympa.te +++ b/policy/modules/services/sympa.te 
@@ -27,7 +27,7 @@ files_type(sympa_var_t)
 #
 
 allow sympa_t self:capability { chown dac_override setgid setuid };
-allow sympa_t self:fifo_file rw_file_perms;
+allow sympa_t self:fifo_file rw_fifo_file_perms;
 allow sympa_t self:tcp_socket create_socket_perms;
 allow sympa_t self:unix_dgram_socket create_socket_perms;
 allow sympa_t self:process signull;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 341763730f..cf7ef17214 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1069,7 +1069,7 @@ interface(`logging_append_all_inherited_logs',`
 attribute logfile;
 ')
 
- allow $1 logfile:file { getattr append ioctl lock };
+ allow $1 logfile:file append_inherited_file_perms;
 ')
 
 ########################################
From 4f157b5f638d8ca0a3a19e08f7935fb466ffb43d Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Tue, 4 Oct 2022 21:46:34 -0400
Subject: [PATCH 085/257] rpc: allow rpc admins to rw nfsd fs Seen when using exportfs.
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/rpc.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 6ff7f58b1c..482f89f44c 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -425,5 +425,5 @@ interface(`rpc_admin',`
 files_list_tmp($1)
 admin_pattern($1, gssd_tmp_t)
 
- fs_search_nfsd_fs($1)
+ fs_rw_nfsd_fs($1)
 ')
From 5399afbc7d810f376cb69621bef2bce720f4bc56 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 12 Oct 2022 09:40:50 -0400
Subject: [PATCH 086/257] container: Add missing UDP node bind access on container engines.
Signed-off-by: Chris PeBenito
---
 policy/modules/services/container.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index e4a3f1f75a..ac1bf04691 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -431,6 +431,7 @@ corenet_tcp_bind_generic_node(container_engine_domain)
 corenet_tcp_connect_http_port(container_engine_domain)
 corenet_tcp_connect_http_cache_port(container_engine_domain)
 corenet_tcp_bind_all_ports(container_engine_domain)
+corenet_udp_bind_generic_node(container_engine_domain)
 corenet_udp_bind_all_ports(container_engine_domain)
 
 corenet_rw_tun_tap_dev(container_engine_domain)
From 93575af48cfcb9b3a891e3ec9be6089337c79d6d Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sun, 16 Oct 2022 16:31:48 +0800
Subject: [PATCH 087/257] udev: allow udev_read_runtime_files to read link files There are some link files under /run/udev directory: $ ls -lZ /run/udev/static_node-tags/uaccess/ total 0 lrwxrwxrwx. 1 root root system_u:object_r:udev_runtime_t:SystemLow 12 Oct 16 08:32 'snd\x2fseq' -> /dev/snd/seq lrwxrwxrwx. 1 root root system_u:object_r:udev_runtime_t:SystemLow 14 Oct 16 08:32 'snd\x2ftimer' -> /dev/snd/timer Fixes: avc: denied { read } for pid=297 comm="systemd-logind" name="snd\x2fseq" dev="tmpfs" ino=125 scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Yi Zhao
---
 policy/modules/system/udev.if | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index d671b56003..fef83e80e7 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -504,6 +504,7 @@ interface(`udev_read_runtime_files',`
 
 files_search_runtime($1)
 read_files_pattern($1, udev_runtime_t, udev_runtime_t)
+ read_lnk_files_pattern($1, udev_runtime_t, udev_runtime_t)
 ')
 
 ########################################
From 44873ba42a4d7437b8e1c8b1ebdfd6cf2c565613 Mon Sep 17 00:00:00 2001
From: Yi Zhao Date: Wed, 19 Oct 2022 15:11:25 +0800 Subject: [PATCH 088/257] watchdog: allow watchdog to create /var/log/watchdog directory Allow watchdog to create log directory with correct label. Fixes: avc: denied { create } for pid=315 comm="watchdog" name="watchdog" scontext=system_u:system_r:watchdog_t tcontext=system_u:object_r:var_log_t tclass=dir permissive=1 Signed-off-by: Yi Zhao --- policy/modules/services/watchdog.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 36ea883b0c..e850eed818 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -31,7 +31,8 @@ allow watchdog_t self:rawip_socket create_socket_perms; allow watchdog_t self:tcp_socket { accept listen }; allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) +manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t) +logging_log_filetrans(watchdog_t, watchdog_log_t, {dir file}) manage_files_pattern(watchdog_t, watchdog_runtime_t, watchdog_runtime_t) files_runtime_filetrans(watchdog_t, watchdog_runtime_t, file) From b1f16bf75513d874265e2385eff788d75e6eba38 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 25 Jan 2021 14:14:59 +0800 Subject: [PATCH 089/257] systemd: allow systemd-resolved to manage link files The systemd-resolved may create a symlink stub-resolv.conf pointing to resolv.conf under /run/system/resolve directory. Fixes: avc: denied { create } for pid=329 comm="systemd-resolve" name=".#stub-resolv.conf53cb7f9d1e3aa72b" scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file permissive=0 Signed-off-by: Yi Zhao --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) 
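Review bot: `logging_log_filetrans(watchdog_t, watchdog_log_t, {dir file})` writes the class set without the inner spaces that the rest of this hunk uses (`{ append_file_perms create_file_perms setattr_file_perms }`); `{ dir file }` keeps the style consistent. The new `manage_dirs_pattern` line would also read better with a one-line why, e.g. `# watchdog creates its own log directory under /var/log`.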
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 85a898e71b..1f59f3cc6d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1422,6 +1422,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
 
 manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 
 init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
From 77fd73e6b894b3e1ee7db8d6f697638d55a04f02 Mon Sep 17 00:00:00 2001
From: Yi Zhao Date: Thu, 24 Sep 2020 14:05:52 +0800 Subject: [PATCH 090/257] sysnetwork: fix privilege separation functionality of dhcpcd Fixes: dhcpcd[410]: ps_dropprivs: chroot: /var/lib/dhcpcd: Operation not permitted dhcpcd[410]: failed to drop privileges: Operation not permitted dhcpcd[264]: setrlimit RLIMIT_NOFILE: Permission denied dhcpcd[264]: setrlimit RLIMIT_NPROC: Permission denied avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0 avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0 avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0 avc: denied { setrlimit } for pid=332 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process permissive=0 avc: denied { getattr } for pid=330 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=0 Signed-off-by: Yi Zhao --- policy/modules/system/sysnetwork.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index fb562afe44..fdbceafd2f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
@@ -61,11 +61,11 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
 allow dhcpc_t self:cap_userns { net_bind_service };
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
@@ -149,6 +149,7 @@ files_getattr_generic_locks(dhcpc_t)
 files_manage_var_files(dhcpc_t)
 fs_getattr_all_fs(dhcpc_t)
+fs_getattr_nsfs_files(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
 fs_search_cgroup_dirs(dhcpc_t)
From 6ed9c66d6283e84170a89e0b3edb7ef4be8deb1e Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 25 Jan 2021 14:14:59 +0800
Subject: [PATCH 091/257] sysnetwork: allow dhcpcd to send and receive messages from systemd resolved
The dhcpcd can send DNS information to systemd-resolved to update resolv.conf.
Fixes:
avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=RevertLink dest=org.freedesktop.resolve1 spid=340 tpid=345 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 tclass=dbus permissive=0
avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345 tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus permissive=0
Signed-off-by: Yi Zhao
---
 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)
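Review bot: The new `setgid setuid sys_chroot` capabilities and the `setrlimit` process permission are added without a comment, so a later reader cannot tell they exist only for dhcpcd's `ps_dropprivs` privilege-separation path rather than for ordinary DHCP operation; I would put `# for dhcpcd privilege separation: chroot into /var/lib/dhcpcd and drop to the dhcpcd user` above the capability line. Note that dropping uid and chrooting does not move the process out of dhcpc_t, so the SELinux domain keeps this full capability set before and after the drop and the benefit of privsep here is against DAC only. Separately, the `netlink_kobject_uevent_socket getattr` denial quoted in the message is not addressed by anything visible in these two hunks (`fs_getattr_nsfs_files` covers nsfs inodes, not that socket class), so confirm it is already covered by an existing `self:netlink_kobject_uevent_socket` rule for dhcpc_t or add `allow dhcpc_t self:netlink_kobject_uevent_socket getattr;`.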
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index fdbceafd2f..47811a5543 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -187,6 +187,10 @@ ifdef(`init_systemd',`
 init_stream_connect(dhcpc_t)
 init_get_all_units_status(dhcpc_t)
 init_search_units(dhcpc_t)
+
+ optional_policy(`
+ systemd_dbus_chat_resolved(dhcpc_t)
+ ')
 ')
 optional_policy(`
From 31a32f53ee70c9e636499ed6f1c9c5db1aa762de Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 31 Oct 2022 15:29:16 +0800
Subject: [PATCH 092/257] rpm: add label for dnf-automatic and dnf-3
Now dnf is a symlink to dnf-3, and dnf-automatic is a symlink to dnf-automatic-3. Add rpm_exec_t label for them.
Signed-off-by: Yi Zhao
---
 policy/modules/admin/rpm.fc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index e7b3ae81b0..3f842f9427 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -3,6 +3,9 @@
 /usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
 /usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
From c98bb9c71645c045236338953b906015eb451e33 Mon Sep 17 00:00:00 2001
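Review bot: With `/usr/bin/dnf` and `/usr/bin/dnf-automatic` now symlinks (per the message), the pre-existing `/usr/bin/dnf --` entry and the new `/usr/bin/dnf-automatic --` entry match nothing on such a system, because the `--` field restricts the pattern to regular files; that is harmless for the domain transition, which happens on the `dnf-[0-9]+` target, but the `dnf-automatic --` line is dead on arrival and could be dropped or given a comment saying it is kept for distributions that ship a real file. Labelling `dnf-automatic-[0-9]+` as rpm_exec_t also means the unattended update timer runs in the full rpm_t domain; that is consistent with how `dnf` itself is treated, but a short comment marking it as the timer entry point, e.g. `# dnf-automatic is run unattended from a systemd timer`, would record that this is intentional.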
From: Yi Zhao Date: Mon, 31 Oct 2022 15:54:10 +0800 Subject: [PATCH 093/257] systemd: allow systemd-backlight to read kernel sysctl settings Fixes: avc: denied { read } for pid=359 comm="systemd-backlig" name="osrelease" dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 avc: denied { open } for pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease" dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 avc: denied { getattr } for pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease" dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 avc: denied { ioctl } for pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease" dev="proc" ino=1457 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 avc: denied { getattr } for pid=359 comm="systemd-backlig" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 avc: denied { search } for pid=359 comm="systemd-backlig" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 avc: denied { getattr } for pid=359 comm="systemd-backlig" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1 Signed-off-by: Yi Zhao --- policy/modules/system/systemd.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1f59f3cc6d..8d3236867d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -360,7 +360,7 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
-kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
+kernel_read_kernel_sysctls(systemd_backlight_t)
 # for udev.conf
 files_read_etc_files(systemd_backlight_t)
@@ -370,6 +370,9 @@ udev_read_runtime_files(systemd_backlight_t)
 files_search_var_lib(systemd_backlight_t)
+fs_getattr_all_fs(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
From d4b19952c24b092bcbf422bc1e0471743692072a Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 31 Oct 2022 16:25:56 +0800
Subject: [PATCH 094/257] systemd: allow systemd-rfkill to get attributes of all fs
Fixes:
avc: denied { getattr } for pid=238 comm="systemd-rfkill" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8d3236867d..7adab26956 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1394,8 +1394,7 @@ manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_v
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
-fs_getattr_cgroup(systemd_rfkill_t)
-fs_getattr_xattr_fs(systemd_rfkill_t)
+fs_getattr_all_fs(systemd_rfkill_t)
 kernel_getattr_proc(systemd_rfkill_t)
 kernel_read_kernel_sysctls(systemd_rfkill_t)
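Review bot: `kernel_read_kernel_sysctls` turns a dontaudit into read access on every entry under /proc/sys/kernel, while all four denials quoted in the message are for the single file `osrelease`; as far as I can see refpolicy offers no narrower interface for that file, so the widening is the accepted fix, but the line sits next to a neighbour that carries a why-comment and deserves one too, e.g. `# reads /proc/sys/kernel/osrelease`. The second backlight hunk's `fs_getattr_all_fs` and `fs_search_cgroup_dirs` correspond directly to the tmpfs/cgroup2 filesystem getattr and cgroup_t dir search denials and are read-only, so no concern there.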
From 72399fc077915c99450b360591294c9a87afa795 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 1 Nov 2022 10:27:50 +0800
Subject: [PATCH 095/257] systemd: allow systemd-hostnamed to read selinux configuration files
Fixes:
systemd[1]: Starting Hostname Service...
systemd-hostnamed[395]: Failed to initialize SELinux labeling handle: No such file or directory
systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Hostname Service.
avc: denied { read } for pid=341 comm="systemd-hostnam" name="config" dev="vda" ino=345 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7adab26956..04d701fbb9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -702,6 +702,7 @@ fs_getattr_all_fs(systemd_hostnamed_t)
 selinux_use_status_page(systemd_hostnamed_t)
+seutil_read_config(systemd_hostnamed_t)
 seutil_read_file_contexts(systemd_hostnamed_t)
 sysnet_etc_filetrans_config(systemd_hostnamed_t)
From c57259582d7cfc351abef6a99bd23599298cdcbd Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 1 Nov 2022 11:26:48 +0800
Subject: [PATCH 096/257] systemd: add capability sys_admin to systemd_generator_t
Fixes:
systemd-gpt-auto-generator[116]: Failed to dissect: Permission denied
systemd[112]: /lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
avc: denied { sys_admin } for pid=116 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 tcontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 tclass=capability permissive=0
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 04d701fbb9..ef25974ac1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -472,7 +472,7 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:capability { dac_override sys_admin };
 allow systemd_generator_t self:process setfscreate;
 corecmd_exec_shell(systemd_generator_t)
From 03d486e306555da161b653c88e804ce23f3a0ea4 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 1 Nov 2022 09:54:51 -0400
Subject: [PATCH 097/257] Update Changelog and VERSION for release 2.20221101.
Signed-off-by: Chris PeBenito
---
 Changelog | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION | 2 +-
 2 files changed, 205 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 7334e49895..76cd60fdc6 100644
--- a/Changelog
+++ b/Changelog
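Review bot: `sys_admin` is the broadest capability in the set (mount, setns, quotactl, a long list of privileged ioctls and more), and this rule grants it to all of systemd_generator_t, which as I understand the domain covers every generator run from the system-generators directories, not only systemd-gpt-auto-generator whose denial prompted it. If the target does not depend on GPT auto-discovery of partitions a `dontaudit systemd_generator_t self:capability sys_admin;` would be the safer fix; if it does, the allow should at least carry a comment naming the consumer, e.g. `# systemd-gpt-auto-generator needs sys_admin to dissect the root disk`, so the next reviewer does not treat it as generic generator access and widen further. Since the message was captured in enforcing mode, only the first failing check is visible; re-test after this change in case the dissect path needs further block-device access that was masked by the capability denial.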
@@ -1,3 +1,207 @@
+* Tue Nov 01 2022 Chris PeBenito - 2.20221101
+Chris PeBenito (46):
+ systemd: Drop systemd_detect_virt_t.
+ fstools: Handle resizes of the root filesystem.
+ mount: Get the attributes of all filesystems.
+ rpm: Add dnf and tdnf labeling.
+ logging: Change to systemd interface for tmpfilesd.
+ systemd: Remove systemd-run domain.
+ unconfined: Add missing capability2 perms.
+ lvm: Updates for multipath LVM.
+ locallogin: Use init file descriptors.
+ systemd: Misc fixes.
+ isns: Updates from testing.
+ container, docker: Fixes for containerd and kubernetes testing.
+ devices: Add type for SAS management devices.
+ devices: Add file context for /dev/vhost-vsock.
+ iptables: Ioctl cgroup dirs.
+ devices: Add type for infiniband devices.
+ storage: Add fc for /dev/ng*n* devices.
+ files: Add prerequisite access for files_mounton_non_security().
+ files: Make etc_runtime_t a config file.
+ systemd: Fixes for coredumps in containers.
+ container: Allow container engines to connect to http cache ports.
+ container: Getattr generic device nodes.
+ application: Allow apps to use init fds.
+ systemd: Misc updates.
+ filesystem: Move ecryptfs interface definitions.
+ mcs: Add additional SysV IPC constraints.
+ mcs: Collapse constraints.
+ mcs: Add additional socket constraints.
+ mcs: Add missing process permission constraints.
+ mcs: Remove duplicate node_bind constraint.
+ mcs: Reorganize file.
+ mls: Add setsockcreate constraint.
+ systemd: Add interface for systemctl exec.
+ Add cloud-init.
+ hypervkvp: Port updated module from Fedora policy.
+ init: Add tunable for systemd to create all its mountpoints.
+ Run Ci tests in parallel.
+ Revise userspace and SELint versions in CI
+ fapolicyd: Fix selint issue.
+ tests.yml: Remove irrelevant comment.
+ Drop audit_access allows.
+ sympa: Move lines.
+ sympa: Drop module version.
+ sympa, mta, exim: Revise interfaces.
+ sympa, logging; Fix lint errors.
+ container: Add missing UDP node bind access on container engines.
+
+Christian Göttsche (3):
+ Replace deprecated egrep usage
+ ci: update dependencies
+ ci: build SELint from source
+
+Daniel Burgener (1):
+ Drop explicit calls to seutil and kernel module interfaces in broad files
+ interfaces
+
+Dave Sugar (20):
+ ssh: allow ssh_keygen to read /usr/share/crypto-policies/
+ chronyd: Allow to read fips_enabled sysctl
+ chronyd: allow chronyd to read /usr/share/crypto-policies
+ systemd: init_t creates systemd-logind 'linger' directory
+ systemd: systemd-update-done fix startup issue
+ usbguard: Allow to read fips_enabled sysctl
+ firewalld: read to read fips_enabled sysctl
+ firewalld: create netfilter socket
+ firewalld: allow to load kernel modules
+ firewalld: write tmpfs files
+ firewalld: firewalld-cmd uses dbus
+ tpm2-abrmd: allow to send syslog messages
+ domain: move kernel_read_crypto_sysctls to a common location
+ fapolicyd: Initial SELinux policy
+ networkmanager: allow watch etc_t and lib_t
+ firewalld: allow watch on firewalld files
+ Seeing long delay during shutdown saying: 'A stop job is running for
+ Restore /run/initramfs on shutdown'
+ fix: issue #550 - compile failed when DIRECT_INITRC=y
+ fapolicyd: fagenrules chgrp's the compiled.rules
+ Add 'DIRECT_INITRC' config to automated tests
+
+Kenton Groombridge (95):
+ systemd: add separate type for user transient units
+ systemd: rename user runtime unit interfaces
+ docker, podman: use renamed user runtime unit status interface
+ systemd: rename status user mananger units interface
+ systemd: systemd-resolved is linked to libselinux
+ systemd: dontaudit systemd-generator getattr on all dirs
+ raid: allow mdadm to use user ptys
+ bootloader, files: allow bootloader to getattr on boot_t filesystems
+ matrixd: various fixes
+ container: add unconfined role
+ unconfined: use unconfined container role
+ podman: add interface to rangetrans when executing conmon
+ podman: rework conmon rules
+ podman: add file context for podman in /usr/libexec
+ container: rework combined role interfaces
+ podman: typealias podman_user_conmon_t to podman_conmon_user_t
+ fail2ban: allow fail2ban to getsched on its processes
+ modutils: allow kmod to write to kmsg
+ postfix: allow postfix-map to read certbot certs
+ postfix: allow postfix master to get the state of init
+ postfix: allow postfix master fsetid capability
+ bind: fixes for named working on dnssec files
+ sudo: allow sudo domains to create netlink selinux sockets
+ sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
+ container: allow containers to manipulate own fds
+ container: allow container engines to manage tmp symlinks
+ ssh: add tunable to allow sshd to use remote port forwarding
+ systemd: minor fixes to systemd user domains
+ init, systemd: allow unpriv users to read the catalog
+ container: add separate type for container engine units
+ container, podman: allow podman to restart container units
+ spamassassin: add file context for rspamd log directory
+ term, init: allow systemd to watch and watch reads on unallocated ttys
+ certbot: various fixes
+ systemd: add file transition for systemd-networkd runtime
+ systemd: add missing file context for /run/systemd/network
+ systemd: add file contexts for systemd-network-generator
+ systemd, udev: allow udev to read systemd-networkd runtime
+ systemd: allow systemd-networkd to read init runtime files
+ podman: add alias for conmon executable
+ systemd: ensure connecting to resolved allows searching init runtime
+ ssh: allow sshd to run setfiles when polyinstantiation is enabled
+ sudo: allow sudo domains to access caller's /proc/pid/stat
+ container: add file contexts for docker home config
+ files, init: allow systemd to remount etc filesystems
+ systemd: allow systemd-logind to read localization
+ init: fix possible typo
+ corecmd: label dracut lib as bin_t
+ sudo: various fixes
+ udev: various fixes for udevadm
+ bootloader, init: various fixes for systemd-boot
+ systemd: allow systemd-generator to read etc runtime files
+ systemd: add interface to read userdb runtime files
+ logging: various fixes for auditctl
+ screen: add interface to dontaudit runtime sock file
+ systemd: dontaudit systemd-tmpfiles getattr on screen sock file
+ systemd: dontaudit systemd-tmpfiles getattr on all dirs
+ fstools: fixes for fsadm with nfs
+ various: fixes for nfs
+ init: dontaudit initrc creating /dev/console during initrd
+ storage: include chr_files in fixed_disk_dev interfaces
+ systemd: allow systemd-userdbd to search default contexts
+ logging, systemd: allow auditctl to list userdb runtime dirs
+ bootloader, userdom: minor fixes for systemd-boot
+ systemd: allow systemd-resolved to read generic certs
+ sysadm: allow sysadm to rw ipmi devices
+ zfs: initial policy module
+ fstools, mount: remove legacy zfs rules
+ files, mount: remove legacy ZFS file contexts
+ sysadm: allow admin access to zfs
+ kernel: allow kthreads to read and write the zpool cache
+ systemd, zfs: allow systemd-generator to read zfs config
+ udev: allow reading ZFS config
+ zfs: various fixes
+ mta: add support for nullmailer
+ devices: add interface to rw infiniband devices
+ xdg: add interface to dontaudit searching xdg data dirs
+ opensm: initial policy
+ sysadm: allow opensm access
+ corenet: add portcon for glusterfs
+ glusterfs: various fixes
+ glusterfs: add type for gluster bricks
+ mount: allow mounting glusterfs volumes
+ selinuxutil: allow semanage, setfiles to inherit gluster fds
+ glusterfs, selinuxutil: make modifying fcontexts a tunable
+ glusterfs: add type for glusterd hooks
+ usermanage: add file context for chpasswd in /usr/bin
+ node_exporter: add file context for node_exporter in /usr/bin
+ usbguard: add file context for usbguard in /usr/bin
+ init: add file context for systemd units in dracut modules
+ git: add file contexts for other git utilities
+ dbus, init, mount, rpc: minor fixes for mount.nfs
+ zfs: allow reading exports
+ systemd: allow systemd-generator to use dns resolution
+ rpc: allow rpc admins to rw nfsd fs
+
+Pat Riehecky (2):
+ container: Boolean for ecryptfs
+ Clone `xguest_connect_network` for guest role
+
+Russell Coker (1):
+ Sympa list server
+
+Yi Zhao (16):
+ systemd: allow systemd user to watch /etc directories
+ logwatch: fixes for logwatch
+ postfix: allow postfix_local_t to search logwatch_cache_t
+ sysnetwork: allow systemd_networkd_t to read link file
+ logging: allow systemd-journal to manage syslogd_runtime_t sock_file
+ radius: fixes for freeradius
+ udev: allow udev_read_runtime_files to read link files
+ watchdog: allow watchdog to create /var/log/watchdog directory
+ systemd: allow systemd-resolved to manage link files
+ sysnetwork: fix privilege separation functionality of dhcpcd
+ sysnetwork: allow dhcpcd to send and receive messages from systemd
+ resolved
+ rpm: add label for dnf-automatic and dnf-3
+ systemd: allow systemd-backlight to read kernel sysctl settings
+ systemd: allow systemd-rfkill to get attributes of all fs
+ systemd: allow systemd-hostnamed to read selinux configuration files
+ systemd: add capability sys_admin to systemd_generator_t
+
 * Fri May 20 2022 Chris PeBenito - 2.20220520
 Björn Esser (1):
 authlogin: add fcontext for tcb
diff --git a/VERSION b/VERSION
index b45db4e8fb..f14c5b1750 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20220520
+2.20221101
From 79aeab71c8ecdcf96d4e7c63bf3fc243261958e8 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 27 Apr 2022 11:51:19 -0400
Subject: [PATCH 098/257] corenet: add portcon for kubernetes
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2bc2596782..71096934f5 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -179,6 +179,7 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kismet, tcp,2501,s0)
 network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
+network_port(kubernetes, tcp,2379-2381,s0, tcp,6443,s0, tcp,10248-10250,s0, tcp,10256-10257,s0, tcp,10259,s0)
 network_port(l2tp, tcp,1701,s0, udp,1701,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0)
 network_port(lirc, tcp,8765,s0)
From d3872886933bcdc33bfec88166c61a6fc29ef5a3 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Tue, 10 May 2022 13:55:10 -0400
Subject: [PATCH 099/257] kubernetes: initial policy module
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/filesystem.if | 18 ++
 policy/modules/services/container.fc | 6 +-
 policy/modules/services/container.if | 368 ++++++++++++++++++++++++++
 policy/modules/services/kubernetes.fc | 19 ++
 policy/modules/services/kubernetes.if | 238 +++++++++++++++++
 policy/modules/services/kubernetes.te | 292 ++++++++++++++++++++
 policy/modules/system/iptables.if | 18 ++
 policy/modules/system/userdomain.if | 19 ++
 8 files changed, 976 insertions(+), 2 deletions(-)
 create mode 100644 policy/modules/services/kubernetes.fc
 create mode 100644 policy/modules/services/kubernetes.if
 create mode 100644 policy/modules/services/kubernetes.te
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 27cc4acef9..5f6ecece62 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1023,6 +1023,24 @@ interface(`fs_relabel_cgroup_symlinks',`
 relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
 ')
+########################################
+##
+## Watch cgroup directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_watch_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir watch;
+')
+
 ########################################
 ##
 ## Mount on cgroup directories.
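Review bot: A single `kubernetes` port type covers the etcd client/peer/metrics range (2379-2381) together with the API server, kubelet, kube-proxy, controller-manager and scheduler ports, so any domain later given `corenet_tcp_bind_kubernetes_port` can bind etcd's listener as readily as the kubelet's; if etcd is ever to be confined separately from the rest of the control plane (it is the cluster's secret store), splitting 2379-2381 into its own port type now, before callers depend on the combined one, avoids a compatibility-breaking rename later. Either way a comment mapping ranges to owners, e.g. `# 2379-2381 etcd, 6443 kube-apiserver, 10248-10250 kubelet, 10256-10257 kube-proxy/controller-manager, 10259 kube-scheduler` (the assignments as I understand the upstream defaults; please verify), would make the portcon reviewable.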
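Review bot: The declaration line for the new interface reads interface(`fs_watch_cgroup_dirs', ` with a space between the comma and the opening quote, unlike every other interface visible in this file and in the container.if hunks of the same series, which use the interface(`name',` form; m4 does not care, but lint tooling and grep-based audits of interface names will, so it should be interface(`fs_watch_cgroup_dirs',` for consistency. The rule itself grants only `dir watch` on cgroup_t with no write access, which is appropriate.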
diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 7b7c8da4ef..0f6813e72d 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -83,8 +83,10 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
 /var/lib/containerd/[^/]+/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containerd/[^/]+/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
-/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/device-plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/plugins_registry(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 16b1460220..ba1e56b448 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
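Review bot: `device-plugins`, `plugins` and `plugins_registry` under /var/lib/kubelet are labelled container_file_t, the type this module lets container processes write, and those directories hold the unix sockets the kubelet uses to talk to device and CSI plugins; that is the right label when plugins run as containers and must create their sockets there, but it also means any container domain with container_file_t access can reach and replace those sockets, so the intent should be stated on the entries, e.g. `# plugin sockets are created by plugin containers and must be container-writable`. If the deployment runs plugins as host services rather than containers, a narrower type for these three directories would be preferable; the fc file cannot know which, so the comment is the minimum.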
@@ -609,6 +609,28 @@ interface(`container_domtrans',`
 allow $1 container_domain:process transition;
 ')
+########################################
+##
+## Connect to a system container engine
+## domain over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_stream_connect_system_engine',`
+ gen_require(`
+ attribute container_engine_system_domain;
+ type container_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_engine_system_domain)
+ allow $1 container_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ##
 ## Connect to a system container domain
@@ -750,6 +772,45 @@ interface(`container_mountpoint',`
 typeattribute $1 container_mountpoint_type;
 ')
+########################################
+##
+## Allow the specified domain to
+## read container config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_config',`
+ gen_require(`
+ type container_config_t;
+ ')
+
+ list_dirs_pattern($1, container_config_t, container_config_t)
+ read_files_pattern($1, container_config_t, container_config_t)
+')
+
+########################################
+##
+## Allow the specified domain to
+## watch container config directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_watch_config_dirs',`
+ gen_require(`
+ type container_config_t;
+ ')
+
+ allow $1 container_config_t:dir watch;
+')
+
 ########################################
 ##
 ## Allow the specified domain to
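Review bot: In `container_stream_connect_system_engine`, `stream_connect_pattern` already grants `write` on the container_runtime_t sock_file plus `connectto` on the engine domain, so the extra `allow $1 container_runtime_t:sock_file read_sock_file_perms;` adds `getattr open read` on the socket file; `read` on a sock_file is not needed to connect and is unusual for a stream_connect interface, so if the intent is only to let callers stat the socket before connecting, `allow $1 container_runtime_t:sock_file getattr;` is the narrower and self-documenting form, and whichever is kept should carry a comment saying which caller needs it. The `container_read_config`/`container_watch_config_dirs` hunk is read-only and fine as written.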
@@ -847,6 +908,25 @@ interface(`container_manage_dirs',`
 manage_dirs_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Allow the specified domain to
+## watch container file directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_watch_dirs',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:dir watch;
+')
+
 ########################################
 ##
 ## Allow the specified domain to
@@ -866,6 +946,44 @@ interface(`container_manage_files',`
 manage_files_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Do not audit attempts to relabel
+## container file directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`container_dontaudit_relabel_dirs',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ dontaudit $1 container_file_t:dir { relabelfrom relabelto };
+')
+
+########################################
+##
+## Do not audit attempts to relabel
+## container files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`container_dontaudit_relabel_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ dontaudit $1 container_file_t:file { relabelfrom relabelto };
+')
+
 ########################################
 ##
 ## Allow the specified domain to
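Review bot: `container_dontaudit_relabel_dirs` and `container_dontaudit_relabel_files` silence `relabelfrom relabelto` on container_file_t, and a relabel attempt on container-writable content is exactly the signal an operator looking for a container trying to change its own labels would want kept in the audit log; a dontaudit here is only appropriate for a trusted engine that is known to attempt and fail the relabel as a matter of course (for example when restoring volume contexts). That constraint should be written into both summaries so the interfaces are not later handed to container domains as a convenience, e.g. `## Do not audit attempts to relabel container file directories. Intended for container engines that try and fail relabels on volumes during normal operation; do not use for container domains.`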
@@ -980,6 +1098,62 @@ interface(`container_manage_chr_files',`
 manage_chr_files_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Allow the specified domain to create
+## objects in specified directories with
+## an automatic type transition to the
+## container file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Directory to transition on.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`container_spec_filetrans_file',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ filetrans_pattern($1, $2, container_file_t, $3, $4)
+')
+
+########################################
+##
+## Allow the specified domain to list
+## the contents of read-only container
+## file directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_list_ro_dirs',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ allow $1 container_ro_file_t:dir list_dir_perms;
+')
+
 ########################################
 ##
 ## Allow the specified domain to
@@ -1293,6 +1467,46 @@ interface(`container_search_runtime',`
 allow $1 container_runtime_t:dir search_dir_perms;
 ')
+########################################
+##
+## Allow the specified domain to read
+## runtime container files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_runtime_files',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 container_runtime_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to get
+## the attributes runtime container of
+## container runtime named sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_getattr_runtime_sock_files',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ allow $1 container_runtime_t:sock_file getattr;
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
@@ -1331,6 +1545,25 @@ interface(`container_manage_runtime_fifo_files',`
 manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t)
 ')
+########################################
+##
+## Allow the specified domain to manage
+## runtime container symlinks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_manage_runtime_lnk_files',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
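Review bot: `container_read_runtime_files` grants `read_file_perms` on container_runtime_t files but no `search` on container_runtime_t directories, and `files_search_runtime` only reaches /run itself, so a caller that uses this interface alone will still be denied the directory search on the container runtime directory (the `container_search_runtime` interface just above exists precisely for that). The conventional form, which includes the dir search, is `read_files_pattern($1, container_runtime_t, container_runtime_t)` in place of the bare allow line. The summary of `container_getattr_runtime_sock_files` also reads `get the attributes runtime container of container runtime named sockets`, which is garbled; it should say `get the attributes of container runtime named sockets`.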
@@ -1408,6 +1641,46 @@ interface(`container_search_var_lib',`
 allow $1 container_var_lib_t:dir search_dir_perms;
 ')
+########################################
+##
+## Allow the specified domain to list
+## the contents of container directories
+## in /var/lib.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_list_var_lib',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 container_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## container file directories in /var/lib.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_manage_var_lib_dirs',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
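Review bot: `container_list_var_lib` calls `files_search_var_lib($1)` before its allow rule, but its sibling `container_manage_var_lib_dirs` in the same hunk does not, so a caller relying on the manage interface alone still needs search on var_lib_t from somewhere else before it can reach the container directories; for consistency with the list interface and the usual refpolicy shape of manage interfaces, add `files_search_var_lib($1)` ahead of the `manage_dirs_pattern` line. If the omission is deliberate (the caller is expected to obtain /var/lib search itself), say so in the interface summary rather than leaving the two siblings silently different.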
@@ -1498,6 +1771,101 @@ interface(`container_unlabeled_var_lib_filetrans',` kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3) ') +######################################## +## +## Allow the specified domain to manage +## container log file directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_log_dirs',` + gen_require(` + type container_log_t; + ') + + allow $1 container_log_t:dir manage_dir_perms; +') + +######################################## +## +## Allow the specified domain to create +## container log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_create_log_files',` + gen_require(` + type container_log_t; + ') + + create_files_pattern($1, container_log_t, container_log_t) +') + +######################################## +## +## Allow the specified domain to append +## data to container log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_append_log_files',` + gen_require(` + type container_log_t; + ') + + allow $1 container_log_t:file append_file_perms; +') + +######################################## +## +## Allow the specified domain to manage +## container log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_log_files',` + gen_require(` + type container_log_t; + ') + + manage_files_pattern($1, container_log_t, container_log_t) +') + +######################################## +## +## Allow the specified domain to manage +## container log symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_log_symlinks',` + gen_require(` + type container_log_t; + ') + + manage_lnk_files_pattern($1, container_log_t, container_log_t) +') + ######################################## ## ## Allow the specified domain to start diff --git a/policy/modules/services/kubernetes.fc b/policy/modules/services/kubernetes.fc new file mode 100644 index 0000000000..dfe922e356 --- /dev/null 
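Review bot: `container_manage_log_symlinks` departs from the naming this file uses for lnk_file rules — the same patch adds `container_manage_runtime_lnk_files`, and its siblings `container_manage_log_dirs`/`container_manage_log_files` follow the `<type>_<class>` form — so `container_manage_log_lnk_files` would be the consistent name, with the `container_manage_log_symlinks(kubelet_t)` call in kubernetes.te renamed to match. Separately, `container_manage_log_dirs` spells its rule out as `allow $1 container_log_t:dir manage_dir_perms;` while the neighbouring interfaces use the pattern macros; `manage_dirs_pattern($1, container_log_t, container_log_t)` is the same grant in the house style.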
+++ b/policy/modules/services/kubernetes.fc
@@ -0,0 +1,19 @@
+HOME_DIR/\.kube(/.*)? gen_context(system_u:object_r:kubernetes_home_t,s0)
+
+/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_config_t,s0)
+
+/usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/kubeadm -- gen_context(system_u:object_r:kubeadm_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*kubelet.* -- gen_context(system_u:object_r:kubernetes_unit_t,s0)
+
+/var/lib/calico(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+/var/lib/etcd(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+/var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+
+/var/log/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
new file mode 100644
index 0000000000..a704341cb1
--- /dev/null
+++ b/policy/modules/services/kubernetes.if
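Review bot: `/var/lib/etcd(/.*)?` is given the same kubernetes_var_lib_t as the calico, kube-proxy and kubelet state directories, so every domain granted that type — kubelet_t and kubeadm_t manage it in kubernetes.te, and kubernetes_admin gets admin_pattern on it — also has full access to the etcd datastore, which holds the cluster's Secret objects unless encryption at rest is configured. If the kubelet only needs the directory to exist for the static-pod hostPath mount, a dedicated type (a constructed name such as `kubernetes_etcd_var_lib_t`) carrying just the directory permissions the kubelet needs would keep that data out of the node agent's reach. Whether etcd itself runs in a confined domain is outside this series' view, so treat the split as a question to settle rather than a definite defect.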
@@ -0,0 +1,238 @@ +## policy for kubernetes + +####################################### +## +## Execute kubelet in the kubelet domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kubernetes_domtrans_kubelet',` + gen_require(` + type kubelet_t, kubelet_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kubelet_exec_t, kubelet_t) +') + +######################################## +## +## Execute kubelet in the kubelet domain, +## and allow the specified role the +## kubelet domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to be allowed the kubelet domain. +## +## +# +interface(`kubernetes_run_kubelet',` + gen_require(` + type kubelet_t; + ') + + role $2 types kubelet_t; + + kubernetes_domtrans_kubelet($1) +') + +####################################### +## +## Execute kubeadm in the kubeadm domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kubernetes_domtrans_kubeadm',` + gen_require(` + type kubeadm_t, kubeadm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kubeadm_exec_t, kubeadm_t) +') + +######################################## +## +## Execute kubeadm in the kubeadm domain, +## and allow the specified role the +## kubeadm domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to be allowed the kubeadm domain. +## +## +# +interface(`kubernetes_run_kubeadm',` + gen_require(` + type kubeadm_t; + ') + + role $2 types kubeadm_t; + + kubernetes_domtrans_kubeadm($1) +') + +######################################## +## +## Search kubernetes directories in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_search_var_lib',` + gen_require(` + type kubernetes_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 kubernetes_var_lib_t:dir search_dir_perms; +') + +######################################## +## +## Get the status of kubernetes systemd units. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`kubernetes_get_unit_status',` + gen_require(` + type kubernetes_unit_t; + class service status; + ') + + allow $1 kubernetes_unit_t:service status; +') + +######################################## +## +## Start kubernetes systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_start_unit',` + gen_require(` + type kubernetes_unit_t; + class service start; + ') + + allow $1 kubernetes_unit_t:service start; +') + +######################################## +## +## Stop kubernetes systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_stop_unit',` + gen_require(` + type kubernetes_unit_t; + class service stop; + ') + + allow $1 kubernetes_unit_t:service stop; +') + +######################################## +## +## Reload kubernetes systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_reload_unit',` + gen_require(` + type kubernetes_unit_t; + class service reload; + ') + + allow $1 kubernetes_unit_t:service reload; +') + +####################################### +## +## All of the rules required to administrate +## a kubernetes environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`kubernetes_admin',` + gen_require(` + type kubeadm_t, kubelet_t; + type kubernetes_config_t, kubernetes_tmpfs_t; + type kubernetes_runtime_t, kubernetes_var_lib_t; + type kubernetes_log_t; + ') + + kubernetes_run_kubeadm($1, $2) + kubernetes_run_kubelet($1, $2) + + allow $1 kubeadm_t:process { ptrace signal_perms }; + ps_process_pattern($1, kubeadm_t) + + allow $1 kubelet_t:process { ptrace signal_perms }; + ps_process_pattern($1, kubelet_t) + + files_search_etc($1) + admin_pattern($1, kubernetes_config_t) + + fs_search_tmpfs($1) + admin_pattern($1, kubernetes_tmpfs_t) + + files_search_runtime($1) + admin_pattern($1, kubernetes_runtime_t) + + files_search_var_lib($1) + admin_pattern($1, kubernetes_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, kubernetes_log_t) +') diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te new file mode 100644 index 0000000000..81f5119f5f --- /dev/null +++ b/policy/modules/services/kubernetes.te 
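Review bot: `kubernetes_admin` grants process, config, tmpfs, runtime, var_lib and log access but no control over the kubelet unit, even though this same file defines `kubernetes_get_unit_status`, `kubernetes_start_unit`, `kubernetes_stop_unit` and `kubernetes_reload_unit`; an administrator in $1 therefore cannot restart kubelet through systemctl on the strength of this interface alone. Calling those four interfaces for `$1` inside an `ifdef(`init_systemd',`...')` block, as kubernetes.te does for kubelet_t and kubeadm_t, or using the usual `init_startstop_service($1, $2, kubelet_t, kubernetes_unit_t)`, would complete the admin set.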
@@ -0,0 +1,292 @@ +policy_module(kubernetes) + +######################################## +# +# Declarations +# + +attribute_role kubernetes_roles; +roleattribute system_r kubernetes_roles; + +type kubelet_t; +type kubelet_exec_t; +domain_type(kubelet_t) +container_engine_executable_file(kubelet_exec_t) +init_daemon_domain(kubelet_t, kubelet_exec_t) +role kubernetes_roles types kubelet_t; + +type kubeadm_t; +type kubeadm_exec_t; +application_domain(kubeadm_t, kubeadm_exec_t) +role kubernetes_roles types kubeadm_t; + +type kubernetes_config_t; +files_config_file(kubernetes_config_t) + +type kubernetes_tmpfs_t; +files_tmpfs_file(kubernetes_tmpfs_t) + +type kubernetes_runtime_t; +files_runtime_file(kubernetes_runtime_t) + +type kubernetes_var_lib_t; +files_type(kubernetes_var_lib_t) + +type kubernetes_log_t; +logging_log_file(kubernetes_log_t) + +type kubernetes_unit_t; +init_unit_file(kubernetes_unit_t) + +type kubernetes_home_t; +xdg_config_content(kubernetes_home_t) + +######################################## +# +# kubelet local policy +# + +allow kubelet_t self:process { getattr getsched setrlimit signal }; +allow kubelet_t self:capability { chown dac_read_search net_raw sys_ptrace sys_resource }; +dontaudit kubelet_t self:capability net_admin; +allow kubelet_t self:cap_userns sys_ptrace; +allow kubelet_t self:fifo_file rw_fifo_file_perms; +allow kubelet_t self:rawip_socket create_socket_perms; +allow kubelet_t self:tcp_socket create_stream_socket_perms; +allow kubelet_t self:unix_dgram_socket create_socket_perms; +allow kubelet_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +allow kubelet_t kubernetes_config_t:dir { list_dir_perms watch }; +allow kubelet_t kubernetes_config_t:file { read_file_perms watch }; +allow kubelet_t kubernetes_config_t:lnk_file read_lnk_file_perms; +files_etc_filetrans(kubelet_t, kubernetes_config_t, dir) + +allow kubelet_t kubernetes_tmpfs_t:dir manage_dir_perms; +allow kubelet_t kubernetes_tmpfs_t:file 
manage_file_perms; +allow kubelet_t kubernetes_tmpfs_t:lnk_file manage_lnk_file_perms; +fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file }) + +allow kubelet_t kubernetes_runtime_t:dir manage_dir_perms; +allow kubelet_t kubernetes_runtime_t:file manage_file_perms; +allow kubelet_t kubernetes_runtime_t:sock_file manage_sock_file_perms; +files_runtime_filetrans(kubelet_t, kubernetes_runtime_t, { dir file sock_file }) + +allow kubelet_t kubernetes_var_lib_t:dir manage_dir_perms; +allow kubelet_t kubernetes_var_lib_t:file manage_file_perms; +allow kubelet_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms; +allow kubelet_t kubernetes_var_lib_t:sock_file manage_sock_file_perms; +files_var_lib_filetrans(kubelet_t, kubernetes_var_lib_t, dir) +container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "device-plugins") +container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "pods") +container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins") +container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins_registry") + +logging_log_filetrans(kubelet_t, kubernetes_log_t, { dir file }) + +corenet_tcp_bind_generic_node(kubelet_t) + +corenet_tcp_bind_kubernetes_port(kubelet_t) +corenet_tcp_connect_kubernetes_port(kubelet_t) + +corecmd_search_bin(kubelet_t) +corecmd_watch_bin_dirs(kubelet_t) +corecmd_exec_bin(kubelet_t) + +dev_getattr_mtrr_dev(kubelet_t) +dev_read_kmsg(kubelet_t) +dev_read_sysfs(kubelet_t) + +domain_dontaudit_read_all_domains_state(kubelet_t) +domain_setpriority_all_domains(kubelet_t) + +files_dontaudit_getattr_all_dirs(kubelet_t) +files_dontaudit_search_mnt(kubelet_t) +files_dontaudit_search_tmp(kubelet_t) +files_read_kernel_symbol_table(kubelet_t) +# read /usr/share/mime/globs2 +files_read_usr_files(kubelet_t) + +fs_getattr_tmpfs(kubelet_t) +fs_search_tmpfs(kubelet_t) +fs_getattr_xattr_fs(kubelet_t) +fs_getattr_cgroup(kubelet_t) +fs_list_cgroup_dirs(kubelet_t) 
+fs_watch_cgroup_dirs(kubelet_t) +fs_rw_cgroup_files(kubelet_t) + +kernel_getattr_message_if(kubelet_t) +kernel_read_ring_buffer(kubelet_t) +kernel_read_irq_sysctls(kubelet_t) +kernel_read_network_state(kubelet_t) +kernel_read_system_state(kubelet_t) +kernel_rw_kernel_sysctl(kubelet_t) +kernel_rw_net_sysctls(kubelet_t) +kernel_rw_vm_overcommit_sysctl(kubelet_t) +kernel_dontaudit_getattr_proc(kubelet_t) + +storage_getattr_fixed_disk_dev(kubelet_t) + +auth_use_nsswitch(kubelet_t) + +iptables_domtrans(kubelet_t) +iptables_getattr_runtime_files(kubelet_t) + +miscfiles_read_localization(kubelet_t) + +logging_send_syslog_msg(kubelet_t) + +modutils_domtrans(kubelet_t) + +mount_domtrans(kubelet_t) + +seutil_read_default_contexts(kubelet_t) + +userdom_dontaudit_search_user_runtime_root(kubelet_t) + +dbus_list_system_bus_runtime(kubelet_t) +dbus_system_bus_client(kubelet_t) + +container_read_config(kubelet_t) +container_getattr_fs(kubelet_t) +# read /run/docker.pid +container_read_runtime_files(kubelet_t) +# connect to docker, podman, etc. 
+container_stream_connect_system_engine(kubelet_t) + +container_list_var_lib(kubelet_t) +container_manage_dirs(kubelet_t) +container_manage_files(kubelet_t) +container_manage_lnk_files(kubelet_t) +container_manage_sock_files(kubelet_t) +container_watch_dirs(kubelet_t) +container_list_ro_dirs(kubelet_t) + +container_manage_log_dirs(kubelet_t) +container_manage_log_files(kubelet_t) +container_manage_log_symlinks(kubelet_t) + +# kubelet will preemptively relabel container +# files to the same label even if the labels +# are correct, so just dontaudit these +container_dontaudit_relabel_dirs(kubelet_t) +container_dontaudit_relabel_files(kubelet_t) + +ifdef(`init_systemd',` + init_dbus_chat(kubelet_t) + + init_start_system(kubelet_t) + init_get_transient_units_status(kubelet_t) + init_start_transient_units(kubelet_t) + init_stop_transient_units(kubelet_t) + + kubernetes_get_unit_status(kubelet_t) + kubernetes_start_unit(kubelet_t) + kubernetes_stop_unit(kubelet_t) +') + +optional_policy(` + docker_read_state(kubelet_t) + docker_write_state(kubelet_t) +') + +######################################## +# +# kubeadm local policy +# + +allow kubeadm_t self:process { getsched signal }; +dontaudit kubeadm_t self:capability net_admin; +allow kubeadm_t self:fifo_file rw_fifo_file_perms; +allow kubeadm_t self:netlink_route_socket create_netlink_socket_perms; +allow kubeadm_t self:tcp_socket create_stream_socket_perms; +allow kubeadm_t self:udp_socket create_socket_perms; +allow kubeadm_t self:unix_dgram_socket create_socket_perms; + +domtrans_pattern(kubeadm_t, kubelet_exec_t, kubelet_t) +ps_process_pattern(kubeadm_t, kubelet_t) + +manage_dirs_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) +manage_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) +manage_lnk_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) + +allow kubeadm_t kubernetes_var_lib_t:dir manage_dir_perms; +allow kubeadm_t kubernetes_var_lib_t:file manage_file_perms; 
+allow kubeadm_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms; +allow kubeadm_t kubernetes_var_lib_t:sock_file manage_sock_file_perms; +files_var_lib_filetrans(kubeadm_t, kubernetes_var_lib_t, dir) + +allow kubeadm_t kubernetes_home_t:dir search_dir_perms; +allow kubeadm_t kubernetes_home_t:file read_file_perms; +allow kubeadm_t kubernetes_home_t:lnk_file read_lnk_file_perms; + +corenet_tcp_bind_generic_node(kubeadm_t) + +corenet_tcp_connect_http_port(kubeadm_t) +corenet_tcp_bind_kubernetes_port(kubeadm_t) +corenet_tcp_connect_kubernetes_port(kubeadm_t) + +corecmd_getattr_all_executables(kubeadm_t) +corecmd_exec_bin(kubeadm_t) + +domain_use_interactive_fds(kubeadm_t) + +files_read_boot_files(kubeadm_t) +files_read_etc_files(kubeadm_t) + +fs_getattr_tmpfs(kubeadm_t) +fs_getattr_xattr_fs(kubeadm_t) +fs_getattr_cgroup(kubeadm_t) +fs_search_cgroup_dirs(kubeadm_t) +fs_read_cgroup_files(kubeadm_t) + +kernel_read_network_state(kubeadm_t) +kernel_read_system_state(kubeadm_t) +kernel_read_net_sysctls(kubeadm_t) +kernel_read_kernel_sysctls(kubeadm_t) +kernel_dontaudit_getattr_proc(kubeadm_t) + +auth_use_nsswitch(kubeadm_t) + +init_read_state(kubeadm_t) +init_write_runtime_socket(kubeadm_t) + +logging_search_logs(kubeadm_t) + +miscfiles_read_generic_certs(kubeadm_t) +miscfiles_read_localization(kubeadm_t) + +userdom_search_user_home_content(kubeadm_t) +userdom_use_user_terminals(kubeadm_t) +userdom_lock_user_terminals(kubeadm_t) + +# getattr on /run/docker.sock +container_getattr_runtime_sock_files(kubeadm_t) +# for connecting to cri-o and maybe others +container_stream_connect_system_engine(kubeadm_t) + +container_list_var_lib(kubeadm_t) +container_manage_var_lib_dirs(kubeadm_t) +container_manage_var_lib_files(kubeadm_t) +container_manage_dirs(kubeadm_t) +container_manage_files(kubeadm_t) +container_manage_lnk_files(kubeadm_t) +container_manage_sock_files(kubeadm_t) + +ifdef(`init_systemd',` + init_get_system_status(kubeadm_t) + init_reload(kubeadm_t) + + 
init_get_generic_units_status(kubeadm_t) + + kubernetes_get_unit_status(kubeadm_t) + kubernetes_start_unit(kubeadm_t) + kubernetes_stop_unit(kubeadm_t) + + systemd_list_journal_dirs(kubeadm_t) + systemd_read_journal_files(kubeadm_t) +') + +optional_policy(` + docker_domtrans_cli(kubeadm_t) + docker_read_state(kubeadm_t) +') diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 32e1697d63..838ab2a420 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -162,6 +162,24 @@ interface(`iptables_manage_config',` manage_files_pattern($1, iptables_conf_t, iptables_conf_t) ') +######################################## +## +## Get the attributes of iptables runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_getattr_runtime_files',` + gen_require(` + type iptables_runtime_t; + ') + + allow $1 iptables_runtime_t:file getattr; +') + ######################################## ## ## dontaudit reading iptables_runtime_t (Deprecated) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 9fcb3a09a6..5f9fb1a682 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -4292,6 +4292,25 @@ interface(`userdom_dontaudit_use_user_terminals',` dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') +######################################## +## +## Lock user TTYs and PTYs. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_lock_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 user_tty_device_t:chr_file lock; + allow $1 user_devpts_t:chr_file lock; +') + ######################################## ## ## Execute a shell in all user domains. This From f1718529d2c7eca00725a59e9cfb012240f3296f Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 10 May 2022 14:18:34 -0400 Subject: [PATCH 100/257] sysadm: allow running kubernetes 
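Review bot: In the kubeadm block of the kubernetes.te hunk (which begins on the line carrying the `@@ -0,0 +1,292 @@` header), kubeadm_t gets `manage_dirs_pattern`/`manage_files_pattern` on kubernetes_config_t but, unlike the kubelet block with its `files_etc_filetrans(kubelet_t, kubernetes_config_t, dir)`, no type transition for creating the /etc/kubernetes directory itself. If kubeadm init is what creates /etc/kubernetes on a fresh node, the directory will come up as etc_t and kubeadm_t — which otherwise only has `files_read_etc_files` — will be denied writing its manifests and pki into it until something relabels; `files_etc_filetrans(kubeadm_t, kubernetes_config_t, dir)` next to the existing var_lib transition would close that gap.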
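Review bot: The parameter summary for `userdom_lock_user_terminals` in the userdomain.if hunk reads `Domain to not audit.`, the wording reserved for dontaudit interfaces, but the body is two `allow` rules; the line should read `## Domain allowed access.` like the other allow interfaces in that file. The xdg.if hunk later in the series (`xdg_dontaudit_search_config_dirs`) makes the opposite mistake — a `dontaudit` body documented with `Domain allowed access.` — and should read `## Domain to not audit.`; both look like copy-paste carry-over from the neighbouring interface.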
Signed-off-by: Kenton Groombridge --- policy/modules/roles/sysadm.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index bb715a847f..fb34f94533 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -550,6 +550,10 @@ optional_policy(` ksmtuned_admin(sysadm_t, sysadm_r) ') +optional_policy(` + kubernetes_admin(sysadm_t, sysadm_r) +') + optional_policy(` l2tp_admin(sysadm_t, sysadm_r) ') From 12590a88d654772cb98a86e0a29f27ff0b970850 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 16 May 2022 10:00:01 -0400 Subject: [PATCH 101/257] crio: new policy module Signed-off-by: Kenton Groombridge --- policy/modules/kernel/corecommands.if | 32 ++++-- policy/modules/kernel/files.if | 18 ++++ policy/modules/services/container.fc | 3 + policy/modules/services/crio.fc | 1 + policy/modules/services/crio.if | 1 + policy/modules/services/crio.te | 106 +++++++++++++++++++ policy/modules/services/kubernetes.if | 147 ++++++++++++++++++++++++++ policy/modules/services/podman.if | 16 ++- policy/modules/system/miscfiles.if | 19 ++++ policy/modules/system/xdg.if | 19 ++++ 10 files changed, 345 insertions(+), 17 deletions(-) create mode 100644 policy/modules/services/crio.fc create mode 100644 policy/modules/services/crio.if create mode 100644 policy/modules/services/crio.te diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 231aa69d9a..fd334915a9 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if 
@@ -126,25 +126,25 @@ interface(`corecmd_list_bin',` ######################################## ## -## Do not audit attempts to write bin directories. +## Watch bin directories. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`corecmd_dontaudit_write_bin_dirs',` +interface(`corecmd_watch_bin_dirs', ` gen_require(` type bin_t; ') - dontaudit $1 bin_t:dir write; + allow $1 bin_t:dir watch; ') ######################################## ## -## Watch bin directories. +## Mount on bin directories. ## ## ## @@ -152,12 +152,30 @@ interface(`corecmd_dontaudit_write_bin_dirs',` ## ## # -interface(`corecmd_watch_bin_dirs',` +interface(`corecmd_mounton_bin_dirs', ` gen_require(` type bin_t; ') - allow $1 bin_t:dir watch; + allow $1 bin_t:dir mounton; +') + +######################################## +## +## Do not audit attempts to write bin directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`corecmd_dontaudit_write_bin_dirs',` + gen_require(` + type bin_t; + ') + + dontaudit $1 bin_t:dir write; ') ######################################## diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index f7217b2261..ab59540423 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4512,6 +4512,24 @@ interface(`files_relabel_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; ') +######################################## +## +## Mount on kernel module directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_kernel_modules_dirs',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir mounton; +') + ######################################## ## ## Create objects in the kernel module directories diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc index 0f6813e72d..b8d06cd55a 100644 --- a/policy/modules/services/container.fc +++ b/policy/modules/services/container.fc 
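Review bot: The two new interface headers are written `interface(`corecmd_watch_bin_dirs', `` and `interface(`corecmd_mounton_bin_dirs', `` with a space after the comma, while every other interface in this file — including the `corecmd_dontaudit_write_bin_dirs` header re-added at the bottom of the hunk — uses the `',`` form; dropping the space keeps the file consistent and greppable. The hunk also relocates the unchanged `corecmd_dontaudit_write_bin_dirs` below the watch/mounton pair, turning a small addition into a reorder that rewrites an untouched interface; inserting `corecmd_mounton_bin_dirs` after `corecmd_watch_bin_dirs` in place would reduce the diff to just the new block.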
@@ -67,6 +67,8 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containers/storage/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0) +/var/lib/crio(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) + /var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker/.*/config\.env -- gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/containers/.*/.*\.log -- gen_context(system_u:object_r:container_log_t,s0) @@ -89,4 +91,5 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /var/lib/kubelet/plugins_registry(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/crio(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) diff --git a/policy/modules/services/crio.fc b/policy/modules/services/crio.fc new file mode 100644 index 0000000000..abc7f515a1 --- /dev/null +++ b/policy/modules/services/crio.fc @@ -0,0 +1 @@ +/usr/bin/crio -- gen_context(system_u:object_r:crio_exec_t,s0) diff --git a/policy/modules/services/crio.if b/policy/modules/services/crio.if new file mode 100644 index 0000000000..32794faccf --- /dev/null +++ b/policy/modules/services/crio.if @@ -0,0 +1 @@ +## policy for cri-o diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te new file mode 100644 index 0000000000..be112ea77b --- /dev/null +++ b/policy/modules/services/crio.te 
@@ -0,0 +1,106 @@ +policy_module(crio) + +######################################## +# +# Declarations +# + +container_engine_domain_template(crio) +container_system_engine(crio_t) +type crio_exec_t; +container_engine_executable_file(crio_exec_t) +application_domain(crio_t, crio_exec_t) +init_daemon_domain(crio_t, crio_exec_t) +ifdef(`enable_mls',` + init_ranged_daemon_domain(crio_t, crio_exec_t, s0 - mls_systemhigh) +') +mls_trusted_object(crio_t) + +podman_conmon_domain_template(crio, crio_t) +role system_r types crio_conmon_t; + +######################################## +# +# crio local policy +# + +allow crio_t crio_conmon_t:process sigkill; + +corecmd_mounton_bin_dirs(crio_t) + +dev_dontaudit_getattr_generic_chr_files(crio_t) + +files_mounton_kernel_modules_dirs(crio_t) +# mounts on /etc/ca-certificates +files_mounton_etc_dirs(crio_t) +# watch /usr/share/containers/oci/hooks.d +files_watch_usr_dirs(crio_t) + +kernel_dgram_send(crio_t) +kernel_read_irq_sysctls(crio_t) + +auth_use_nsswitch(crio_t) + +iptables_mounton_runtime_files(crio_t) + +miscfiles_mounton_generic_cert_dirs(crio_t) + +# tries to search for /root/.config/containers/registries.conf +xdg_dontaudit_search_config_dirs(crio_t) + +container_watch_config_dirs(crio_t) + +# Ensure conmon runs in s0 so that it can talk to the container +podman_spec_rangetrans_conmon(crio_t, s0) + +kubernetes_search_var_lib(crio_t) +kubernetes_search_config(crio_t) +kubernetes_mounton_config_dirs(crio_t) +kubernetes_mounton_config_files(crio_t) +kubernetes_search_var_lib(crio_t) +kubernetes_mounton_var_lib_dirs(crio_t) + +# kubelet creates tmpfs files that CRI-O will +# relabel to container_file_t +kubernetes_list_tmpfs(crio_t) +kubernetes_relabelfrom_tmpfs_dirs(crio_t) +kubernetes_relabelfrom_tmpfs_files(crio_t) +kubernetes_relabelfrom_tmpfs_symlinks(crio_t) + +optional_policy(` + fstools_domtrans(crio_t) +') + +######################################## +# +# crio conmon local policy +# + +allow crio_conmon_t 
self:capability { sys_ptrace sys_resource }; + +fs_list_cgroup_dirs(crio_conmon_t) + +init_rw_inherited_stream_socket(crio_conmon_t) +init_use_fds(crio_conmon_t) + +container_getpgid_all_containers(crio_conmon_t) +container_kill_all_containers(crio_conmon_t) +container_read_all_container_state(crio_conmon_t) + +# crio logs are tmp files +container_manage_engine_tmp_files(crio_conmon_t) +container_manage_engine_tmp_sock_files(crio_conmon_t) +container_engine_tmp_filetrans(crio_conmon_t, { file sock_file }) + +container_manage_runtime_files(crio_conmon_t) +container_manage_runtime_lnk_files(crio_conmon_t) +container_manage_runtime_fifo_files(crio_conmon_t) +container_manage_runtime_sock_files(crio_conmon_t) + +container_search_var_lib(crio_conmon_t) +container_manage_var_lib_files(crio_conmon_t) +container_manage_var_lib_fifo_files(crio_conmon_t) +container_manage_var_lib_sock_files(crio_conmon_t) + +container_create_log_files(crio_conmon_t) +container_append_log_files(crio_conmon_t) diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index a704341cb1..3931d81bb1 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if 
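Review bot: `kubernetes_search_var_lib(crio_t)` appears twice in the crio local policy block of the crio.te hunk (which begins on the previous line); the second call is redundant and should be dropped. `iptables_mounton_runtime_files(crio_t)` is called, but no hunk in this patch defines it and the diffstat does not list iptables.if, so unless it already exists upstream the module will fail to build — worth a check before merging. `mls_trusted_object(crio_t)` relaxes the MLS level constraints on crio_t objects yet carries no comment, unlike the `podman_spec_rangetrans_conmon` line below it; a one-line comment naming what needs the cross-level access (presumably containers at other levels reaching the engine) would spare the next reviewer the guess.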
@@ -92,6 +92,61 @@ interface(`kubernetes_run_kubeadm',` kubernetes_domtrans_kubeadm($1) ') +######################################## +## +## Search kubernetes config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_search_config',` + gen_require(` + type kubernetes_config_t; + ') + + files_search_etc($1) + allow $1 kubernetes_config_t:dir search_dir_perms; +') + +######################################## +## +## Mount on kubernetes config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_mounton_config_dirs',` + gen_require(` + type kubernetes_config_t; + ') + + allow $1 kubernetes_config_t:dir mounton; +') + +######################################## +## +## Mount on kubernetes config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_mounton_config_files',` + gen_require(` + type kubernetes_config_t; + ') + + allow $1 kubernetes_config_t:file mounton; +') + ######################################## ## ## Search kubernetes directories in /var/lib. 
@@ -111,6 +166,98 @@ interface(`kubernetes_search_var_lib',` allow $1 kubernetes_var_lib_t:dir search_dir_perms; ') +######################################## +## +## Mount on kubernetes directories in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_mounton_var_lib_dirs',` + gen_require(` + type kubernetes_var_lib_t; + ') + + allow $1 kubernetes_var_lib_t:dir mounton; +') + +######################################## +## +## List the contents of kubernetes tmpfs +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_list_tmpfs',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:dir list_dir_perms; +') + +######################################## +## +## Relabel directories from the kubernetes +## tmpfs type. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_relabelfrom_tmpfs_dirs',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:dir relabelfrom; +') + +######################################## +## +## Relabel files from the kubernetes tmpfs type. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_relabelfrom_tmpfs_files',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:file relabelfrom; +') + +######################################## +## +## Relabel symlinks from the kubernetes tmpfs type. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_relabelfrom_tmpfs_symlinks',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:lnk_file relabelfrom; +') + ######################################## ## ## Get the status of kubernetes systemd units. diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if index 09b4f0318b..2fd891b544 100644 --- a/policy/modules/services/podman.if +++ b/policy/modules/services/podman.if 
@@ -261,7 +261,7 @@ interface(`podman_spec_rangetrans_conmon',` ######################################## ## -## Read and write podman conmon unnamed pipes. +## Read and write conmon unnamed pipes. ## ## ## @@ -271,18 +271,16 @@ interface(`podman_spec_rangetrans_conmon',` # interface(`podman_rw_conmon_pipes',` gen_require(` - type podman_conmon_t; - type podman_user_conmon_t; + attribute conmon_domain; ') - allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms; - allow $1 podman_user_conmon_t:fifo_file rw_fifo_file_perms; + allow $1 conmon_domain:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Allow the specified domain to inherit -## file descriptors from podman conmon. +## and use file descriptors from conmon. ## ## ## @@ -292,12 +290,10 @@ interface(`podman_rw_conmon_pipes',` # interface(`podman_use_conmon_fds',` gen_require(` - type podman_conmon_t; - type podman_user_conmon_t; + attribute conmon_domain; ') - allow $1 podman_conmon_t:fd use; - allow $1 podman_user_conmon_t:fd use; + allow $1 conmon_domain:fd use; ') ######################################## diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 1339c011eb..6a3e8cfbdf 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -190,6 +190,25 @@ interface(`miscfiles_manage_generic_cert_files',` read_lnk_files_pattern($1, cert_t, cert_t) ') +######################################## +## +## Mount on generic SSL/TLS certificate directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_mounton_generic_cert_dirs',` + gen_require(` + type cert_t; + ') + + allow $1 cert_t:dir mounton; +') + ######################################## ## ## Read generic SSL/TLS private diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if index f8030172ad..92f2eedf20 100644 --- a/policy/modules/system/xdg.if +++ b/policy/modules/system/xdg.if 
@@ -369,6 +369,25 @@ interface(`xdg_search_config_dirs',` userdom_search_user_home_dirs($1) ') +######################################## +## +## Do not audit attempts to search through the +## xdg config home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xdg_dontaudit_search_config_dirs',` + gen_require(` + type xdg_config_t; + ') + + dontaudit $1 xdg_config_t:dir search_dir_perms; +') + ######################################## ## ## Watch the xdg config home directories From 16a928df4e53ab683aa4c4152294925e7d9bfa92 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 17 May 2022 11:14:43 -0400 Subject: [PATCH 102/257] crio, kubernetes: allow k8s admins to run CRI-O Signed-off-by: Kenton Groombridge --- policy/modules/services/crio.if | 79 +++++++++++++++++++++++++++ policy/modules/services/kubernetes.if | 4 ++ 2 files changed, 83 insertions(+) diff --git a/policy/modules/services/crio.if b/policy/modules/services/crio.if index 32794faccf..860489bcfe 100644 --- a/policy/modules/services/crio.if +++ b/policy/modules/services/crio.if 
@@ -1 +1,80 @@ ## policy for cri-o + +####################################### +## +## Execute CRI-O in the crio domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`crio_domtrans',` + gen_require(` + type crio_t, crio_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, crio_exec_t, crio_t) +') + +######################################## +## +## Execute CRI-O in the crio domain, +## and allow the specified role the +## kubelet domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to be allowed the crio domain. +## +## +# +interface(`crio_run',` + gen_require(` + type crio_t; + ') + + role $2 types crio_t; + + crio_domtrans($1) +') + +####################################### +## +## All of the rules required to administrate +## a CRI-O environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`crio_admin',` + gen_require(` + type crio_t; + type crio_conmon_t; + ') + + allow $1 crio_t:process { ptrace signal_perms }; + ps_process_pattern($1, crio_t) + + allow $1 crio_conmon_t:process { ptrace signal_perms }; + ps_process_pattern($1, crio_conmon_t) + + # no private type for crictl, so connect directly + container_stream_connect_system_engine($1) +') diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index 3931d81bb1..5520c1daf9 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if @@ -382,4 +382,8 @@ interface(`kubernetes_admin',` logging_search_logs($1) admin_pattern($1, kubernetes_log_t) + + optional_policy(` + crio_admin($1, $2) + ') ') From 466ea4b323872072e2bbfe60c16116c0ffa4cca4 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 7 Jun 2022 16:07:58 -0400 Subject: [PATCH 103/257] container: add type for container plugins 
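Review bot: crio_admin documents a role parameter and kubernetes_admin passes `$2` to it in the next hunk, but the body never uses `$2`, and nothing in it grants a domain transition, so the commit subject "allow k8s admins to run CRI-O" is not what the interface does — it grants ptrace, signals and /proc reads on crio_t and crio_conmon_t plus a stream connect. If running CRI-O is intended, add `crio_run($1, $2)` to the body; if not, drop the role parameter and its doc block and adjust the subject. The crio_run summary also has a copy-paste error: it says "allow the specified role the kubelet domain" where it should read `## and allow the specified role the crio domain.`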
Signed-off-by: Kenton Groombridge --- policy/modules/services/container.fc | 2 + policy/modules/services/container.if | 59 ++++++++++++++++++++++++++++ policy/modules/services/container.te | 6 +++ 3 files changed, 67 insertions(+) diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc index b8d06cd55a..feb2efd5b6 100644 --- a/policy/modules/services/container.fc +++ b/policy/modules/services/container.fc @@ -30,6 +30,8 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /usr/sbin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0) +/opt/cni(/.*)? gen_context(system_u:object_r:container_plugin_t,s0) + /etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index ba1e56b448..fe9010ceb7 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if 
@@ -772,6 +772,65 @@ interface(`container_mountpoint',` typeattribute $1 container_mountpoint_type; ') +######################################## +## +## Allow the specified domain to +## list the contents of container +## plugin directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_list_plugins',` + gen_require(` + type container_plugin_t; + ') + + allow $1 container_plugin_t:dir list_dir_perms; +') + +######################################## +## +## Allow the specified domain to +## manage container plugin files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_plugin_files',` + gen_require(` + type container_plugin_t; + ') + + allow $1 container_plugin_t:file manage_file_perms; +') + +######################################## +## +## Allow the specified domain to +## execute container plugins. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_exec_plugins',` + gen_require(` + type container_plugin_t; + ') + + container_list_plugins($1) + can_exec($1, container_plugin_t) +') + ######################################## ## ## Allow the specified domain to diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index ac1bf04691..f02507ce2e 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -135,6 +135,12 @@ logging_log_file(container_log_t) type container_devpts_t; term_pty(container_devpts_t) +type container_plugin_t; +corecmd_executable_file(container_plugin_t) +optional_policy(` + kubernetes_mountpoint(container_plugin_t) +') + type container_file_t alias svirt_lxc_file_t; dev_node(container_file_t) files_mountpoint(container_file_t) From 141971a2910835c6c3b975389a4c5ebb8034131b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 7 Jun 2022 16:05:26 -0400 Subject: [PATCH 104/257] various: fixes for kubernetes 
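Review bot: container_manage_plugin_files grants manage_file_perms on container_plugin_t, which the container.te hunk in this same patch declares with corecmd_executable_file, so any domain given this interface can rewrite binaries that container_exec_plugins callers then execute; the summary should say so, e.g. `## Manage container plugin files. Plugins are executables run by container engines, so this is effectively code execution in every domain that can exec them.` Separately, `allow $1 container_plugin_t:file manage_file_perms;` gives no directory permissions, so creating or unlinking a plugin will still be denied on the directory; the @@ -808 hunk of PATCH 104 already replaces it with `manage_files_pattern($1, container_plugin_t, container_plugin_t)`, and squashing that into this commit would keep the series bisectable.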
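Review bot: The container.te hunk calls `kubernetes_mountpoint(container_plugin_t)` inside optional_policy, but that interface is only introduced by PATCH 104 (the kubernetes.if @@ -92 hunk), so as far as I can tell a build of the series at PATCH 103 would fail on an undefined interface even though the call is optional. Either move this optional_policy block into PATCH 104 or reorder the two patches. The interface definition is outside this hunk, so I cannot confirm it does not exist in some earlier form.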
Signed-off-by: Kenton Groombridge --- policy/modules/kernel/corecommands.if | 36 +++ policy/modules/kernel/devices.te | 4 + policy/modules/kernel/filesystem.if | 72 +++++ policy/modules/kernel/filesystem.te | 4 + policy/modules/kernel/kernel.if | 19 ++ policy/modules/services/container.fc | 21 +- policy/modules/services/container.if | 371 +++++++++++++++++++++++++- policy/modules/services/container.te | 74 ++++- policy/modules/services/crio.if | 19 ++ policy/modules/services/crio.te | 9 +- policy/modules/services/docker.te | 3 + policy/modules/services/kubernetes.fc | 13 +- policy/modules/services/kubernetes.if | 313 ++++++++++++++++++++-- policy/modules/services/kubernetes.te | 156 ++++++++--- policy/modules/system/init.te | 12 + policy/modules/system/iptables.if | 55 ++++ policy/modules/system/iptables.te | 1 + policy/modules/system/mount.te | 5 + policy/modules/system/udev.te | 3 + 19 files changed, 1119 insertions(+), 71 deletions(-) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index fd334915a9..9458fddc81 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -407,6 +407,42 @@ interface(`corecmd_mmap_bin_files',` mmap_exec_files_pattern($1, bin_t, bin_t) ') +######################################## +## +## Create objects in bin directories +## with an automatic transition to a +## private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object being created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`corecmd_bin_filetrans',` + gen_require(` + type bin_t; + ') + + corecmd_search_bin($1) + filetrans_pattern($1, bin_t, $2, $3, $4) +') + ######################################## ## ## Execute a file in a bin directory diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 5e2c77cbb4..e899362d06 100644 
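Review bot: corecmd_bin_filetrans is documented as "Create objects in bin directories", but `filetrans_pattern($1, bin_t, $2, $3, $4)` in refpolicy expands, as far as I recall, to rw_dir_perms on bin_t, so the caller also gains the ability to add and remove arbitrary names in every bin directory, not just create the named object. That is a write path into system executable directories and should be stated in the summary, e.g. `## Create objects in bin directories with an automatic transition to a private type. This also grants write access to bin directories, so it should be limited to installers.` No caller appears in this hunk, so I cannot tell which domain needs it.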
--- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -22,6 +22,10 @@ files_associate_tmp(device_t) fs_xattr_type(device_t) fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); +optional_policy(` + container_mountpoint(device_t) +') + optional_policy(` systemd_tmpfilesd_managed(device_t) ') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5f6ecece62..9a30e95140 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -659,6 +659,60 @@ interface(`fs_register_binary_executable_type',` rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t) ') +######################################## +## +## Mount a bpf filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mount_bpf',` + gen_require(` + type bpf_t; + ') + + allow $1 bpf_t:filesystem mount; +') + +######################################## +## +## Create bpf directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_bpf_dirs',` + gen_require(` + type bpf_t; + ') + + create_dirs_pattern($1, bpf_t, bpf_t) +') + +######################################## +## +## Manage bpf files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_bpf_files',` + gen_require(` + type bpf_t; + ') + + manage_files_pattern($1, bpf_t, bpf_t) +') + ######################################## ## ## Mount cgroup filesystems. @@ -5085,6 +5139,24 @@ interface(`fs_relabel_tmpfs_dirs',` relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ') +######################################## +## +## Watch directories on tmpfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_watch_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir watch; +') + ######################################## ## ## Create an object in a tmpfs filesystem, with a private 
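Review bot: The devices.te hunk lets every container_mountpoint domain mount over device_t, i.e. over /dev and its nodes, with no comment saying which component needs it or for what (a tmpfs on /dev for pods, or something narrower). Because mounting over the host device directory is a privileged operation, a why-comment such as `# kubelet/CRI-O mount over /dev when setting up pod sandboxes` inside the optional_policy block would let the next reader judge whether the grant is still needed. The set of domains carrying the attribute is outside this hunk, so I cannot tell how broad the grant is in practice.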
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 632905dda8..c56678135b 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -77,6 +77,10 @@ files_mountpoint(bpf_t) dev_associate_sysfs(bpf_t) genfscon bpf / gen_context(system_u:object_r:bpf_t,s0) +optional_policy(` + kubernetes_mountpoint(bpf_t) +') + type capifs_t; fs_type(capifs_t) files_mountpoint(capifs_t) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 966e49b658..f35cccaff6 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -109,6 +109,25 @@ interface(`kernel_rootfs_mountpoint',` allow kernel_t $1:dir mounton; ') +######################################## +## +## Read the process state (/proc/pid) +## of kernel threads. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_state',` + gen_require(` + type kernel_t; + ') + + ps_process_pattern($1, kernel_t) +') + ######################################## ## ## Set the process group of kernel threads. diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc index feb2efd5b6..29a02b1d32 100644 --- a/policy/modules/services/container.fc +++ b/policy/modules/services/container.fc 
@@ -47,6 +47,11 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /run/containerd(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) /run/containerd/[^/]+/sandboxes/[^/]+/shm(/.*)? gen_context(system_u:object_r:container_engine_tmpfs_t,s0) +/run/ipcns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) +/run/pidns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) +/run/userns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) +/run/utsns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) + /run/user/%{USERID}/netns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) /var/cache/containers(/.*)? gen_context(system_u:object_r:container_engine_cache_t,s0) 
@@ -81,17 +86,29 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0) -/var/lib/etcd(/.*)? gen_context(system_u:object_r:container_file_t,s0) - /var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/containerd/[^/]+/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/containerd/[^/]+/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/kubelet/device-plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet/plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet/plugins_registry(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/lib/calico(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/lib/etcd(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:container_file_t,s0) + /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/crio(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) + +/var/log/kubelet(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/kubernetes(/.*)? gen_context(system_u:object_r:container_log_t,s0) + +/var/log/calico(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/kube-proxy(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/kube-scheduler(/.*)? 
gen_context(system_u:object_r:container_log_t,s0) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index fe9010ceb7..8c9f6cbe6d 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -460,6 +460,26 @@ interface(`container_runtime_named_socket_activation',` init_named_socket_activation($1, container_runtime_t) ') +######################################## +## +## Allow the specified domain to search +## container engine temporary directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_search_engine_tmp',` + gen_require(` + type container_engine_tmp_t; + ') + + files_search_tmp($1) + allow $1 container_engine_tmp_t:dir search_dir_perms; +') + ######################################## ## ## Allow the specified domain to manage @@ -476,7 +496,7 @@ interface(`container_manage_engine_tmp_files',` type container_engine_tmp_t; ') - files_search_tmp($1) + container_search_engine_tmp($1) allow $1 container_engine_tmp_t:file manage_file_perms; ') @@ -496,7 +516,7 @@ interface(`container_manage_engine_tmp_sock_files',` type container_engine_tmp_t; ') - files_search_tmp($1) + container_search_engine_tmp($1) allow $1 container_engine_tmp_t:sock_file manage_sock_file_perms; ') @@ -531,6 +551,25 @@ interface(`container_engine_tmp_filetrans',` files_tmp_filetrans($1, container_engine_tmp_t, $2, $3) ') +######################################## +## +## Read the process state (/proc/pid) +## of all containers. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_all_container_state',` + gen_require(` + attribute container_domain; + ') + + ps_process_pattern($1, container_domain) +') + ######################################## ## ## Read the process state (/proc/pid) 
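Review bot: The container.fc hunk moves /var/lib/etcd, /var/lib/calico and /var/lib/kube-proxy from the dedicated kubernetes_var_lib_t to container_file_t, the generic container volume type; if, as in the existing container policy, every container_domain can manage container_file_t, then separation between the etcd data directory (which holds cluster state and secrets) and ordinary pod volumes rests only on MCS categories and DAC. A private type, or at least a comment explaining why the shared type is acceptable here, e.g. `# etcd/calico/kube-proxy run as pods and need their state dirs as container volumes`, would make the decision reviewable. The kubernetes.fc hunk in this patch removes the old labels, so this is the only place the choice is recorded.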
@@ -569,6 +608,25 @@ interface(`container_read_user_container_state',` ps_process_pattern($1, container_user_domain) ') +######################################## +## +## Read the process state (/proc/pid) +## of all container engines. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_all_container_engine_state',` + gen_require(` + attribute container_engine_domain; + ') + + ps_process_pattern($1, container_engine_domain) +') + ######################################## ## ## All of the permissions necessary @@ -697,6 +755,46 @@ interface(`container_stream_connect_all_containers',` allow $1 container_runtime_t:sock_file read_sock_file_perms; ') +######################################## +## +## Connect to the specified container +## domain over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_stream_connect_spec_container',` + gen_require(` + type container_runtime_t; + ') + + files_search_runtime($1) + stream_connect_pattern($1, container_runtime_t, container_runtime_t, $2) + allow $1 container_runtime_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Allow the specified domain to +## send a kill signal to all containers. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_kill_all_containers',` + gen_require(` + attribute container_domain; + ') + + allow $1 container_domain:process sigkill; +') + ######################################## ## ## Allow the specified domain to 
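Review bot: container_stream_connect_spec_container uses `$2` as the target container domain in `stream_connect_pattern($1, container_runtime_t, container_runtime_t, $2)`, but its doc block documents only one parameter, so the generated interface documentation will be wrong; add a second param block reading `## The container domain to connect to.` The parameter description on container_kill_all_containers says "Domain allowed to transition." where the interface grants sigkill, not a transition, and container_getpgid_all_containers in the next hunk (@@ -717) repeats the same copy-paste; both should read `## Domain allowed access.`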
@@ -717,6 +815,26 @@ interface(`container_signal_all_containers',` allow $1 container_domain:process signal_perms; ') +######################################## +## +## Allow the specified domain to +## get the process group ID of all +## containers. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_getpgid_all_containers',` + gen_require(` + attribute container_domain; + ') + + allow $1 container_domain:process getpgid; +') + ######################################## ## ## Set the attributes of container ptys. @@ -808,7 +926,7 @@ interface(`container_manage_plugin_files',` type container_plugin_t; ') - allow $1 container_plugin_t:file manage_file_perms; + manage_files_pattern($1, container_plugin_t, container_plugin_t) ') ######################################## @@ -889,6 +1007,25 @@ interface(`container_create_config_files',` create_files_pattern($1, container_config_t, container_config_t) ') +######################################## +## +## Allow the specified domain to read +## and write container config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_config_files',` + gen_require(` + type container_config_t; + ') + + rw_files_pattern($1, container_config_t, container_config_t) +') + ######################################## ## ## Allow the specified domain to @@ -1062,6 +1199,25 @@ interface(`container_manage_lnk_files',` manage_lnk_files_pattern($1, container_file_t, container_file_t) ') +######################################## +## +## Allow the specified domain to +## read and write container fifo files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_fifo_files',` + gen_require(` + type container_file_t; + ') + + rw_fifo_files_pattern($1, container_file_t, container_file_t) +') + ######################################## ## ## Allow the specified domain to 
@@ -1740,6 +1896,25 @@ interface(`container_manage_var_lib_dirs',` manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t) ') +######################################## +## +## Allow the specified domain to read +## container files in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_var_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + read_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + ######################################## ## ## Allow the specified domain to manage @@ -1778,6 +1953,25 @@ interface(`container_manage_var_lib_fifo_files',` manage_fifo_files_pattern($1, container_var_lib_t, container_var_lib_t) ') +######################################## +## +## Allow the specified domain to manage +## container symlinks in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_var_lib_lnk_files',` + gen_require(` + type container_var_lib_t; + ') + + manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + ######################################## ## ## Allow the specified domain to manage 
@@ -1797,6 +1991,68 @@ interface(`container_manage_var_lib_sock_files',` manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t) ') +######################################## +## +## Allow the specified domain to create +## objects in /var/lib with an automatic +## transition to the container var lib type. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_var_lib_filetrans',` + gen_require(` + type container_var_lib_t; + ') + + files_var_lib_filetrans($1, container_var_lib_t, $2, $3) +') + +######################################## +## +## Allow the specified domain to create +## objects in container /var/lib directories +## with an automatic transition to the +## container file type. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_filetrans_var_lib_file',` + gen_require(` + type container_var_lib_t; + type container_file_t; + ') + + filetrans_pattern($1, container_var_lib_t, container_file_t, $2, $3) +') + ######################################## ## ## Allow the specified domain to create 
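Review bot: The two new interfaces follow different naming orders — `container_var_lib_filetrans` versus `container_filetrans_var_lib_file` — and the second name does not reveal that the target type is container_file_t, so a reader cannot tell from the call site what label the created object ends up with. Keeping both in the module_type_filetrans form, or making the second generic by taking the private type as its second argument the way files_var_lib_filetrans does, would be more consistent with the rest of this file. This is a style point only; the rules themselves look correct.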
@@ -1830,6 +2086,64 @@ interface(`container_unlabeled_var_lib_filetrans',` kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3) ') +######################################## +## +## Allow the specified domain to search +## container log file directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_search_logs',` + gen_require(` + type container_log_t; + ') + + logging_search_logs($1) + allow $1 container_log_t:dir search_dir_perms; +') + +######################################## +## +## Allow the specified domain to list +## the contents of container log directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_list_log_dirs',` + gen_require(` + type container_log_t; + ') + + allow $1 container_log_t:dir list_dir_perms; +') + +######################################## +## +## Allow the specified domain to create +## container log file directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_create_log_dirs',` + gen_require(` + type container_log_t; + ') + + allow $1 container_log_t:dir create_dir_perms; +') + ######################################## ## ## Allow the specified domain to manage @@ -1849,6 +2163,25 @@ interface(`container_manage_log_dirs',` allow $1 container_log_t:dir manage_dir_perms; ') +######################################## +## +## Allow the specified domain to watch +## container log file directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_watch_log_dirs',` + gen_require(` + type container_log_t; + ') + + allow $1 container_log_t:dir watch; +') + ######################################## ## ## Allow the specified domain to create 
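Review bot: container_search_logs calls `logging_search_logs($1)` before granting search on container_log_t, but container_list_log_dirs and container_create_log_dirs in the same hunk grant their directory permissions without any search on the parent log directory, so a caller using only one of them will still be denied unless it already has /var/log search from elsewhere. For consistency with container_search_logs and with container_log_filetrans in the next hunk, add `logging_search_logs($1)` to both. The existing container_manage_log_dirs body is outside the hunk, so I cannot tell which convention it follows.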
@@ -1906,6 +2239,38 @@ interface(`container_manage_log_files',` manage_files_pattern($1, container_log_t, container_log_t) ') +######################################## +## +## Allow the specified domain to create +## objects in log directories with an +## automatic transition to the container +## log type. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_log_filetrans',` + gen_require(` + type container_log_t; + ') + + logging_search_logs($1) + logging_log_filetrans($1, container_log_t, $2, $3) +') + ######################################## ## ## Allow the specified domain to manage diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index f02507ce2e..527e9135a9 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -112,6 +112,9 @@ init_unit_file(container_unit_t) type container_config_t; files_config_file(container_config_t) +optional_policy(` + kubernetes_mountpoint(container_config_t) +') type container_var_lib_t; files_type(container_var_lib_t) @@ -131,6 +134,9 @@ container_mountpoint(container_runtime_t) type container_log_t; logging_log_file(container_log_t) +optional_policy(` + kubernetes_mountpoint(container_log_t) +') type container_devpts_t; term_pty(container_devpts_t) @@ -299,6 +305,14 @@ tunable_policy(`container_use_samba',` fs_exec_cifs_files(container_domain) ') +optional_policy(` + kubernetes_list_tmpfs(container_domain) + kubernetes_watch_tmpfs_dirs(container_domain) + kubernetes_watch_tmpfs_files(container_domain) + kubernetes_read_tmpfs_files(container_domain) + kubernetes_read_tmpfs_symlinks(container_domain) +') + optional_policy(` podman_rw_conmon_pipes(container_domain) podman_use_conmon_fds(container_domain) 
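Review bot: The container.te @@ -299 hunk gives every container_domain read, list and watch on kubernetes tmpfs files and symlinks, with no comment saying what lives on that tmpfs. If that type covers kubelet's per-pod tmpfs volumes (secret and projected volumes are normally tmpfs), then one pod's ability to read another pod's mounted secrets depends only on MCS categories; if it covers something else, the block should say so. Suggest a why-comment such as `# pods need to read the kubelet tmpfs volumes projected into them` and, if the tmpfs is per-pod, confirming that MCS separation is in force for these files. The kubernetes tmpfs type definition is outside this hunk.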
@@ -756,11 +770,58 @@ domtrans_pattern(container_engine_system_domain, container_file_t, spc_t) domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t) domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t) +allow spc_t self:process setrlimit; +allow spc_t self:capability { sys_admin sys_resource }; +allow spc_t self:capability2 { bpf perfmon }; +allow spc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow spc_t self:netlink_generic_socket create_socket_perms; +allow spc_t self:netlink_netfilter_socket create_socket_perms; +allow spc_t self:netlink_xfrm_socket create_socket_perms; + allow container_engine_system_domain spc_t:process { setsched signal_perms }; allow spc_t container_engine_system_domain:fifo_file rw_fifo_file_perms; +allow spc_t container_runtime_t:dir { manage_dir_perms mounton }; +allow spc_t container_runtime_t:file manage_file_perms; +allow spc_t container_runtime_t:sock_file manage_sock_file_perms; + +dev_mounton_sysfs_dirs(spc_t) +dev_read_sysfs(spc_t) + +fs_read_nsfs_files(spc_t) +fs_mount_cgroup(spc_t) +fs_list_cgroup_dirs(spc_t) +fs_mount_bpf(spc_t) +fs_create_bpf_dirs(spc_t) +fs_manage_bpf_files(spc_t) +fs_list_tmpfs(spc_t) +fs_watch_tmpfs_dirs(spc_t) + +kernel_load_module(spc_t) +kernel_request_load_module(spc_t) +kernel_read_network_state(spc_t) + init_dbus_chat(spc_t) +init_run_bpf(spc_t) + +iptables_read_runtime_files(spc_t) + +modutils_read_module_deps(spc_t) + +container_list_plugins(spc_t) +container_manage_plugin_files(spc_t) + +container_create_config_files(spc_t) +container_rw_config_files(spc_t) + +container_list_log_dirs(spc_t) +container_create_log_dirs(spc_t) +container_manage_log_files(spc_t) + +container_manage_var_lib_dirs(spc_t) +container_manage_var_lib_files(spc_t) +allow spc_t container_var_lib_t:file map; optional_policy(` dbus_system_bus_client(spc_t) 
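Review bot: This hunk grants spc_t `kernel_load_module`, `kernel_request_load_module`, raw bpf map/program permissions, `capability2 { bpf perfmon }` and `capability { sys_admin sys_resource }` unconditionally, while the kubernetes-specific grants in the next hunk are wrapped in optional_policy; the next hunk's comment says these are for kubernetes control-plane pods, so the module-load and bpf rules belong in that optional block or behind a tunable rather than in the base spc_t policy. Module loading in particular turns a privileged container into kernel code execution on confined builds (on unconfined builds spc_t is already unconfined per the @@ -768 hunk), so a comment naming the workload that needs it, e.g. `# CNI/network pods load kernel modules and attach bpf programs`, is warranted. The hunk also gives spc_t container_manage_plugin_files, which with the plugin type being executable means a privileged pod can replace plugins the engine executes; that should be noted next to the rule.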
@@ -768,7 +829,18 @@ optional_policy(` ') optional_policy(` -# If unconfined domains are enabled, spc is also unconfined + # various kubernetes control plane pods run as privileged containers + kubernetes_watch_config_dirs(spc_t) + kubernetes_watch_config_files(spc_t) + kubernetes_list_plugins(spc_t) + kubernetes_watch_plugin_dirs(spc_t) + kubernetes_manage_plugin_files(spc_t) + + kubernetes_run_engine_bpf(spc_t) +') + +optional_policy(` + # If unconfined domains are enabled, spc is also unconfined unconfined_domain_noaudit(spc_t) domain_ptrace_all_domains(spc_t) ') diff --git a/policy/modules/services/crio.if b/policy/modules/services/crio.if index 860489bcfe..bdcf6dad7e 100644 --- a/policy/modules/services/crio.if +++ b/policy/modules/services/crio.if @@ -46,6 +46,25 @@ interface(`crio_run',` crio_domtrans($1) ') +######################################## +## +## Read the process state (/proc/pid) +## of CRI-O conmon. +## +## +## +## Domain allowed access. +## +## +# +interface(`crio_read_conmon_state',` + gen_require(` + type crio_conmon_t; + ') + + ps_process_pattern($1, crio_conmon_t) +') + ####################################### ## ## All of the rules required to administrate diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te index be112ea77b..dfe1ee5db1 100644 --- a/policy/modules/services/crio.te +++ b/policy/modules/services/crio.te @@ -7,6 +7,7 @@ policy_module(crio) container_engine_domain_template(crio) container_system_engine(crio_t) +kubernetes_container_engine(crio_t) type crio_exec_t; container_engine_executable_file(crio_exec_t) application_domain(crio_t, crio_exec_t) 
@@ -53,12 +54,9 @@ container_watch_config_dirs(crio_t) # Ensure conmon runs in s0 so that it can talk to the container podman_spec_rangetrans_conmon(crio_t, s0) -kubernetes_search_var_lib(crio_t) kubernetes_search_config(crio_t) kubernetes_mounton_config_dirs(crio_t) kubernetes_mounton_config_files(crio_t) -kubernetes_search_var_lib(crio_t) -kubernetes_mounton_var_lib_dirs(crio_t) # kubelet creates tmpfs files that CRI-O will # relabel to container_file_t @@ -78,6 +76,8 @@ optional_policy(` allow crio_conmon_t self:capability { sys_ptrace sys_resource }; +files_search_tmp(crio_conmon_t) + fs_list_cgroup_dirs(crio_conmon_t) init_rw_inherited_stream_socket(crio_conmon_t) @@ -102,5 +102,4 @@ container_manage_var_lib_files(crio_conmon_t) container_manage_var_lib_fifo_files(crio_conmon_t) container_manage_var_lib_sock_files(crio_conmon_t) -container_create_log_files(crio_conmon_t) -container_append_log_files(crio_conmon_t) +container_manage_log_files(crio_conmon_t) diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te index cb59476023..d2b4e30e5c 100644 --- a/policy/modules/services/docker.te +++ b/policy/modules/services/docker.te @@ -7,6 +7,9 @@ policy_module(docker) container_engine_domain_template(dockerd) container_system_engine(dockerd_t) +optional_policy(` + kubernetes_container_engine(dockerd_t) +') type dockerd_exec_t; container_engine_executable_file(dockerd_exec_t) application_domain(dockerd_t, dockerd_exec_t) diff --git a/policy/modules/services/kubernetes.fc b/policy/modules/services/kubernetes.fc index dfe922e356..e6e3574389 100644 --- a/policy/modules/services/kubernetes.fc +++ b/policy/modules/services/kubernetes.fc 
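Review bot: The @@ -102 hunk replaces `container_create_log_files` plus `container_append_log_files` for crio_conmon_t with `container_manage_log_files`, which adds write, unlink and rename over every container_log_t file; the previous create-plus-append grant kept container logs append-only from conmon's side, and that tamper-resistance is lost here for all containers' logs, not just the one conmon supervises. If a specific denial motivated the change, grant only the permission that was missing and record it in a comment, e.g. `# conmon truncates the log on rotation (denial: <AVC to be recorded>)`, rather than widening to manage. The surrounding crio_conmon_t rules are outside the hunk, so I cannot tell whether something else already granted write.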
@@ -5,15 +5,6 @@ HOME_DIR/\.kube(/.*)? gen_context(system_u:object_r:kubernetes_home_t,s0) /usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/bin/kubeadm -- gen_context(system_u:object_r:kubeadm_exec_t,s0) -/usr/lib/systemd/system/[^/]*kubelet.* -- gen_context(system_u:object_r:kubernetes_unit_t,s0) - -/var/lib/calico(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0) -/var/lib/etcd(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0) -/var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0) -/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0) +/usr/libexec/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_plugin_t,s0) -/var/log/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0) -/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0) -/var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0) -/var/log/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0) -/var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0) +/usr/lib/systemd/system/[^/]*kubelet.* -- gen_context(system_u:object_r:kubernetes_unit_t,s0) diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index 5520c1daf9..b446b5bb32 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if @@ -46,6 +46,25 @@ interface(`kubernetes_run_kubelet',` kubernetes_domtrans_kubelet($1) ') +####################################### +## +## Read the process state (/proc/pid) +## of kubelet. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_read_kubelet_state',` + gen_require(` + type kubelet_t; + ') + + ps_process_pattern($1, kubelet_t) +') + ####################################### ## ## Execute kubeadm in the kubeadm domain. 
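Review bot: The kubernetes.fc hunk removes every file context that used kubernetes_var_lib_t and kubernetes_log_t, and the kubernetes.if hunks in this patch remove or rename the interfaces that referenced kubernetes_var_lib_t, but whether the type declarations themselves are dropped from kubernetes.te is not visible here; if they remain, they now label nothing and should either be removed or kept with a comment saying why. The new `/usr/libexec/kubernetes(/.*)?` entry labels the plugin directory kubernetes_plugin_t, which kubernetes_manage_plugin_files later grants full manage on, so the same write-then-execute concern raised for container_plugin_t applies if that type is also executable.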
@@ -92,6 +111,65 @@ interface(`kubernetes_run_kubeadm',` kubernetes_domtrans_kubeadm($1) ') +######################################## +## +## Associated the specified domain to +## be a domain which is capable of +## operating as a kubernetes container +## engine. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_container_engine',` + gen_require(` + attribute kubernetes_container_engine_domain; + ') + + typeattribute $1 kubernetes_container_engine_domain; +') + +######################################## +## +## Allow the specified file type to be +## mounted on by kubernetes. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_mountpoint',` + gen_require(` + attribute kubernetes_mountpoint_type; + ') + + typeattribute $1 kubernetes_mountpoint_type; +') + +######################################## +## +## Run kubernetes container engine bpf +## programs. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_run_engine_bpf',` + gen_require(` + attribute kubernetes_container_engine_domain; + ') + + allow $1 kubernetes_container_engine_domain:bpf prog_run; +') + ######################################## ## ## Search kubernetes config directories. @@ -111,6 +189,26 @@ interface(`kubernetes_search_config',` allow $1 kubernetes_config_t:dir search_dir_perms; ') +######################################## +## +## Read kubernetes config files and symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_read_config',` + gen_require(` + type kubernetes_config_t; + ') + + kubernetes_search_config($1) + allow $1 kubernetes_config_t:file read_file_perms; + allow $1 kubernetes_config_t:lnk_file read_lnk_file_perms; +') + ######################################## ## ## Mount on kubernetes config directories. 
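Review bot: kubernetes_mountpoint takes a file type, not a domain, yet its parameter block reads "Domain allowed access."; it should say `## Type to be allowed to be mounted on.` so generated docs and callers are not misled. The kubernetes_container_engine summary also has a typo, "Associated the specified domain" should be `## Associate the specified domain`. Both are documentation-only fixes; the rules are fine.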
@@ -129,6 +227,25 @@ interface(`kubernetes_mounton_config_dirs',` allow $1 kubernetes_config_t:dir mounton; ') +######################################## +## +## Allow the specified domain to watch +## kubernetes config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_watch_config_dirs',` + gen_require(` + type kubernetes_config_t; + ') + + allow $1 kubernetes_config_t:dir watch; +') + ######################################## ## ## Mount on kubernetes config files. @@ -149,7 +266,28 @@ interface(`kubernetes_mounton_config_files',` ######################################## ## -## Search kubernetes directories in /var/lib. +## Allow the specified domain to watch +## kubernetes config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_watch_config_files',` + gen_require(` + type kubernetes_config_t; + ') + + allow $1 kubernetes_config_t:file watch; +') + +######################################## +## +## Allow the specified domain to list +## the contents of kubernetes plugin +## directories. ## ## ## @@ -157,18 +295,18 @@ interface(`kubernetes_mounton_config_files',` ## ## # -interface(`kubernetes_search_var_lib',` +interface(`kubernetes_list_plugins',` gen_require(` - type kubernetes_var_lib_t; + type kubernetes_plugin_t; ') - files_search_var_lib($1) - allow $1 kubernetes_var_lib_t:dir search_dir_perms; + allow $1 kubernetes_plugin_t:dir list_dir_perms; ') ######################################## ## -## Mount on kubernetes directories in /var/lib. +## Allow the specified domain to watch +## kubernetes plugin directories. ## ## ## 
@@ -176,18 +314,36 @@ interface(`kubernetes_search_var_lib',` ## ## # -interface(`kubernetes_mounton_var_lib_dirs',` +interface(`kubernetes_watch_plugin_dirs',` gen_require(` - type kubernetes_var_lib_t; + type kubernetes_plugin_t; ') - allow $1 kubernetes_var_lib_t:dir mounton; + allow $1 kubernetes_plugin_t:dir watch; +') + +######################################## +## +## Allow the specified domain to manage +## kubernetes plugin files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_manage_plugin_files',` + gen_require(` + type kubernetes_plugin_t; + ') + + manage_files_pattern($1, kubernetes_plugin_t, kubernetes_plugin_t) ') ######################################## ## ## List the contents of kubernetes tmpfs -## directories. ## ## ## 
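Review bot: Removing the `## directories.` line at the end of this hunk leaves the kubernetes_list_tmpfs summary truncated to `List the contents of kubernetes tmpfs`; the interface body (outside this hunk) still grants list_dir_perms on directories, so restore the word, e.g. as one line `## List the contents of kubernetes tmpfs directories.`. Separately, kubernetes_manage_plugin_files grants full write access to kubernetes_plugin_t, which this patch also declares with corecmd_executable_file; a short comment in the interface such as `# plugin files are executable; callers may write code that other domains run` would flag that to reviewers of future callers.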
@@ -203,6 +359,132 @@ interface(`kubernetes_list_tmpfs',` allow $1 kubernetes_tmpfs_t:dir list_dir_perms; ') +######################################## +## +## Manage kubernetes tmpfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_manage_tmpfs_dirs',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:dir manage_dir_perms; +') + +######################################## +## +## Watch kubernetes tmpfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_watch_tmpfs_dirs',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:dir watch; +') + +######################################## +## +## Read kubernetes tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_read_tmpfs_files',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:file read_file_perms; +') + +######################################## +## +## Manage kubernetes tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_manage_tmpfs_files',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:file manage_file_perms; +') + +######################################## +## +## Watch kubernetes tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_watch_tmpfs_files',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:file watch; +') + +######################################## +## +## Read kubernetes tmpfs symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_read_tmpfs_symlinks',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Manage kubernetes tmpfs symlinks. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`kubernetes_manage_tmpfs_symlinks',` + gen_require(` + type kubernetes_tmpfs_t; + ') + + allow $1 kubernetes_tmpfs_t:lnk_file manage_lnk_file_perms; +') + ######################################## ## ## Relabel directories from the kubernetes @@ -355,10 +637,11 @@ interface(`kubernetes_admin',` gen_require(` type kubeadm_t, kubelet_t; type kubernetes_config_t, kubernetes_tmpfs_t; - type kubernetes_runtime_t, kubernetes_var_lib_t; - type kubernetes_log_t; + type kubernetes_runtime_t; ') + container_admin($1, $2) + kubernetes_run_kubeadm($1, $2) kubernetes_run_kubelet($1, $2) @@ -377,12 +660,6 @@ interface(`kubernetes_admin',` files_search_runtime($1) admin_pattern($1, kubernetes_runtime_t) - files_search_var_lib($1) - admin_pattern($1, kubernetes_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, kubernetes_log_t) - optional_policy(` crio_admin($1, $2) ') diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 81f5119f5f..6cf1a09fbb 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -8,6 +8,18 @@ policy_module(kubernetes) attribute_role kubernetes_roles; roleattribute system_r kubernetes_roles; +# common attribute for all container engines +# that may be used with kubernetes +attribute kubernetes_container_engine_domain; + +# common attribute for all container domains +# that may be used with kubernetes +attribute kubernetes_container_domain; + +# attribute for all objects that may be mounted +# on by kubernetes containers +attribute kubernetes_mountpoint_type; + type kubelet_t; type kubelet_exec_t; domain_type(kubelet_t) 
@@ -20,20 +32,20 @@ type kubeadm_exec_t; application_domain(kubeadm_t, kubeadm_exec_t) role kubernetes_roles types kubeadm_t; +type kubernetes_plugin_t; +corecmd_executable_file(kubernetes_plugin_t) +kubernetes_mountpoint(kubernetes_plugin_t) + type kubernetes_config_t; files_config_file(kubernetes_config_t) - -type kubernetes_tmpfs_t; -files_tmpfs_file(kubernetes_tmpfs_t) +kubernetes_mountpoint(kubernetes_config_t) type kubernetes_runtime_t; files_runtime_file(kubernetes_runtime_t) +kubernetes_mountpoint(kubernetes_runtime_t) -type kubernetes_var_lib_t; -files_type(kubernetes_var_lib_t) - -type kubernetes_log_t; -logging_log_file(kubernetes_log_t) +type kubernetes_tmpfs_t; +files_type(kubernetes_tmpfs_t) type kubernetes_unit_t; init_unit_file(kubernetes_unit_t) 
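Review bot: kubernetes_tmpfs_t changes from files_tmpfs_file to files_type with no comment and the reason is not visible in this patch; a line above the declaration saying why the tmpfs-file helper was dropped would help. Since the same patch adds `fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })`, files of this type are presumably still created on tmpfs, so confirm the tmpfs associate permission is still granted somewhere. The kubernetes_plugin_t declaration could likewise carry a comment naming the directory it labels (/usr/libexec/kubernetes per the .fc hunk), which the kubelet rules later rely on.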
@@ -41,14 +53,51 @@ init_unit_file(kubernetes_unit_t) type kubernetes_home_t; xdg_config_content(kubernetes_home_t) +######################################## +# +# common kubernetes container engine policy +# + +allow kubernetes_container_engine_domain kubernetes_mountpoint_type:dir_file_class_set { getattr mounton }; + +files_getattr_kernel_modules(kubernetes_container_engine_domain) + +fs_mounton_tmpfs(kubernetes_container_engine_domain) + +iptables_getattr_runtime_files(kubernetes_container_engine_domain) + +corecmd_search_bin(kubernetes_container_engine_domain) +allow kubernetes_container_engine_domain kubernetes_plugin_t:dir search_dir_perms; + +container_use_container_ptys(kubernetes_container_engine_domain) + +container_exec_plugins(kubernetes_container_engine_domain) + +container_search_logs(kubernetes_container_engine_domain) +container_watch_log_dirs(kubernetes_container_engine_domain) + +container_filetrans_var_lib_file(kubernetes_container_engine_domain, dir, "calico") +container_filetrans_var_lib_file(kubernetes_container_engine_domain, dir, "etcd") + +ifdef(`init_systemd',` + init_dbus_chat(kubernetes_container_engine_domain) + + init_get_system_status(kubernetes_container_engine_domain) + init_start_system(kubernetes_container_engine_domain) + init_stop_system(kubernetes_container_engine_domain) + + init_get_transient_units_status(kubernetes_container_engine_domain) + init_start_transient_units(kubernetes_container_engine_domain) + init_stop_transient_units(kubernetes_container_engine_domain) +') + ######################################## # # kubelet local policy # allow kubelet_t self:process { getattr getsched setrlimit signal }; -allow kubelet_t self:capability { chown dac_read_search net_raw sys_ptrace sys_resource }; -dontaudit kubelet_t self:capability net_admin; +allow kubelet_t self:capability { chown dac_override dac_read_search net_admin net_raw sys_ptrace sys_resource }; allow kubelet_t self:cap_userns sys_ptrace; allow kubelet_t 
self:fifo_file rw_fifo_file_perms; allow kubelet_t self:rawip_socket create_socket_perms; @@ -56,6 +105,12 @@ allow kubelet_t self:tcp_socket create_stream_socket_perms; allow kubelet_t self:unix_dgram_socket create_socket_perms; allow kubelet_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow kubelet_t kubernetes_plugin_t:dir { create_dir_perms list_dir_perms watch }; +allow kubelet_t kubernetes_plugin_t:file { create_file_perms rw_file_perms }; +can_exec(kubelet_t, kubernetes_plugin_t) +# kubelet drops plugins in /usr/libexec/kubernetes +corecmd_bin_filetrans(kubelet_t, kubernetes_plugin_t, dir, "kubernetes") + allow kubelet_t kubernetes_config_t:dir { list_dir_perms watch }; allow kubelet_t kubernetes_config_t:file { read_file_perms watch }; allow kubelet_t kubernetes_config_t:lnk_file read_lnk_file_perms; 
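Review bot: The kubelet capability rule now allows dac_override and turns net_admin from dontaudit into allow without a comment naming the operation that needs each, while the kubeadm capability rule in this patch does carry a justification. dac_override bypasses all DAC checks, so if the need is only to traverse or read other users' files the existing dac_read_search may already be enough; add a comment above the rule such as `# dac_override: <operation, TODO confirm>; net_admin: <operation, TODO confirm>`. This hunk starts on the previous line.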
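Review bot: `allow kubelet_t kubernetes_plugin_t:file { create_file_perms rw_file_perms }` together with `can_exec(kubelet_t, kubernetes_plugin_t)` gives kubelet write and execute on the same type, so anything kubelet writes under /usr/libexec/kubernetes is also executable by kubelet, and container engines get search on those directories from the common engine rules above. That is a reasonable trade-off for a plugin installer but it should be recorded, e.g. by extending the existing comment to `# kubelet installs and then executes plugins in /usr/libexec/kubernetes (write+exec on one type)`. If plugins are shipped by packaging on some deployments, gating the create/write rules behind a tunable would keep the exec-only case tighter.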
@@ -71,22 +126,17 @@ allow kubelet_t kubernetes_runtime_t:file manage_file_perms; allow kubelet_t kubernetes_runtime_t:sock_file manage_sock_file_perms; files_runtime_filetrans(kubelet_t, kubernetes_runtime_t, { dir file sock_file }) -allow kubelet_t kubernetes_var_lib_t:dir manage_dir_perms; -allow kubelet_t kubernetes_var_lib_t:file manage_file_perms; -allow kubelet_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms; -allow kubelet_t kubernetes_var_lib_t:sock_file manage_sock_file_perms; -files_var_lib_filetrans(kubelet_t, kubernetes_var_lib_t, dir) -container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "device-plugins") -container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "pods") -container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins") -container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins_registry") - -logging_log_filetrans(kubelet_t, kubernetes_log_t, { dir file }) +kubernetes_manage_tmpfs_dirs(kubelet_t) +kubernetes_manage_tmpfs_files(kubelet_t) +kubernetes_manage_tmpfs_symlinks(kubelet_t) +fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file }) corenet_tcp_bind_generic_node(kubelet_t) +corenet_tcp_connect_http_port(kubelet_t) corenet_tcp_bind_kubernetes_port(kubelet_t) corenet_tcp_connect_kubernetes_port(kubelet_t) +corenet_tcp_connect_all_unreserved_ports(kubelet_t) corecmd_search_bin(kubelet_t) corecmd_watch_bin_dirs(kubelet_t) @@ -102,6 +152,7 @@ domain_setpriority_all_domains(kubelet_t) files_dontaudit_getattr_all_dirs(kubelet_t) files_dontaudit_search_mnt(kubelet_t) files_dontaudit_search_tmp(kubelet_t) +files_search_tmp(kubelet_t) files_read_kernel_symbol_table(kubelet_t) # read /usr/share/mime/globs2 files_read_usr_files(kubelet_t) 
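Review bot: `files_search_tmp(kubelet_t)` is added directly after `files_dontaudit_search_tmp(kubelet_t)`, which becomes redundant once the access is allowed; drop the dontaudit line. In the earlier hunk on this line, `corenet_tcp_connect_all_unreserved_ports(kubelet_t)` is added with no comment; naming the peer service kubelet reaches on an unreserved port would let a later reviewer judge whether a dedicated port type could replace the blanket grant.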
@@ -123,18 +174,23 @@ kernel_rw_kernel_sysctl(kubelet_t) kernel_rw_net_sysctls(kubelet_t) kernel_rw_vm_overcommit_sysctl(kubelet_t) kernel_dontaudit_getattr_proc(kubelet_t) +kernel_read_state(kubelet_t) -storage_getattr_fixed_disk_dev(kubelet_t) +storage_dontaudit_getattr_fixed_disk_dev(kubelet_t) auth_use_nsswitch(kubelet_t) +init_read_state(kubelet_t) + iptables_domtrans(kubelet_t) iptables_getattr_runtime_files(kubelet_t) - -miscfiles_read_localization(kubelet_t) +iptables_read_state(kubelet_t) logging_send_syslog_msg(kubelet_t) +miscfiles_read_generic_certs(kubelet_t) +miscfiles_read_localization(kubelet_t) + modutils_domtrans(kubelet_t) mount_domtrans(kubelet_t) @@ -142,6 +198,7 @@ mount_domtrans(kubelet_t) seutil_read_default_contexts(kubelet_t) userdom_dontaudit_search_user_runtime_root(kubelet_t) +userdom_use_user_terminals(kubelet_t) dbus_list_system_bus_runtime(kubelet_t) dbus_system_bus_client(kubelet_t) @@ -152,12 +209,19 @@ container_getattr_fs(kubelet_t) container_read_runtime_files(kubelet_t) # connect to docker, podman, etc. container_stream_connect_system_engine(kubelet_t) +# connect to privileged static pods +container_stream_connect_spec_container(kubelet_t, kubernetes_container_domain) + +# kubelet monitors open fds in its cgroups +container_read_all_container_state(kubelet_t) +container_read_all_container_engine_state(kubelet_t) container_list_var_lib(kubelet_t) container_manage_dirs(kubelet_t) container_manage_files(kubelet_t) container_manage_lnk_files(kubelet_t) container_manage_sock_files(kubelet_t) +container_rw_fifo_files(kubelet_t) container_watch_dirs(kubelet_t) container_list_ro_dirs(kubelet_t) 
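Review bot: `container_stream_connect_spec_container(kubelet_t, kubernetes_container_domain)` names an attribute that the hunks of this patch declare but never assign to any type, so as far as these hunks show the rule grants nothing until something calls typeattribute with it (the kubernetes_container() interface only appears in patch 106 of this series). If the staging is intentional, a comment such as `# kubernetes_container_domain is populated by kubernetes_container()` next to the rule would avoid confusion; otherwise the assignment belongs in this patch.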
@@ -171,10 +235,23 @@ container_manage_log_symlinks(kubelet_t) container_dontaudit_relabel_dirs(kubelet_t) container_dontaudit_relabel_files(kubelet_t) +container_log_filetrans(kubelet_t, { dir file }) + +container_manage_var_lib_dirs(kubelet_t) +container_manage_var_lib_files(kubelet_t) +container_manage_var_lib_lnk_files(kubelet_t) +container_manage_var_lib_sock_files(kubelet_t) +container_var_lib_filetrans(kubelet_t, dir) +container_filetrans_var_lib_file(kubelet_t, dir, "device-plugins") +container_filetrans_var_lib_file(kubelet_t, dir, "pods") +container_filetrans_var_lib_file(kubelet_t, dir, "plugins") +container_filetrans_var_lib_file(kubelet_t, dir, "plugins_registry") + ifdef(`init_systemd',` init_dbus_chat(kubelet_t) init_start_system(kubelet_t) + init_stop_system(kubelet_t) init_get_transient_units_status(kubelet_t) init_start_transient_units(kubelet_t) init_stop_transient_units(kubelet_t) @@ -189,13 +266,18 @@ optional_policy(` docker_write_state(kubelet_t) ') +optional_policy(` + crio_read_conmon_state(kubelet_t) +') + ######################################## # # kubeadm local policy # allow kubeadm_t self:process { getsched signal }; -dontaudit kubeadm_t self:capability net_admin; +# cap_sysadmin is required to unmount volumes in /var/lib/kubelet +allow kubeadm_t self:capability { dac_override dac_read_search net_admin sys_admin }; allow kubeadm_t self:fifo_file rw_fifo_file_perms; allow kubeadm_t self:netlink_route_socket create_netlink_socket_perms; allow kubeadm_t self:tcp_socket create_stream_socket_perms; 
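Review bot: The new comment says `cap_sysadmin` while the capability granted is sys_admin; it should read `# sys_admin is required to unmount volumes in /var/lib/kubelet`. The justification covers only unmounting, but the same rule also adds dac_override and net_admin to kubeadm with no reason given; either extend the comment or split the rule so each capability is documented. Unmount does require CAP_SYS_ADMIN, so stating that no narrower capability covers it makes clear the broad grant was considered.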
@@ -209,12 +291,6 @@ manage_dirs_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) manage_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) manage_lnk_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) -allow kubeadm_t kubernetes_var_lib_t:dir manage_dir_perms; -allow kubeadm_t kubernetes_var_lib_t:file manage_file_perms; -allow kubeadm_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms; -allow kubeadm_t kubernetes_var_lib_t:sock_file manage_sock_file_perms; -files_var_lib_filetrans(kubeadm_t, kubernetes_var_lib_t, dir) - allow kubeadm_t kubernetes_home_t:dir search_dir_perms; allow kubeadm_t kubernetes_home_t:file read_file_perms; allow kubeadm_t kubernetes_home_t:lnk_file read_lnk_file_perms; @@ -232,8 +308,14 @@ domain_use_interactive_fds(kubeadm_t) files_read_boot_files(kubeadm_t) files_read_etc_files(kubeadm_t) +files_search_kernel_modules(kubeadm_t) +files_search_src(kubeadm_t) +files_read_usr_files(kubeadm_t) +files_read_usr_src_files(kubeadm_t) fs_getattr_tmpfs(kubeadm_t) +fs_list_tmpfs(kubeadm_t) +fs_unmount_tmpfs(kubeadm_t) fs_getattr_xattr_fs(kubeadm_t) fs_getattr_cgroup(kubeadm_t) fs_search_cgroup_dirs(kubeadm_t) @@ -255,6 +337,10 @@ logging_search_logs(kubeadm_t) miscfiles_read_generic_certs(kubeadm_t) miscfiles_read_localization(kubeadm_t) +modutils_exec(kubeadm_t) +modutils_read_module_config(kubeadm_t) +modutils_read_module_deps(kubeadm_t) + userdom_search_user_home_content(kubeadm_t) userdom_use_user_terminals(kubeadm_t) userdom_lock_user_terminals(kubeadm_t) 
@@ -267,11 +353,19 @@ container_stream_connect_system_engine(kubeadm_t) container_list_var_lib(kubeadm_t) container_manage_var_lib_dirs(kubeadm_t) container_manage_var_lib_files(kubeadm_t) +container_filetrans_var_lib_file(kubeadm_t, dir, "etcd") + container_manage_dirs(kubeadm_t) container_manage_files(kubeadm_t) container_manage_lnk_files(kubeadm_t) container_manage_sock_files(kubeadm_t) +container_manage_var_lib_dirs(kubeadm_t) +container_manage_var_lib_files(kubeadm_t) +container_manage_var_lib_lnk_files(kubeadm_t) +container_manage_var_lib_sock_files(kubeadm_t) +container_var_lib_filetrans(kubeadm_t, dir) + ifdef(`init_systemd',` init_get_system_status(kubeadm_t) init_reload(kubeadm_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 97a75cf86f..030b5f55d2 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -63,6 +63,11 @@ domain_entry_file(init_t, init_exec_t) kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; +optional_policy(` + # required by calico + kubernetes_mountpoint(init_t) +') + # # init_runtime_t is the type for /var/run/shutdown.pid and /var/run/systemd. # @@ -590,6 +595,13 @@ ifdef(`init_systemd',` dbus_connect_system_bus(init_t) ') + optional_policy(` + # kubelet systemd unit reads env files in + # /etc/kubernetes and /var/lib/kubelet + container_read_var_lib_files(init_t) + kubernetes_read_config(init_t) + ') + optional_policy(` # var-lib-nfs-rpc_pipefs.mount creates /var/lib/nfs/rpc_pipefs # if it does not exist diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 838ab2a420..af9c54632d 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if 
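Review bot: `container_manage_var_lib_dirs(kubeadm_t)` and `container_manage_var_lib_files(kubeadm_t)` are added at the end of this hunk although both already appear as context lines at its top; drop the two duplicates and keep only the new container_manage_var_lib_lnk_files, container_manage_var_lib_sock_files and container_var_lib_filetrans calls. Placing those next to the existing calls would also keep the /var/lib rules together.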
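Review bot: `kubernetes_mountpoint(init_t)` puts a process domain type on kubernetes_mountpoint_type, and the engine rule added in this patch (`allow kubernetes_container_engine_domain kubernetes_mountpoint_type:dir_file_class_set { getattr mounton }`) then lets every kubernetes engine mount over any object labelled init_t, which presumably includes the init process's /proc entries. `# required by calico` does not say which path is mounted over; state it, e.g. `# calico mounts over <path, TODO confirm>, which is labelled init_t`, so the scope of the grant can be re-checked later. The second init.te hunk's comment about the kubelet unit reading env files is a good model.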
@@ -66,6 +66,25 @@ interface(`iptables_exec',` can_exec($1, iptables_exec_t) ') +######################################## +## +## Read the process state (/proc/pid) +## of iptables. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_read_state',` + gen_require(` + type iptables_t; + ') + + ps_process_pattern($1, iptables_t) +') + ######################################## ## ## Execute iptables init scripts in @@ -180,6 +199,42 @@ interface(`iptables_getattr_runtime_files',` allow $1 iptables_runtime_t:file getattr; ') +######################################## +## +## Read iptables runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_read_runtime_files',` + gen_require(` + type iptables_runtime_t; + ') + + read_files_pattern($1, iptables_runtime_t, iptables_runtime_t) +') + +######################################## +## +## Mount on iptables runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_mounton_runtime_files',` + gen_require(` + type iptables_runtime_t; + ') + + allow $1 iptables_runtime_t:file mounton; +') + ######################################## ## ## dontaudit reading iptables_runtime_t (Deprecated) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 9b0565b45e..aa657ee031 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -74,6 +74,7 @@ dev_dontaudit_write_mtrr(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) +fs_list_cgroup_dirs(iptables_t) fs_list_inotifyfs(iptables_t) fs_ioctl_cgroup_dirs(iptables_t) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index d028723ce6..c66c5ca8a7 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
@@ -208,6 +208,11 @@ optional_policy(` corecmd_exec_shell(mount_t) ') +optional_policy(` + # kubelet bind-mounts its own fds into containers + kubernetes_read_kubelet_state(mount_t) +') + optional_policy(` modutils_read_module_deps(mount_t) ') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 7d38af4964..f1e8cd265e 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -29,6 +29,9 @@ files_type(udev_rules_t) type udev_runtime_t alias { udev_tbl_t udev_var_run_t }; files_runtime_file(udev_runtime_t) init_daemon_runtime_file(udev_runtime_t, dir, "udev") +optional_policy(` + kubernetes_mountpoint(udev_runtime_t) +') ######################################## # From 1512723b3623759d68f65f7807227022de53a545 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 8 Jun 2022 16:30:20 -0400 Subject: [PATCH 105/257] kubernetes: add policy for kubectl Add a private type for kubectl because kubectl edit will invoke a text editor for editing. This execution should transition back to the user domain. Signed-off-by: Kenton Groombridge --- policy/modules/services/kubernetes.fc | 1 + policy/modules/services/kubernetes.if | 92 ++++++++++++++++++++++++++- policy/modules/services/kubernetes.te | 53 +++++++++++++++ 3 files changed, 143 insertions(+), 3 deletions(-) diff --git a/policy/modules/services/kubernetes.fc b/policy/modules/services/kubernetes.fc index e6e3574389..9764fdb873 100644 --- a/policy/modules/services/kubernetes.fc +++ b/policy/modules/services/kubernetes.fc @@ -2,6 +2,7 @@ HOME_DIR/\.kube(/.*)? gen_context(system_u:object_r:kubernetes_home_t,s0) /etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_config_t,s0) +/usr/bin/kubectl -- gen_context(system_u:object_r:kubectl_exec_t,s0) /usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/bin/kubeadm -- gen_context(system_u:object_r:kubeadm_exec_t,s0) 
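Review bot: The udev.te optional_policy block is inserted directly after `init_daemon_runtime_file(udev_runtime_t, dir, "udev")` with no blank line before it, unlike the mount.te block in this commit; add a blank line so the declaration group and the optional block are separated. As for init_t, a one-line comment saying why udev's runtime directory must be a kubernetes mountpoint would help.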
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index b446b5bb32..3c8640e1c9 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if @@ -1,5 +1,73 @@ ## policy for kubernetes +######################################## +## +## Role access for kubectl. +## +## +## +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## +## +## +## +## User domain for the role. +## +## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## +# +template(`kubernetes_kubectl_role',` + gen_require(` + attribute kubectl_domain; + type kubectl_exec_t; + type kubernetes_conf_home_t; + ') + + ######################################## + # + # Declarations + # + + type $1_kubectl_t, kubectl_domain; + userdom_user_application_domain($1_kubectl_t, kubectl_exec_t) + role $4 types $1_kubectl_t; + + ######################################## + # + # Policy + # + + domtrans_pattern($3, kubectl_exec_t, $1_kubectl_t) + + allow $2 kubernetes_conf_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 kubernetes_conf_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 kubernetes_conf_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, kubernetes_conf_home_t, dir, ".kube") + + allow $3 $1_kubectl_t:process { ptrace signal_perms }; + ps_process_pattern($3, $1_kubectl_t) + + auth_use_nsswitch($1_kubectl_t) + + # kubectl executes an editor when editing files + # transition back to the user domain when running them + corecmd_bin_domtrans($1_kubectl_t, $2) + + optional_policy(` + systemd_user_app_status($1, $1_kubectl_t) + ') +') + ####################################### ## ## Execute kubelet in the kubelet domain. 
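Review bot: kubernetes_kubectl_role requires kubernetes_conf_home_t, but no hunk of this patch declares that type; kubernetes.te still declares kubernetes_home_t and the kubernetes.fc hunk of this same commit keeps `HOME_DIR/\.kube(/.*)?` labelled kubernetes_home_t, so the gen_require should fail unless a later patch in the series renames the type. Either rename here (declaration and .fc together) or use kubernetes_home_t in the template and in kubernetes_admin. The user domain $2 also gets manage and relabel on that home type while the kubectl domain itself only reads symlinks there; if that asymmetry is intended, a one-line comment would save the next reader the question.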
@@ -635,9 +703,11 @@ interface(`kubernetes_reload_unit',` # interface(`kubernetes_admin',` gen_require(` - type kubeadm_t, kubelet_t; - type kubernetes_config_t, kubernetes_tmpfs_t; - type kubernetes_runtime_t; + type kubeadm_t, kubelet_t, kubectl_t; + type kubectl_exec_t; + type kubernetes_config_t, kubernetes_tmp_t; + type kubernetes_tmpfs_t, kubernetes_runtime_t; + type kubernetes_conf_home_t; ') container_admin($1, $2) @@ -645,21 +715,37 @@ interface(`kubernetes_admin',` kubernetes_run_kubeadm($1, $2) kubernetes_run_kubelet($1, $2) + role $2 types kubectl_t; + domtrans_pattern($1, kubectl_exec_t, kubectl_t) + + # kubectl executes an editor when editing files + # transition back to the user domain when running them + corecmd_bin_domtrans(kubectl_t, $1) + allow $1 kubeadm_t:process { ptrace signal_perms }; ps_process_pattern($1, kubeadm_t) allow $1 kubelet_t:process { ptrace signal_perms }; ps_process_pattern($1, kubelet_t) + allow $1 kubectl_t:process { ptrace signal_perms }; + ps_process_pattern($1, kubectl_t) + files_search_etc($1) admin_pattern($1, kubernetes_config_t) + files_search_tmp($1) + admin_pattern($1, kubernetes_tmp_t) + fs_search_tmpfs($1) admin_pattern($1, kubernetes_tmpfs_t) files_search_runtime($1) admin_pattern($1, kubernetes_runtime_t) + admin_pattern($1, kubernetes_conf_home_t) + userdom_user_home_dir_filetrans($1, kubernetes_conf_home_t, dir, ".kube") + optional_policy(` crio_admin($1, $2) ') diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 6cf1a09fbb..79e32292dd 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -20,6 +20,9 @@ attribute kubernetes_container_domain; # on by kubernetes containers attribute kubernetes_mountpoint_type; +# common attribute for all kubectl domains +attribute kubectl_domain; + type kubelet_t; type kubelet_exec_t; domain_type(kubelet_t) 
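Review bot: `corecmd_bin_domtrans(kubectl_t, $1)` inside kubernetes_admin adds a default type transition from the shared kubectl_t on bin_t to the caller's domain, so two different admin domains calling kubernetes_admin would, as far as I can tell, produce conflicting type_transition rules for the same source, target and class and break the build. The role template avoids this by giving each role its own $1_kubectl_t; the admin interface should reuse that template or drop the back-transition and note that `kubectl edit` from the admin domain runs the editor in kubectl_t. The interface continues past the end of this hunk.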
@@ -32,6 +35,10 @@ type kubeadm_exec_t; application_domain(kubeadm_t, kubeadm_exec_t) role kubernetes_roles types kubeadm_t; +type kubectl_t, kubectl_domain; +type kubectl_exec_t; +application_domain(kubectl_t, kubectl_exec_t) + type kubernetes_plugin_t; corecmd_executable_file(kubernetes_plugin_t) kubernetes_mountpoint(kubernetes_plugin_t) @@ -44,6 +51,10 @@ type kubernetes_runtime_t; files_runtime_file(kubernetes_runtime_t) kubernetes_mountpoint(kubernetes_runtime_t) +# files created in /tmp by kubectl for editing +type kubernetes_tmp_t; +files_tmp_file(kubernetes_tmp_t) + type kubernetes_tmpfs_t; files_type(kubernetes_tmpfs_t) 
@@ -384,3 +395,45 @@ optional_policy(` docker_domtrans_cli(kubeadm_t) docker_read_state(kubeadm_t) ') + +######################################## +# +# common kubectl local policy +# + +allow kubectl_domain self:process { getsched signal }; +allow kubectl_domain self:fifo_file rw_fifo_file_perms; +allow kubectl_domain self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t) +manage_files_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t) +read_lnk_files_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t) + +files_search_tmp(kubectl_domain) +manage_files_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t) +files_tmp_filetrans(kubectl_domain, kubernetes_tmp_t, file) + +# binds to 8001 for proxy +corenet_tcp_bind_all_unreserved_ports(kubectl_domain) +corenet_tcp_bind_generic_node(kubectl_domain) +corenet_tcp_connect_http_port(kubectl_domain) +corenet_tcp_connect_kubernetes_port(kubectl_domain) + +domain_use_interactive_fds(kubectl_domain) + +files_read_etc_files(kubectl_domain) +files_read_usr_files(kubectl_domain) + +kernel_dontaudit_search_network_sysctl(kubectl_domain) + +miscfiles_read_generic_certs(kubectl_domain) +miscfiles_read_localization(kubectl_domain) + +userdom_use_user_terminals(kubectl_domain) + +######################################## +# +# kubectl local policy +# + +auth_use_nsswitch(kubectl_t) From cd929e846ba8123c7d82846e58516f413ea00e6c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 17 Jun 2022 13:14:49 -0400 Subject: [PATCH 106/257] various: fixes for kubernetes 
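Review bot: The kubectl domains create kubernetes_tmp_t files for editing (`files_tmp_filetrans(kubectl_domain, kubernetes_tmp_t, file)`), yet per the template's comment the editor runs back in the user domain, and nothing in this patch grants the user domain $2 access to kubernetes_tmp_t; unless user domains already get it elsewhere, the editor will be denied on the temporary file (the admin case is covered by `admin_pattern($1, kubernetes_tmp_t)`). Adding `files_search_tmp($2)` and `rw_files_pattern($2, kubernetes_tmp_t, kubernetes_tmp_t)` to kubernetes_kubectl_role would close that gap. `corenet_tcp_bind_all_unreserved_ports(kubectl_domain)` is justified by `# binds to 8001 for proxy`; if that port is fixed, a dedicated port type would be far narrower than all unreserved ports.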
Signed-off-by: Kenton Groombridge --- policy/modules/services/container.if | 131 ++++++++++----- policy/modules/services/container.te | 79 +++++++-- policy/modules/services/crio.te | 10 +- policy/modules/services/kubernetes.if | 146 +++++++++++++++-- policy/modules/services/kubernetes.te | 220 ++++++++++++++++++-------- policy/modules/services/podman.te | 6 +- policy/modules/services/rpc.te | 6 + policy/modules/system/miscfiles.if | 60 +++++++ policy/modules/system/mount.if | 18 +++ policy/modules/system/selinuxutil.te | 4 + 10 files changed, 545 insertions(+), 135 deletions(-) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index 8c9f6cbe6d..ec8b0c81d6 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -815,26 +815,6 @@ interface(`container_signal_all_containers',` allow $1 container_domain:process signal_perms; ') -######################################## -## -## Allow the specified domain to -## get the process group ID of all -## containers. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`container_getpgid_all_containers',` - gen_require(` - attribute container_domain; - ') - - allow $1 container_domain:process getpgid; -') - ######################################## ## ## Set the attributes of container ptys. @@ -902,7 +882,7 @@ interface(`container_mountpoint',` ## ## # -interface(`container_list_plugins',` +interface(`container_list_plugin_dirs',` gen_require(` type container_plugin_t; ') 
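Review bot: container_list_plugins is renamed to container_list_plugin_dirs without leaving a deprecated compatibility interface, and the earlier hunk on this line deletes container_getpgid_all_containers outright (the next line's hunk does the same for container_write_config_files); any out-of-tree module calling these names stops building. Refpolicy normally keeps the old name for a release as a wrapper that calls the new interface and emits a refpolicywarn deprecation notice, which is a few lines per interface. The subject "various: fixes for kubernetes" also does not mention the interface removals.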
@@ -910,6 +890,26 @@ interface(`container_list_plugins',` allow $1 container_plugin_t:dir list_dir_perms; ') +######################################## +## +## Allow the specified domain to +## add a watch on container plugin +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_watch_plugin_dirs',` + gen_require(` + type container_plugin_t; + ') + + allow $1 container_plugin_t:dir watch; +') + ######################################## ## ## Allow the specified domain to @@ -945,7 +945,7 @@ interface(`container_exec_plugins',` type container_plugin_t; ') - container_list_plugins($1) + container_list_plugin_dirs($1) can_exec($1, container_plugin_t) ') @@ -1026,25 +1026,6 @@ interface(`container_rw_config_files',` rw_files_pattern($1, container_config_t, container_config_t) ') -######################################## -## -## Allow the specified domain to -## write container config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`container_write_config_files',` - gen_require(` - type container_config_t; - ') - - write_files_pattern($1, container_config_t, container_config_t) -') - ######################################## ## ## Allow the specified domain to @@ -1934,6 +1915,25 @@ interface(`container_manage_var_lib_files',` manage_files_pattern($1, container_var_lib_t, container_var_lib_t) ') +######################################## +## +## Allow the specified domain to memory +## map container files in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_map_var_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + allow $1 container_var_lib_t:file map; +') + ######################################## ## ## Allow the specified domain to manage 
@@ -2021,6 +2021,36 @@ interface(`container_var_lib_filetrans',` files_var_lib_filetrans($1, container_var_lib_t, $2, $3) ') +######################################## +## +## Allow the specified domain to create +## objects in /var/lib with an automatic +## transition to the container file type. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_var_lib_filetrans_file',` + gen_require(` + type container_file_t; + ') + + files_var_lib_filetrans($1, container_file_t, $2, $3) +') + ######################################## ## ## Allow the specified domain to create @@ -2239,6 +2269,25 @@ interface(`container_manage_log_files',` manage_files_pattern($1, container_log_t, container_log_t) ') +######################################## +## +## Allow the specified domain to watch +## container log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_watch_log_files',` + gen_require(` + type container_log_t; + ') + + allow $1 container_log_t:file watch; +') + ######################################## ## ## Allow the specified domain to create diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 527e9135a9..92dc11c3e8 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -86,6 +86,9 @@ roleattribute system_r container_roles; container_domain_template(container) typealias container_t alias svirt_lxc_net_t; typeattribute container_t container_system_domain, container_user_domain, container_net_domain; +optional_policy(` + kubernetes_container(container_t) +') container_engine_domain_template(container_engine) typeattribute container_engine_t container_engine_system_domain; 
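Review bot: The new container_var_lib_filetrans_file is named almost identically to container_filetrans_var_lib_file, which the kubernetes hunks in this series already call (e.g. `container_filetrans_var_lib_file(kubelet_t, dir, "pods")`), and both take the same three arguments, so the two will be confused. Either rename this one to say what differs or state it in the summary, e.g. `## Create objects in /var/lib labelled container_file_t; see container_filetrans_var_lib_file for the other container type.`. The other interface's definition is not in view, so confirm which type it uses before wording that sentence.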
@@ -100,6 +103,9 @@ mls_trusted_object(container_engine_t) type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain; domain_type(spc_t) role system_r types spc_t; +optional_policy(` + kubernetes_container(spc_t) +') type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain; domain_type(spc_user_t) @@ -153,6 +159,9 @@ files_mountpoint(container_file_t) files_associate_rootfs(container_file_t) term_pty(container_file_t) container_mountpoint(container_file_t) +optional_policy(` + kubernetes_mountpoint(container_file_t) +') type container_ro_file_t; files_mountpoint(container_ro_file_t) @@ -204,6 +213,7 @@ manage_fifo_files_pattern(container_domain, container_file_t, container_file_t) rw_chr_files_pattern(container_domain, container_file_t, container_file_t) rw_blk_files_pattern(container_domain, container_file_t, container_file_t) allow container_domain container_file_t:dir_file_class_set watch; +allow container_domain container_file_t:file { entrypoint map }; allow container_domain container_ro_file_t:blk_file read_blk_file_perms; allow container_domain container_ro_file_t:dir list_dir_perms; @@ -283,10 +293,10 @@ tunable_policy(`container_read_public_content',` ') tunable_policy(`container_use_ecryptfs',` - fs_manage_ecryptfs_dirs(container_domain) - fs_manage_ecryptfs_files(container_domain) - fs_manage_ecryptfs_named_sockets(container_domain) - fs_list_ecryptfs(container_domain) + fs_manage_ecryptfs_dirs(container_domain) + fs_manage_ecryptfs_files(container_domain) + fs_manage_ecryptfs_named_sockets(container_domain) + fs_list_ecryptfs(container_domain) ') tunable_policy(`container_use_nfs',` 
@@ -307,10 +317,10 @@ tunable_policy(`container_use_samba',` optional_policy(` kubernetes_list_tmpfs(container_domain) - kubernetes_watch_tmpfs_dirs(container_domain) - kubernetes_watch_tmpfs_files(container_domain) kubernetes_read_tmpfs_files(container_domain) kubernetes_read_tmpfs_symlinks(container_domain) + kubernetes_watch_tmpfs_dirs(container_domain) + kubernetes_watch_tmpfs_files(container_domain) ') optional_policy(` @@ -382,7 +392,6 @@ allow container_t self:capability { chown dac_override dac_read_search fowner fs dontaudit container_t self:capability2 block_suspend; allow container_t self:process setrlimit; -allow container_t container_file_t:file entrypoint; allow container_t container_file_t:filesystem getattr; kernel_read_network_state(container_t) @@ -437,7 +446,8 @@ allow container_engine_domain container_port_t:tcp_socket name_bind; dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh }; allow container_engine_domain container_domain:process2 { nnp_transition nosuid_transition }; -allow container_engine_domain container_mountpoint_type:dir_file_class_set mounton; +allow container_engine_domain container_mountpoint_type:dir search_dir_perms; +allow container_engine_domain container_mountpoint_type:dir_file_class_set { getattr mounton }; corecmd_bin_entry_type(container_engine_domain) corecmd_exec_bin(container_engine_domain) @@ -644,6 +654,11 @@ ps_process_pattern(container_engine_system_domain, container_system_domain) allow container_system_domain container_engine_system_domain:fd use; allow container_system_domain container_engine_system_domain:fifo_file rw_fifo_file_perms; +# for managing container storage on ZFS volumes +fstools_exec(container_engine_system_domain) + +logging_send_syslog_msg(container_engine_system_domain) + create_dirs_pattern(container_engine_system_domain, container_config_t, container_config_t) files_etc_filetrans(container_engine_system_domain, container_config_t, dir) 
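Review bot: `fstools_exec(container_engine_system_domain)` in the `@@ -644` hunk runs the filesystem tools inside the engine domain itself, so a mkfs/fsck-style binary inherits every rule the engine has, including the `mounton` over `container_mountpoint_type` widened in the `@@ -437` hunk above. If the engine only launches these tools as child processes, `fstools_domtrans` keeps them confined to their own domain; if an in-domain exec is genuinely required, the comment should say why, e.g. `# for managing container storage on ZFS volumes; executed in-domain because <reason — TODO confirm>`. The ZFS path is also covered by the `zfs_domtrans` added in the next hunk on L228, so it is not obvious from this chunk that the exec rule is still needed at all.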
@@ -683,6 +698,13 @@ allow container_engine_system_domain container_engine_cache_t:dir manage_dir_per allow container_engine_system_domain container_engine_cache_t:file manage_file_perms; files_var_filetrans(container_engine_system_domain, container_engine_cache_t, { dir file }) +container_exec_plugins(container_engine_system_domain) +container_watch_plugin_dirs(container_engine_system_domain) + +optional_policy(` + zfs_domtrans(container_engine_system_domain) +') + ######################################## # # Common user container engine local policy @@ -770,10 +792,11 @@ domtrans_pattern(container_engine_system_domain, container_file_t, spc_t) domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t) domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t) -allow spc_t self:process setrlimit; -allow spc_t self:capability { sys_admin sys_resource }; +allow spc_t self:process { getcap setrlimit }; +allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid sys_admin sys_ptrace sys_rawio sys_resource }; allow spc_t self:capability2 { bpf perfmon }; allow spc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow spc_t self:netlink_generic_socket create_socket_perms; allow spc_t self:netlink_netfilter_socket create_socket_perms; allow spc_t self:netlink_xfrm_socket create_socket_perms; 
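Review bot: The `@@ -770` hunk adds `sys_rawio` (together with `audit_write` and `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }`) to spc_t's self capabilities without a comment, and the `@@ -801` hunk on L229 adds `storage_raw_rw_fixed_disk(spc_t)` the same way; between them every super-privileged container gets direct read/write access to the host's fixed disks, which bypasses the engine's storage abstraction rather than being a routine container permission. The other additions in this commit carry a why-comment (`# for kubernetes storage class providers`), so these deserve one too, e.g. `# for storage provisioners that write block devices directly — TODO confirm which workload`. Because the grant is unconditional, consider putting the raw-disk rules behind a tunable the way the later commit in this series does for spc NFS servers (see the PATCH 107 subject on L247), so nodes that run no storage provisioner do not carry it.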
@@ -782,6 +805,19 @@ allow container_engine_system_domain spc_t:process { setsched signal_perms }; allow spc_t container_engine_system_domain:fifo_file rw_fifo_file_perms; +# for kubernetes debug pods - for some reason, +# cri-o does not relabel the container's /dev +# when a debug pod is created, so the user will +# be unable to attach to its terminal unless +# this is allowed +allow spc_t container_engine_tmpfs_t:dir list_dir_perms; +allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms; +allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms; + +# for kubernetes storage class providers +allow spc_t container_file_t:{ dir file } mounton; +allow spc_t container_file_t:dir_file_class_set { relabelfrom relabelto }; + allow spc_t container_runtime_t:dir { manage_dir_perms mounton }; allow spc_t container_runtime_t:file manage_file_perms; allow spc_t container_runtime_t:sock_file manage_sock_file_perms; @@ -790,7 +826,10 @@ dev_mounton_sysfs_dirs(spc_t) dev_read_sysfs(spc_t) fs_read_nsfs_files(spc_t) +fs_mount_xattr_fs(spc_t) +fs_unmount_xattr_fs(spc_t) fs_mount_cgroup(spc_t) +fs_mounton_cgroup(spc_t) fs_list_cgroup_dirs(spc_t) fs_mount_bpf(spc_t) fs_create_bpf_dirs(spc_t) @@ -801,15 +840,21 @@ fs_watch_tmpfs_dirs(spc_t) kernel_load_module(spc_t) kernel_request_load_module(spc_t) kernel_read_network_state(spc_t) +kernel_read_vm_overcommit_sysctl(spc_t) +kernel_dontaudit_list_unlabeled(spc_t) -init_dbus_chat(spc_t) -init_run_bpf(spc_t) +storage_raw_rw_fixed_disk(spc_t) + +init_read_state(spc_t) iptables_read_runtime_files(spc_t) modutils_read_module_deps(spc_t) -container_list_plugins(spc_t) +# for kubernetes debug pods +term_use_generic_ptys(spc_t) + +container_list_plugin_dirs(spc_t) container_manage_plugin_files(spc_t) container_create_config_files(spc_t) 
@@ -821,7 +866,12 @@ container_manage_log_files(spc_t) container_manage_var_lib_dirs(spc_t) container_manage_var_lib_files(spc_t) -allow spc_t container_var_lib_t:file map; +container_map_var_lib_files(spc_t) + +ifdef(`init_systemd',` + init_dbus_chat(spc_t) + init_run_bpf(spc_t) +') optional_policy(` dbus_system_bus_client(spc_t) @@ -836,6 +886,7 @@ optional_policy(` kubernetes_watch_plugin_dirs(spc_t) kubernetes_manage_plugin_files(spc_t) + # Calico runs as a privileged container kubernetes_run_engine_bpf(spc_t) ') diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te index dfe1ee5db1..8ac9e9fdbd 100644 --- a/policy/modules/services/crio.te +++ b/policy/modules/services/crio.te @@ -10,7 +10,6 @@ container_system_engine(crio_t) kubernetes_container_engine(crio_t) type crio_exec_t; container_engine_executable_file(crio_exec_t) -application_domain(crio_t, crio_exec_t) init_daemon_domain(crio_t, crio_exec_t) ifdef(`enable_mls',` init_ranged_daemon_domain(crio_t, crio_exec_t, s0 - mls_systemhigh) @@ -74,7 +73,7 @@ optional_policy(` # crio conmon local policy # -allow crio_conmon_t self:capability { sys_ptrace sys_resource }; +allow crio_conmon_t self:capability { kill sys_ptrace sys_resource }; files_search_tmp(crio_conmon_t) @@ -83,10 +82,12 @@ fs_list_cgroup_dirs(crio_conmon_t) init_rw_inherited_stream_socket(crio_conmon_t) init_use_fds(crio_conmon_t) -container_getpgid_all_containers(crio_conmon_t) container_kill_all_containers(crio_conmon_t) container_read_all_container_state(crio_conmon_t) +# for kubernetes debug pods +container_use_container_ptys(crio_conmon_t) + # crio logs are tmp files container_manage_engine_tmp_files(crio_conmon_t) container_manage_engine_tmp_sock_files(crio_conmon_t) @@ -103,3 +104,6 @@ container_manage_var_lib_fifo_files(crio_conmon_t) container_manage_var_lib_sock_files(crio_conmon_t) container_manage_log_files(crio_conmon_t) + +kubernetes_getpgid_containers(crio_conmon_t) +kubernetes_kubelet_kill(crio_conmon_t) 
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index 3c8640e1c9..2b1a67809a 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if @@ -30,7 +30,7 @@ template(`kubernetes_kubectl_role',` gen_require(` attribute kubectl_domain; type kubectl_exec_t; - type kubernetes_conf_home_t; + type kubernetes_home_t; ') ######################################## @@ -49,17 +49,17 @@ template(`kubernetes_kubectl_role',` domtrans_pattern($3, kubectl_exec_t, $1_kubectl_t) - allow $2 kubernetes_conf_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kubernetes_conf_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 kubernetes_conf_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, kubernetes_conf_home_t, dir, ".kube") + allow $2 kubernetes_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 kubernetes_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 kubernetes_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, kubernetes_home_t, dir, ".kube") allow $3 $1_kubectl_t:process { ptrace signal_perms }; ps_process_pattern($3, $1_kubectl_t) auth_use_nsswitch($1_kubectl_t) - # kubectl executes an editor when editing files + # kubectl executes an editor when editing files. # transition back to the user domain when running them corecmd_bin_domtrans($1_kubectl_t, $2) 
@@ -133,6 +133,44 @@ interface(`kubernetes_read_kubelet_state',` ps_process_pattern($1, kubelet_t) ') +####################################### +## +## Inherit and use file descriptors from +## kubelet. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_use_kubelet_fds',` + gen_require(` + type kubelet_t; + ') + + allow $1 kubelet_t:fd use; +') + +####################################### +## +## Allow kubelet to send a kill signal +## to the specified domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_kubelet_kill',` + gen_require(` + type kubelet_t; + ') + + allow kubelet_t $1:process sigkill; +') + ####################################### ## ## Execute kubeadm in the kubeadm domain. @@ -200,6 +238,28 @@ interface(`kubernetes_container_engine',` typeattribute $1 kubernetes_container_engine_domain; ') +######################################## +## +## Associated the specified domain to +## be a domain which is capable of +## operating as a container domain +## which can be spawned by kubernetes. +## engine. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_container',` + gen_require(` + attribute kubernetes_container_domain; + ') + + typeattribute $1 kubernetes_container_domain; +') + ######################################## ## ## Allow the specified file type to be @@ -219,6 +279,26 @@ interface(`kubernetes_mountpoint',` typeattribute $1 kubernetes_mountpoint_type; ') +######################################## +## +## Allow the specified domain to +## get the process group ID of all +## kubernetes containers. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kubernetes_getpgid_containers',` + gen_require(` + attribute kubernetes_container_domain; + ') + + allow $1 kubernetes_container_domain:process getpgid; +') + ######################################## ## ## Run kubernetes container engine bpf 
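Review bot: The parameter description in `kubernetes_getpgid_containers` reads `## Domain allowed to transition.` although the interface only grants `getpgid`; it should be `## Domain allowed access.` like the neighbouring interfaces. In `kubernetes_kubelet_kill` the parameter is the *target* of kubelet's `sigkill`, so `## Domain allowed access.` is misleading there as well — `## Domain that kubelet is allowed to send SIGKILL to.` describes the rule that is actually written. The `kubernetes_container` summary also has a stray sentence break (`spawned by kubernetes. engine.`) and should open with `Associate` rather than `Associated`.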
@@ -314,6 +394,24 @@ interface(`kubernetes_watch_config_dirs',` allow $1 kubernetes_config_t:dir watch; ') +######################################## +## +## Manage kubernetes config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_manage_config_files',` + gen_require(` + type kubernetes_config_t; + ') + + manage_files_pattern($1, kubernetes_config_t, kubernetes_config_t) +') + ######################################## ## ## Mount on kubernetes config files. @@ -351,6 +449,27 @@ interface(`kubernetes_watch_config_files',` allow $1 kubernetes_config_t:file watch; ') +######################################## +## +## Allow the specified domain to search +## through the contents of kubernetes plugin +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_search_plugin_dirs',` + gen_require(` + type kubernetes_plugin_t; + ') + + corecmd_search_bin($1) + allow $1 kubernetes_plugin_t:dir search_dir_perms; +') + ######################################## ## ## Allow the specified domain to list @@ -412,6 +531,7 @@ interface(`kubernetes_manage_plugin_files',` ######################################## ## ## List the contents of kubernetes tmpfs +## directories. ## ## ## @@ -707,7 +827,7 @@ interface(`kubernetes_admin',` type kubectl_exec_t; type kubernetes_config_t, kubernetes_tmp_t; type kubernetes_tmpfs_t, kubernetes_runtime_t; - type kubernetes_conf_home_t; + type kubernetes_home_t; ') container_admin($1, $2) @@ -721,6 +841,8 @@ interface(`kubernetes_admin',` # kubectl executes an editor when editing files # transition back to the user domain when running them corecmd_bin_domtrans(kubectl_t, $1) + allow $1 kubectl_t:fd use; + allow $1 kubectl_t:fifo_file rw_inherited_fifo_file_perms; allow $1 kubeadm_t:process { ptrace signal_perms }; ps_process_pattern($1, kubeadm_t) 
@@ -734,17 +856,17 @@ interface(`kubernetes_admin',` files_search_etc($1) admin_pattern($1, kubernetes_config_t) + files_search_runtime($1) + admin_pattern($1, kubernetes_runtime_t) + files_search_tmp($1) admin_pattern($1, kubernetes_tmp_t) fs_search_tmpfs($1) admin_pattern($1, kubernetes_tmpfs_t) - files_search_runtime($1) - admin_pattern($1, kubernetes_runtime_t) - - admin_pattern($1, kubernetes_conf_home_t) - userdom_user_home_dir_filetrans($1, kubernetes_conf_home_t, dir, ".kube") + admin_pattern($1, kubernetes_home_t) + userdom_user_home_dir_filetrans($1, kubernetes_home_t, dir, ".kube") optional_policy(` crio_admin($1, $2) diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 79e32292dd..558c4d4301 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -20,12 +20,11 @@ attribute kubernetes_container_domain; # on by kubernetes containers attribute kubernetes_mountpoint_type; -# common attribute for all kubectl domains +# attribute for kubectl domains attribute kubectl_domain; -type kubelet_t; +type kubelet_t, kubectl_domain; type kubelet_exec_t; -domain_type(kubelet_t) container_engine_executable_file(kubelet_exec_t) init_daemon_domain(kubelet_t, kubelet_exec_t) role kubernetes_roles types kubelet_t; @@ -51,12 +50,12 @@ type kubernetes_runtime_t; files_runtime_file(kubernetes_runtime_t) kubernetes_mountpoint(kubernetes_runtime_t) -# files created in /tmp by kubectl for editing type kubernetes_tmp_t; files_tmp_file(kubernetes_tmp_t) type kubernetes_tmpfs_t; files_type(kubernetes_tmpfs_t) +kubernetes_mountpoint(kubernetes_tmpfs_t) type kubernetes_unit_t; init_unit_file(kubernetes_unit_t) 
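Review bot: `type kubelet_t, kubectl_domain;` in the kubernetes.te `@@ -20` hunk makes the kubelet daemon inherit every `kubectl_domain` rule, which is a much larger change than the dropped `domain_type(kubelet_t)` line suggests and carries no comment. The consequences land in the kubectl_domain hunk on L244: kubelet_t now receives `userdom_manage_user_home_content_files`, `corenet_tcp_bind_all_unreserved_ports`, `userdom_use_user_terminals` and the `kubernetes_home_t` manage rules, none of which a system daemon should need. If kubelet only needs the API-client pieces, grant those to kubelet_t directly (it already has `corenet_tcp_connect_kubernetes_port(kubelet_t)` on L239) and keep `kubectl_domain` for the interactive kubectl domains; otherwise add a comment at the type declaration explaining why the daemon shares the attribute.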
@@ -69,16 +68,28 @@ xdg_config_content(kubernetes_home_t) # common kubernetes container engine policy # +allow kubernetes_container_engine_domain kubernetes_mountpoint_type:dir search_dir_perms; allow kubernetes_container_engine_domain kubernetes_mountpoint_type:dir_file_class_set { getattr mounton }; +allow kubernetes_container_engine_domain kubernetes_container_domain:process getpgid; + +ps_process_pattern(kubernetes_container_engine_domain, kubernetes_container_domain) + +# for kubectl port-forward +corenet_tcp_connect_all_ports(kubernetes_container_engine_domain) + files_getattr_kernel_modules(kubernetes_container_engine_domain) +# for replicated storage that may be mounted in /mnt +files_search_mnt(kubernetes_container_engine_domain) fs_mounton_tmpfs(kubernetes_container_engine_domain) +fs_relabelfrom_tmpfs_dirs(kubernetes_container_engine_domain) -iptables_getattr_runtime_files(kubernetes_container_engine_domain) +# for relabeling newly provisioned persistent volumes +kernel_list_unlabeled(kubernetes_container_engine_domain) +kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain) -corecmd_search_bin(kubernetes_container_engine_domain) -allow kubernetes_container_engine_domain kubernetes_plugin_t:dir search_dir_perms; +iptables_getattr_runtime_files(kubernetes_container_engine_domain) container_use_container_ptys(kubernetes_container_engine_domain) 
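Review bot: `corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)` lets the container engine initiate TCP connections to any port on any host for the sake of `kubectl port-forward`, which also covers control-plane, database and management ports of everything else reachable from the node. If the engine performs the connect from inside the pod's network namespace the destination is chosen by the pod anyway, and the comment should state that this is why the rule cannot be narrower; if forwarded pods in practice only listen on unreserved ports, `corenet_tcp_connect_all_unreserved_ports` (already used for kubelet_t on L239) is the narrower choice. Either way, a justification beyond `# for kubectl port-forward` would save the next reviewer from re-deriving it.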
@@ -87,8 +98,10 @@ container_exec_plugins(kubernetes_container_engine_domain) container_search_logs(kubernetes_container_engine_domain) container_watch_log_dirs(kubernetes_container_engine_domain) -container_filetrans_var_lib_file(kubernetes_container_engine_domain, dir, "calico") -container_filetrans_var_lib_file(kubernetes_container_engine_domain, dir, "etcd") +container_var_lib_filetrans_file(kubernetes_container_engine_domain, dir, "calico") +container_var_lib_filetrans_file(kubernetes_container_engine_domain, dir, "etcd") + +kubernetes_search_plugin_dirs(kubernetes_container_engine_domain) ifdef(`init_systemd',` init_dbus_chat(kubernetes_container_engine_domain) 
@@ -102,13 +115,49 @@ ifdef(`init_systemd',` init_stop_transient_units(kubernetes_container_engine_domain) ') +tunable_policy(`container_manage_public_content',` + miscfiles_mounton_all_public_dirs(kubernetes_container_engine_domain) + miscfiles_mounton_all_public_files(kubernetes_container_engine_domain) +') + +tunable_policy(`container_read_public_content',` + miscfiles_mounton_all_public_dirs(kubernetes_container_engine_domain) + miscfiles_mounton_all_public_files(kubernetes_container_engine_domain) +') + +######################################## +# +# common kubernetes container policy +# + +allow kubernetes_container_domain kubernetes_container_engine_domain:fd use; + +# for control plane IPC +container_stream_connect_spec_container(kubernetes_container_domain, kubernetes_container_domain) + +container_manage_var_lib_dirs(kubernetes_container_domain) +container_manage_var_lib_files(kubernetes_container_domain) +container_map_var_lib_files(kubernetes_container_domain) + +# for kube-apiserver if using an volume for storing logs +container_list_log_dirs(kubernetes_container_domain) +container_create_log_dirs(kubernetes_container_domain) +container_manage_log_files(kubernetes_container_domain) + +kubernetes_watch_config_dirs(kubernetes_container_domain) +kubernetes_watch_config_files(kubernetes_container_domain) + +kubernetes_list_plugins(kubernetes_container_domain) +kubernetes_watch_plugin_dirs(kubernetes_container_domain) +kubernetes_manage_plugin_files(kubernetes_container_domain) + ######################################## # # kubelet local policy # allow kubelet_t self:process { getattr getsched setrlimit signal }; -allow kubelet_t self:capability { chown dac_override dac_read_search net_admin net_raw sys_ptrace sys_resource }; +allow kubelet_t self:capability { chown dac_override dac_read_search fowner fsetid kill net_admin net_raw sys_ptrace sys_resource }; allow kubelet_t self:cap_userns sys_ptrace; allow kubelet_t self:fifo_file rw_fifo_file_perms; allow 
kubelet_t self:rawip_socket create_socket_perms; @@ -116,13 +165,18 @@ allow kubelet_t self:tcp_socket create_stream_socket_perms; allow kubelet_t self:unix_dgram_socket create_socket_perms; allow kubelet_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow kubelet_t kubernetes_container_engine_domain:process sigkill; +allow kubelet_t kubernetes_container_domain:process sigkill; + +allow kubelet_t kubernetes_mountpoint_type:dir search_dir_perms; + allow kubelet_t kubernetes_plugin_t:dir { create_dir_perms list_dir_perms watch }; -allow kubelet_t kubernetes_plugin_t:file { create_file_perms rw_file_perms }; +manage_files_pattern(kubelet_t, kubernetes_plugin_t, kubernetes_plugin_t) can_exec(kubelet_t, kubernetes_plugin_t) # kubelet drops plugins in /usr/libexec/kubernetes corecmd_bin_filetrans(kubelet_t, kubernetes_plugin_t, dir, "kubernetes") -allow kubelet_t kubernetes_config_t:dir { list_dir_perms watch }; +allow kubelet_t kubernetes_config_t:dir { create_dir_perms list_dir_perms watch }; allow kubelet_t kubernetes_config_t:file { read_file_perms watch }; allow kubelet_t kubernetes_config_t:lnk_file read_lnk_file_perms; files_etc_filetrans(kubelet_t, kubernetes_config_t, dir) @@ -137,6 +191,10 @@ allow kubelet_t kubernetes_runtime_t:file manage_file_perms; allow kubelet_t kubernetes_runtime_t:sock_file manage_sock_file_perms; files_runtime_filetrans(kubelet_t, kubernetes_runtime_t, { dir file sock_file }) +# kubelet detects unsafe mount behavior in /tmp by creating and unmounting a dir +manage_dirs_pattern(kubelet_t, kubernetes_tmp_t, kubernetes_tmp_t) +files_tmp_filetrans(kubelet_t, kubernetes_tmp_t, dir) + kubernetes_manage_tmpfs_dirs(kubelet_t) kubernetes_manage_tmpfs_files(kubelet_t) kubernetes_manage_tmpfs_symlinks(kubelet_t) 
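Review bot: The `@@ -102` hunk (which continues onto this line) grants `kubernetes_manage_plugin_files(kubernetes_container_domain)` and `container_manage_var_lib_files(kubernetes_container_domain)` to every kubernetes container, and the container.te hunk on L225 puts plain `container_t` into that attribute. `kubernetes_plugin_t` files are executed by kubelet_t (`can_exec(kubelet_t, kubernetes_plugin_t)` in the `@@ -116` hunk here) and by the engine, so a pod that can reach the plugin directory (presumably via a host mount) could replace a binary the host later runs as root; the same concern applies to image and layer storage under `container_var_lib_t`. Only the plugin-installer pods need write access, and `spc_t` already has `kubernetes_manage_plugin_files(spc_t)` (context on L230), so the common-container section should keep only `kubernetes_list_plugins`/`kubernetes_watch_plugin_dirs`, or the write rules should sit behind a tunable with a comment naming the workload that requires them.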
@@ -149,9 +207,8 @@ corenet_tcp_bind_kubernetes_port(kubelet_t) corenet_tcp_connect_kubernetes_port(kubelet_t) corenet_tcp_connect_all_unreserved_ports(kubelet_t) -corecmd_search_bin(kubelet_t) -corecmd_watch_bin_dirs(kubelet_t) corecmd_exec_bin(kubelet_t) +corecmd_watch_bin_dirs(kubelet_t) dev_getattr_mtrr_dev(kubelet_t) dev_read_kmsg(kubelet_t) @@ -161,33 +218,34 @@ domain_dontaudit_read_all_domains_state(kubelet_t) domain_setpriority_all_domains(kubelet_t) files_dontaudit_getattr_all_dirs(kubelet_t) -files_dontaudit_search_mnt(kubelet_t) files_dontaudit_search_tmp(kubelet_t) -files_search_tmp(kubelet_t) +# search mnt for using persistent storage, if mounted there +files_search_mnt(kubelet_t) files_read_kernel_symbol_table(kubelet_t) # read /usr/share/mime/globs2 files_read_usr_files(kubelet_t) fs_getattr_tmpfs(kubelet_t) fs_search_tmpfs(kubelet_t) +fs_setattr_tmpfs_dirs(kubelet_t) fs_getattr_xattr_fs(kubelet_t) fs_getattr_cgroup(kubelet_t) -fs_list_cgroup_dirs(kubelet_t) +fs_manage_cgroup_dirs(kubelet_t) +fs_manage_cgroup_files(kubelet_t) fs_watch_cgroup_dirs(kubelet_t) -fs_rw_cgroup_files(kubelet_t) +kernel_dontaudit_getattr_proc(kubelet_t) kernel_getattr_message_if(kubelet_t) kernel_read_ring_buffer(kubelet_t) kernel_read_irq_sysctls(kubelet_t) kernel_read_network_state(kubelet_t) kernel_read_system_state(kubelet_t) +kernel_read_state(kubelet_t) kernel_rw_kernel_sysctl(kubelet_t) kernel_rw_net_sysctls(kubelet_t) kernel_rw_vm_overcommit_sysctl(kubelet_t) -kernel_dontaudit_getattr_proc(kubelet_t) -kernel_read_state(kubelet_t) -storage_dontaudit_getattr_fixed_disk_dev(kubelet_t) +storage_getattr_fixed_disk_dev(kubelet_t) auth_use_nsswitch(kubelet_t) 
@@ -205,6 +263,13 @@ miscfiles_read_localization(kubelet_t) modutils_domtrans(kubelet_t) mount_domtrans(kubelet_t) +# for kubelet's metrics gathering +mount_read_state(kubelet_t) + +# kubelet performs CSI driver actions. At startup, kubelet determines +# if SELinux is enabled in order to relabel newly provisioned volumes +selinux_get_fs_mount(kubelet_t) +selinux_get_enforce_mode(kubelet_t) seutil_read_default_contexts(kubelet_t) @@ -227,19 +292,6 @@ container_stream_connect_spec_container(kubelet_t, kubernetes_container_domain) container_read_all_container_state(kubelet_t) container_read_all_container_engine_state(kubelet_t) -container_list_var_lib(kubelet_t) -container_manage_dirs(kubelet_t) -container_manage_files(kubelet_t) -container_manage_lnk_files(kubelet_t) -container_manage_sock_files(kubelet_t) -container_rw_fifo_files(kubelet_t) -container_watch_dirs(kubelet_t) -container_list_ro_dirs(kubelet_t) - -container_manage_log_dirs(kubelet_t) -container_manage_log_files(kubelet_t) -container_manage_log_symlinks(kubelet_t) - # kubelet will preemptively relabel container # files to the same label even if the labels # are correct, so just dontaudit these 
@@ -258,9 +310,30 @@ container_filetrans_var_lib_file(kubelet_t, dir, "pods") container_filetrans_var_lib_file(kubelet_t, dir, "plugins") container_filetrans_var_lib_file(kubelet_t, dir, "plugins_registry") +container_manage_dirs(kubelet_t) +container_manage_files(kubelet_t) +container_manage_lnk_files(kubelet_t) +container_manage_sock_files(kubelet_t) +container_rw_fifo_files(kubelet_t) +container_watch_dirs(kubelet_t) +container_list_ro_dirs(kubelet_t) +container_relabel_all_content(kubelet_t) + +container_manage_log_dirs(kubelet_t) +container_manage_log_files(kubelet_t) +container_manage_log_symlinks(kubelet_t) +container_watch_log_files(kubelet_t) +container_log_filetrans(kubelet_t, { dir file }) + +kubernetes_manage_tmpfs_dirs(kubelet_t) +kubernetes_manage_tmpfs_files(kubelet_t) +kubernetes_manage_tmpfs_symlinks(kubelet_t) +fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file }) + ifdef(`init_systemd',` init_dbus_chat(kubelet_t) + init_get_system_status(kubelet_t) init_start_system(kubelet_t) init_stop_system(kubelet_t) init_get_transient_units_status(kubelet_t) @@ -272,9 +345,21 @@ ifdef(`init_systemd',` kubernetes_stop_unit(kubelet_t) ') -optional_policy(` - docker_read_state(kubelet_t) - docker_write_state(kubelet_t) +tunable_policy(`container_manage_public_content',` + miscfiles_search_public_dirs(kubelet_t) +') + +tunable_policy(`container_read_public_content',` + miscfiles_search_public_dirs(kubelet_t) +') + +tunable_policy(`container_use_nfs',` + fs_getattr_nfs(kubelet_t) + fs_getattr_nfsd_fs(kubelet_t) + fs_search_nfsd_fs(kubelet_t) + fs_manage_nfs_dirs(kubelet_t) + fs_manage_nfs_files(kubelet_t) + fs_manage_nfs_symlinks(kubelet_t) ') optional_policy(` 
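Review bot: The `@@ -258` hunk adds `kubernetes_manage_tmpfs_dirs(kubelet_t)`, `kubernetes_manage_tmpfs_files(kubelet_t)` and `kubernetes_manage_tmpfs_symlinks(kubelet_t)`, but the `@@ -137` hunk on L238 already shows those three calls as context for kubelet_t, so this block is a duplicate and only the new `fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })` line is needed here. Separately, the newly added `container_relabel_all_content(kubelet_t)` appears to supersede the dontaudit rules introduced under the `# kubelet will preemptively relabel container files ...` comment at the end of the previous hunk on L240 (their body is outside this chunk); if relabeling is now allowed, drop those dontaudits or rewrite the comment so it no longer claims the access is merely silenced.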
@@ -298,13 +383,14 @@ allow kubeadm_t self:unix_dgram_socket create_socket_perms; domtrans_pattern(kubeadm_t, kubelet_exec_t, kubelet_t) ps_process_pattern(kubeadm_t, kubelet_t) +allow kubeadm_t kubernetes_mountpoint_type:dir search_dir_perms; + manage_dirs_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) manage_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) manage_lnk_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t) -allow kubeadm_t kubernetes_home_t:dir search_dir_perms; -allow kubeadm_t kubernetes_home_t:file read_file_perms; -allow kubeadm_t kubernetes_home_t:lnk_file read_lnk_file_perms; +read_files_pattern(kubeadm_t, kubernetes_home_t, kubernetes_home_t) +read_lnk_files_pattern(kubeadm_t, kubernetes_home_t, kubernetes_home_t) corenet_tcp_bind_generic_node(kubeadm_t) @@ -318,24 +404,27 @@ corecmd_exec_bin(kubeadm_t) domain_use_interactive_fds(kubeadm_t) files_read_boot_files(kubeadm_t) -files_read_etc_files(kubeadm_t) files_search_kernel_modules(kubeadm_t) files_search_src(kubeadm_t) files_read_usr_files(kubeadm_t) files_read_usr_src_files(kubeadm_t) +# not actually required, but useful for reading manifests copied to /tmp +files_search_tmp(kubeadm_t) fs_getattr_tmpfs(kubeadm_t) fs_list_tmpfs(kubeadm_t) fs_unmount_tmpfs(kubeadm_t) +fs_manage_tmpfs_dirs(kubeadm_t) fs_getattr_xattr_fs(kubeadm_t) +fs_unmount_xattr_fs(kubeadm_t) fs_getattr_cgroup(kubeadm_t) fs_search_cgroup_dirs(kubeadm_t) fs_read_cgroup_files(kubeadm_t) kernel_read_network_state(kubeadm_t) kernel_read_system_state(kubeadm_t) -kernel_read_net_sysctls(kubeadm_t) kernel_read_kernel_sysctls(kubeadm_t) +kernel_read_net_sysctls(kubeadm_t) kernel_dontaudit_getattr_proc(kubeadm_t) auth_use_nsswitch(kubeadm_t) 
@@ -356,26 +445,23 @@ userdom_search_user_home_content(kubeadm_t) userdom_use_user_terminals(kubeadm_t) userdom_lock_user_terminals(kubeadm_t) -# getattr on /run/docker.sock -container_getattr_runtime_sock_files(kubeadm_t) -# for connecting to cri-o and maybe others container_stream_connect_system_engine(kubeadm_t) -container_list_var_lib(kubeadm_t) container_manage_var_lib_dirs(kubeadm_t) container_manage_var_lib_files(kubeadm_t) -container_filetrans_var_lib_file(kubeadm_t, dir, "etcd") +container_manage_var_lib_lnk_files(kubeadm_t) +container_manage_var_lib_sock_files(kubeadm_t) +container_var_lib_filetrans_file(kubeadm_t, dir) container_manage_dirs(kubeadm_t) container_manage_files(kubeadm_t) +container_manage_chr_files(kubeadm_t) +container_manage_fifo_files(kubeadm_t) container_manage_lnk_files(kubeadm_t) container_manage_sock_files(kubeadm_t) -container_manage_var_lib_dirs(kubeadm_t) -container_manage_var_lib_files(kubeadm_t) -container_manage_var_lib_lnk_files(kubeadm_t) -container_manage_var_lib_sock_files(kubeadm_t) -container_var_lib_filetrans(kubeadm_t, dir) +kubernetes_list_tmpfs(kubeadm_t) +kubernetes_read_tmpfs_symlinks(kubeadm_t) ifdef(`init_systemd',` init_get_system_status(kubeadm_t) @@ -391,9 +477,8 @@ ifdef(`init_systemd',` systemd_read_journal_files(kubeadm_t) ') -optional_policy(` - docker_domtrans_cli(kubeadm_t) - docker_read_state(kubeadm_t) +tunable_policy(`container_use_nfs',` + fs_unmount_nfs(kubeadm_t) ') ######################################## 
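Review bot: Replacing `container_filetrans_var_lib_file(kubeadm_t, dir, "etcd")` and `container_var_lib_filetrans(kubeadm_t, dir)` with the unnamed `container_var_lib_filetrans_file(kubeadm_t, dir)` labels every directory kubeadm creates directly under /var/lib as `container_file_t` — the type container domains fully manage per the container.te rules on L226 — instead of only `etcd`, with other directories no longer falling back to `container_var_lib_t`. That widens what containers can write on the host without a comment explaining why. Keeping the name filter, `container_var_lib_filetrans_file(kubeadm_t, dir, "etcd")`, next to `container_var_lib_filetrans(kubeadm_t, dir)` preserves the previous labelling while still using the renamed interface.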
@@ -405,30 +490,36 @@ allow kubectl_domain self:process { getsched signal }; allow kubectl_domain self:fifo_file rw_fifo_file_perms; allow kubectl_domain self:tcp_socket create_stream_socket_perms; -manage_dirs_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t) -manage_files_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t) -read_lnk_files_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t) +manage_dirs_pattern(kubectl_domain, kubernetes_home_t, kubernetes_home_t) +manage_files_pattern(kubectl_domain, kubernetes_home_t, kubernetes_home_t) +read_lnk_files_pattern(kubectl_domain, kubernetes_home_t, kubernetes_home_t) -files_search_tmp(kubectl_domain) +manage_dirs_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t) manage_files_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t) -files_tmp_filetrans(kubectl_domain, kubernetes_tmp_t, file) +manage_lnk_files_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t) +files_tmp_filetrans(kubectl_domain, kubernetes_tmp_t, { dir file }) + +corenet_tcp_bind_generic_node(kubectl_domain) # binds to 8001 for proxy corenet_tcp_bind_all_unreserved_ports(kubectl_domain) -corenet_tcp_bind_generic_node(kubectl_domain) corenet_tcp_connect_http_port(kubectl_domain) +corenet_tcp_connect_http_cache_port(kubectl_domain) corenet_tcp_connect_kubernetes_port(kubectl_domain) domain_use_interactive_fds(kubectl_domain) -files_read_etc_files(kubectl_domain) files_read_usr_files(kubectl_domain) +files_search_tmp(kubectl_domain) kernel_dontaudit_search_network_sysctl(kubectl_domain) miscfiles_read_generic_certs(kubectl_domain) miscfiles_read_localization(kubectl_domain) +# allow users to store manifests in their home directories +userdom_manage_user_home_content_files(kubectl_domain) + userdom_use_user_terminals(kubectl_domain) ######################################## 
@@ -437,3 +528,8 @@ userdom_use_user_terminals(kubectl_domain) # auth_use_nsswitch(kubectl_t) + +# not required, but convenient for using config commands +# in the config directory +kubernetes_read_config(kubectl_t) +kubernetes_manage_config_files(kubectl_t) diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te index 24c7092f54..5cc13da706 100644 --- a/policy/modules/services/podman.te +++ b/policy/modules/services/podman.te @@ -39,9 +39,9 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t) allow podman_t podman_conmon_t:process setsched; -# podman 4.0.0 now creates OCI networking configs -container_create_config_files(podman_t) -container_write_config_files(podman_t) +# podman creates OCI networking configs and will +# remove them when running podman system reset +container_manage_config_files(podman_t) logging_send_syslog_msg(podman_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 37d2b7ae02..e6eea666e2 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -284,6 +284,12 @@ ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) ') +optional_policy(` + tunable_policy(`container_use_nfs',` + kubernetes_use_kubelet_fds(rpcd_t) + ') +') + optional_policy(` automount_signal(rpcd_t) automount_dontaudit_write_pipes(rpcd_t) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 6a3e8cfbdf..1ad6442f7d 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if 
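Review bot: `kubernetes_manage_config_files(kubectl_t)` is introduced under a `# not required, but convenient` comment, yet it grants write access to `kubernetes_config_t`, the type the kubelet daemon reads and watches (`allow kubelet_t kubernetes_config_t:file { read_file_perms watch }` on L238). A convenience grant that lets an interactive tool modify a daemon's configuration deserves a stronger justification, or should be reduced to the read-only `kubernetes_read_config(kubectl_t)` already added on the line above if the config commands can be pointed at a kubeconfig elsewhere. If the write access is intentional, say so explicitly in the comment rather than describing it as optional.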
@@ -839,6 +839,26 @@ interface(`miscfiles_relabel_man_cache',` relabel_files_pattern($1, man_cache_t, man_cache_t) ') +######################################## +## +## Search public directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_search_public_dirs',` + gen_require(` + type public_content_t; + type public_content_rw_t; + ') + + allow $1 public_content_t:dir search_dir_perms; + allow $1 public_content_rw_t:dir search_dir_perms; +') + ######################################## ## ## Read public files used for file @@ -901,6 +921,46 @@ interface(`miscfiles_watch_public_dirs',` allow $1 public_content_rw_t:dir watch; ') +######################################## +## +## Mount on all public content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_mounton_all_public_dirs',` + gen_require(` + type public_content_t; + type public_content_rw_t; + ') + + allow $1 public_content_t:dir mounton; + allow $1 public_content_rw_t:dir mounton; +') + +######################################## +## +## Mount on all public content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_mounton_all_public_files',` + gen_require(` + type public_content_t; + type public_content_rw_t; + ') + + allow $1 public_content_t:file mounton; + allow $1 public_content_rw_t:file mounton; +') + ######################################## ## ## Read TeX data diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 975c461dd9..17cc7aafdd 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if 
@@ -69,6 +69,24 @@ interface(`mount_exec',` can_exec($1, mount_exec_t) ') +######################################## +## +## Read the process state (/proc/pid) of mount. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_read_state',` + gen_require(` + type mount_t; + ') + + ps_process_pattern($1, mount_t) +') + ######################################## ## ## Send a generic signal to mount. diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index d7f047c2dc..cfb0e2f19f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -697,6 +697,10 @@ optional_policy(` apt_use_fds(setfiles_t) ') +optional_policy(` + container_getattr_fs(setfiles_t) +') + optional_policy(` # leaked file descriptors udev_dontaudit_rw_dgram_sockets(setfiles_t) From dc66fd7238ac781bd312969e5274c1394aeb2d3c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 31 Jul 2022 21:37:40 -0400 Subject: [PATCH 107/257] container, kernel: add tunable to allow spc to create NFS servers OpenEBS' dynamic NFS provisioner uses a privileged container to dynamically provision persistent volumes and create an NFS server for it so that it can be served across different nodes. Add a tunable to allow this access. Signed-off-by: Kenton Groombridge --- policy/modules/kernel/kernel.te | 14 ++++++++++ policy/modules/services/container.if | 41 ++++++++++++++++++++++++++++ policy/modules/services/container.te | 19 +++++++++++++ 3 files changed, 74 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 5124ae016c..b47fa6e04e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -392,6 +392,20 @@ ifdef(`init_systemd',` ') ') +optional_policy(` + tunable_policy(`container_spc_create_nfs_servers',` + container_stream_connect_spc(kernel_t) + container_rw_spc_tcp_sockets(kernel_t) + + container_manage_dirs(kernel_t) + container_manage_files(kernel_t) + container_manage_chr_files(kernel_t) + container_manage_fifo_files(kernel_t) + container_manage_lnk_files(kernel_t) + container_manage_sock_files(kernel_t) + ') +') + optional_policy(` # loop devices fstools_use_fds(kernel_t) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index ec8b0c81d6..88f4c635d0 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -733,6 +733,47 @@ interface(`container_stream_connect_user_containers',` allow $1 container_runtime_t:sock_file read_sock_file_perms; ') +######################################## +## +## Connect to super privileged containers +## over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_stream_connect_spc',` + gen_require(` + type container_runtime_t; + type spc_t; + ') + + files_search_runtime($1) + stream_connect_pattern($1, container_runtime_t, container_runtime_t, spc_t) + allow $1 container_runtime_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Read and write super privileged +## container TCP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_spc_tcp_sockets',` + gen_require(` + type spc_t; + ') + + allow $1 spc_t:tcp_socket rw_stream_socket_perms; +') + ######################################## ## ## Connect to a container domain diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 92dc11c3e8..43f3472d57 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te 
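Review bot: Under `container_spc_create_nfs_servers` kernel_t receives create/write/delete on every container content type through `container_manage_dirs` down to `container_manage_sock_files`, not only on the volume the privileged container exports, and the tunable description added in container.te (`Allow super privileged containers to create NFS servers`) does not mention this kernel-side grant. A comment above the block, e.g. `# in-kernel nfsd serves the exported container volume, so the kernel reads and writes container content on behalf of NFS clients`, would make the reason visible, and the tunable description should say that enabling it also lets the kernel manage container files. If the exported paths can carry a dedicated type, the grant could be narrowed to that type. `container_manage_chr_files(kernel_t)` in particular deserves a line on whether device nodes are actually exported.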
@@ -30,6 +30,13 @@ gen_tunable(container_manage_public_content, false) ## gen_tunable(container_read_public_content, false) +## +##

+## Allow super privileged containers to create NFS servers. +##

+##
+gen_tunable(container_spc_create_nfs_servers, false) + ## ##

## Allow containers to use eCryptfs filesystems. @@ -617,6 +624,7 @@ tunable_policy(`container_use_nfs',` fs_read_nfs_symlinks(container_engine_domain) fs_mount_nfs(container_engine_domain) fs_unmount_nfs(container_engine_domain) + fs_mounton_nfs(container_engine_domain) fs_exec_nfs_files(container_engine_domain) kernel_rw_fs_sysctls(container_engine_domain) ',` @@ -873,6 +881,17 @@ ifdef(`init_systemd',` init_run_bpf(spc_t) ') +optional_policy(` + tunable_policy(`container_spc_create_nfs_servers',` + fs_mount_nfsd_fs(spc_t) + fs_rw_nfsd_fs(spc_t) + kernel_mounton_proc_dirs(spc_t) + kernel_rw_rpc_sysctls(spc_t) + kernel_rw_fs_sysctls(spc_t) + rpc_manage_nfs_state_data(spc_t) + ') +') + optional_policy(` dbus_system_bus_client(spc_t) dbus_all_session_bus_client(spc_t) From 9216a7a7f1162d1ac6db74d6401f9ac71b2ba51f Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 1 Oct 2022 13:58:49 -0400 Subject: [PATCH 108/257] container: add tunable to allow containers to use huge pages Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 43f3472d57..ea64ae3669 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -44,6 +44,13 @@ gen_tunable(container_spc_create_nfs_servers, false) ## gen_tunable(container_use_ecryptfs, false) +## +##

+## Allow containers to use huge pages. +##

+##
+gen_tunable(container_use_hugetlbfs, false) + ## ##

## Allow containers to use NFS filesystems. @@ -306,6 +313,10 @@ tunable_policy(`container_use_ecryptfs',` fs_list_ecryptfs(container_domain) ') +tunable_policy(`container_use_hugetlbfs',` + fs_mmap_rw_hugetlbfs_files(container_t) +') + tunable_policy(`container_use_nfs',` fs_manage_nfs_dirs(container_domain) fs_manage_nfs_files(container_domain) From 3ae057511428ba26f4fcf6ff8b97749625af42b3 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 1 Oct 2022 22:02:10 -0400 Subject: [PATCH 109/257] container, kubernetes: add private type for generic container devices /dev/termination-log is one such generic file created in containers' /dev filesystems. Add a private type for objects created in /dev for containers instead of using the generic device type. Signed-off-by: Kenton Groombridge --- policy/modules/services/container.if | 83 +++++++++++++++++++++++++++ policy/modules/services/container.te | 5 ++ policy/modules/services/kubernetes.te | 5 ++ 3 files changed, 93 insertions(+) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index 88f4c635d0..d18320b8ba 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -856,6 +856,89 @@ interface(`container_signal_all_containers',` allow $1 container_domain:process signal_perms; ') +######################################## +##
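Review bot: `fs_mmap_rw_hugetlbfs_files(container_t)` is scoped to the single domain container_t, while the tunable text says `Allow containers to use huge pages` and the neighbouring `container_use_ecryptfs` block grants to the `container_domain` attribute. Either the rule should read `fs_mmap_rw_hugetlbfs_files(container_domain)` or the tunable description should state that it affects only the generic container_t domain; as written, user containers and other domains under the attribute stay denied with the boolean on. I cannot tell from the hunk which of the two was intended.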

+## Create objects in /dev with an automatic +## transition to the container device type. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_dev_filetrans',` + gen_require(` + type container_device_t; + ') + + dev_filetrans($1, container_device_t, $2, $3) +') + +######################################## +## +## Read and write container device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_device_files',` + gen_require(` + type container_device_t; + ') + + allow $1 container_device_t:file rw_file_perms; +') + +######################################## +## +## Manage container device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_device_files',` + gen_require(` + type container_device_t; + ') + + allow $1 container_device_t:file manage_file_perms; +') + +######################################## +## +## Mount on all container devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_mounton_all_devices',` + gen_require(` + type container_device_t; + ') + + allow $1 container_device_t:dir_file_class_set mounton; +') + ######################################## ## ## Set the attributes of container ptys. diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index ea64ae3669..c37b4a211f 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -158,6 +158,10 @@ optional_policy(` kubernetes_mountpoint(container_log_t) ') +# generic devices created in container /dev filesystems +type container_device_t; +dev_node(container_device_t) + type container_devpts_t; term_pty(container_devpts_t) 
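Review bot: The `container_dev_filetrans` documentation presents the object name as a required third parameter, but `dev_filetrans($1, container_device_t, $2, $3)` accepts an empty `$3`, and the kubernetes.te caller added by the same patch (`container_dev_filetrans(kubernetes_container_engine_domain, file)`) relies on that to label every file the engine creates in /dev, not just /dev/termination-log. The parameter text should say so, e.g. `The name of the object being created; if omitted, every object of the given class created in device directories transitions.` `container_rw_device_files` and `container_manage_device_files` both act on one shared type, so anything labeled container_device_t is reachable by every domain granted them, which is worth a sentence in their summaries.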
@@ -289,6 +293,7 @@ miscfiles_read_fonts(container_domain) mta_dontaudit_read_spool_symlinks(container_domain) +container_rw_device_files(container_domain) container_use_container_ptys(container_domain) tunable_policy(`container_manage_cgroup',` diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 558c4d4301..d8360fe32c 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -91,6 +91,11 @@ kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain) iptables_getattr_runtime_files(kubernetes_container_engine_domain) +# for /dev/termination-log and maybe other device types +container_dev_filetrans(kubernetes_container_engine_domain, file) +container_manage_device_files(kubernetes_container_engine_domain) +container_mounton_all_devices(kubernetes_container_engine_domain) + container_use_container_ptys(kubernetes_container_engine_domain) container_exec_plugins(kubernetes_container_engine_domain) From 6c2124d5ae40aa1d8fd23c9fc4a0cd84bfd7d05c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 2 Oct 2022 01:44:03 -0400 Subject: [PATCH 110/257] container: add tunable to use dri devices Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index c37b4a211f..cd5551e143 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -38,9 +38,16 @@ gen_tunable(container_read_public_content, false) gen_tunable(container_spc_create_nfs_servers, false) ## -##
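Review bot: `container_rw_device_files(container_domain)` grants every container domain read/write on all `container_device_t` files, so the termination-log files of different containers share one type and are separated only by mount namespace, not by policy. That is in line with the other shared container types, but the reason belongs next to the rule, e.g. `# /dev/termination-log in the container's private /dev`. The engine side in kubernetes.te gets manage and mounton on the same type while containers get only rw, so a container cannot create or relabel device-typed files, which is the right split.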

-## Allow containers to use eCryptfs filesystems. -##

+##

+## Allow containers to use direct rendering devices. +##

+##
+gen_tunable(container_use_dri, false) + +## +##

+## Allow containers to use eCryptfs filesystems. +##

##
gen_tunable(container_use_ecryptfs, false) @@ -311,6 +318,10 @@ tunable_policy(`container_read_public_content',` miscfiles_watch_public_dirs(container_domain) ') +tunable_policy(`container_use_dri',` + dev_rw_dri(container_domain) +') + tunable_policy(`container_use_ecryptfs',` fs_manage_ecryptfs_dirs(container_domain) fs_manage_ecryptfs_files(container_domain) From 3b3d3715c9b47b7efb57a76595c16381b98b862d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 2 Oct 2022 01:44:13 -0400 Subject: [PATCH 111/257] container, kubernetes: add rules for device plugins running as spc Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 6 +++++- policy/modules/services/kubernetes.if | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index cd5551e143..1e67e0b2fe 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -865,7 +865,8 @@ fs_mount_xattr_fs(spc_t) fs_unmount_xattr_fs(spc_t) fs_mount_cgroup(spc_t) fs_mounton_cgroup(spc_t) -fs_list_cgroup_dirs(spc_t) +fs_manage_cgroup_dirs(spc_t) +fs_manage_cgroup_files(spc_t) fs_mount_bpf(spc_t) fs_create_bpf_dirs(spc_t) fs_manage_bpf_files(spc_t) @@ -934,6 +935,9 @@ optional_policy(` # Calico runs as a privileged container kubernetes_run_engine_bpf(spc_t) + + # for device plugins + kubernetes_stream_connect_kubelet(spc_t) ') optional_policy(` diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index 2b1a67809a..2b5ac31448 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if 
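Review bot: Replacing `fs_list_cgroup_dirs(spc_t)` with `fs_manage_cgroup_dirs(spc_t)` and `fs_manage_cgroup_files(spc_t)` turns a listing permission into full create/write/delete over the cgroup hierarchy without saying which device plugin needs it, whereas the kubelet connection in the next hunk does carry `# for device plugins`. A matching comment above the two lines, e.g. `# device plugins running as spc manage cgroup entries`, would tie the grant to the commit rationale. spc_t is already highly privileged, so this is about traceability rather than containment.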
@@ -114,6 +114,27 @@ interface(`kubernetes_run_kubelet',` kubernetes_domtrans_kubelet($1) ') +######################################## +## +## Connect to kubelet over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_stream_connect_kubelet',` + gen_require(` + type kubelet_t; + type kubernetes_runtime_t; + ') + + files_search_runtime($1) + stream_connect_pattern($1, kubernetes_runtime_t, kubernetes_runtime_t, kubelet_t) + allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms; +') + ####################################### ## ## Read the process state (/proc/pid) From d4c5bd96c86a2ac6c2d26693c737286df383c3ce Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 2 Oct 2022 15:49:55 -0400 Subject: [PATCH 112/257] various: allow using glusterfs as backing storage for k8s Signed-off-by: Kenton Groombridge --- policy/modules/kernel/filesystem.if | 337 ++++++++++++++++++++++++++ policy/modules/services/container.te | 9 +- policy/modules/services/glusterfs.if | 19 ++ policy/modules/services/glusterfs.te | 2 +- policy/modules/services/kubernetes.te | 38 ++- policy/modules/services/rpc.if | 19 ++ 6 files changed, 420 insertions(+), 4 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 9a30e95140..173dcbdc73 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2583,6 +2583,26 @@ interface(`fs_search_fusefs',` allow $1 fusefs_t:dir search_dir_perms; ') +######################################## +## +## List the contents of directories +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_list_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir list_dir_perms; +') + ######################################## ## ## Do not audit attempts to list the contents 
@@ -2602,6 +2622,26 @@ interface(`fs_dontaudit_list_fusefs',` dontaudit $1 fusefs_t:dir list_dir_perms; ') +######################################## +## +## Set the attributes of directories +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir setattr_dir_perms; +') + ######################################## ## ## Create, read, write, and delete directories @@ -2642,6 +2682,26 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` dontaudit $1 fusefs_t:dir manage_dir_perms; ') +######################################## +## +## Get the attributes of files on a +## FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + getattr_files_pattern($1, fusefs_t, fusefs_t) +') + ######################################## ## ## Read, a FUSEFS filesystem. @@ -2680,6 +2740,26 @@ interface(`fs_exec_fusefs_files',` exec_files_pattern($1, fusefs_t, fusefs_t) ') +######################################## +## +## Set the attributes of files on a +## FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:file setattr_file_perms; +') + ######################################## ## ## Create, read, write, and delete files @@ -2720,6 +2800,26 @@ interface(`fs_dontaudit_manage_fusefs_files',` dontaudit $1 fusefs_t:file manage_file_perms; ') +######################################## +## +## Get the attributes of symlinks +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_fusefs_symlinks',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:lnk_file getattr_lnk_file_perms; +') + ######################################## ## ## Read symbolic links on a FUSEFS filesystem. 
@@ -2739,6 +2839,26 @@ interface(`fs_read_fusefs_symlinks',` read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') +######################################## +## +## Set the attributes of symlinks +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_fusefs_symlinks',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:lnk_file setattr_lnk_file_perms; +') + ######################################## ## ## Manage symlinks on a FUSEFS filesystem. 
@@ -2758,6 +2878,186 @@ interface(`fs_manage_fusefs_symlinks',` manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ') +######################################## +## +## Get the attributes of named pipes +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_fusefs_fifo_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:fifo_file getattr_fifo_file_perms; +') + +######################################## +## +## Set the attributes of named pipes +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_fusefs_fifo_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:fifo_file setattr_fifo_file_perms; +') + +######################################## +## +## Manage named pipes on a FUSEFS +## filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_fusefs_fifo_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:fifo_file manage_fifo_file_perms; +') + +######################################## +## +## Get the attributes of named sockets +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_fusefs_sock_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:sock_file getattr_sock_file_perms; +') + +######################################## +## +## Set the attributes of named sockets +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_fusefs_sock_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:sock_file setattr_sock_file_perms; +') + +######################################## +## +## Manage named sockets on a FUSEFS +## filesystem. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`fs_manage_fusefs_sock_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Get the attributes of character files +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_fusefs_chr_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:chr_file getattr_chr_file_perms; +') + +######################################## +## +## Set the attributes of character files +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_fusefs_chr_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:chr_file setattr_chr_file_perms; +') + +######################################## +## +## Manage character files on a FUSEFS +## filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_fusefs_chr_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:chr_file manage_chr_file_perms; +') + ######################################## ## ## Get the attributes of an hugetlbfs @@ -3242,6 +3542,25 @@ interface(`fs_dontaudit_list_nfs',` dontaudit $1 nfs_t:dir list_dir_perms; ') +######################################## +## +## Add a watch on directories on an NFS +## filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_watch_nfs_dirs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir watch; +') + ######################################## ## ## Mounton a NFS filesystem. 
@@ -3397,6 +3716,24 @@ interface(`fs_dontaudit_rw_nfs_files',` dontaudit $1 nfs_t:file rw_file_perms; ') +######################################## +## +## Add a watch on files on an NFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_watch_nfs_files',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:file watch; +') + ######################################## ## ## Read symbolic links on a NFS filesystem. diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 1e67e0b2fe..d96ac9fd1d 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -276,9 +276,12 @@ files_read_usr_symlinks(container_domain) fs_getattr_all_fs(container_domain) fs_list_inotifyfs(container_domain) -# for rootless containers +# for rootless containers and containers using fusefs mounts fs_manage_fusefs_dirs(container_domain) fs_manage_fusefs_files(container_domain) +fs_manage_fusefs_chr_files(container_domain) +fs_manage_fusefs_fifo_files(container_domain) +fs_manage_fusefs_sock_files(container_domain) fs_manage_fusefs_symlinks(container_domain) fs_exec_fusefs_files(container_domain) fs_fusefs_entry_type(container_domain) @@ -339,6 +342,8 @@ tunable_policy(`container_use_nfs',` fs_manage_nfs_named_sockets(container_domain) fs_read_nfs_symlinks(container_domain) fs_exec_nfs_files(container_domain) + fs_watch_nfs_dirs(container_domain) + fs_watch_nfs_files(container_domain) ') tunable_policy(`container_use_samba',` 
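Review bot: `fs_manage_fusefs_chr_files(container_domain)` lets every container domain create and unlink character device nodes on any fusefs mount, which is more than the open/read/write a container needs to use a device that already exists there. If the observed denials were only rw-class, a read/write interface is the narrower choice; creating device nodes normally also needs the `mknod` capability, which this hunk does not add, suggesting manage may exceed what is exercised. The same question applies to the kubernetes engine grant in kubernetes.te in this patch, where manage is more plausible because the engine prepares the volume.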
@@ -480,7 +485,7 @@ allow container_engine_domain container_port_t:tcp_socket name_bind; dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh }; allow container_engine_domain container_domain:process2 { nnp_transition nosuid_transition }; -allow container_engine_domain container_mountpoint_type:dir search_dir_perms; +allow container_engine_domain container_mountpoint_type:dir list_dir_perms; allow container_engine_domain container_mountpoint_type:dir_file_class_set { getattr mounton }; corecmd_bin_entry_type(container_engine_domain) diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if index ab5c8a4da8..396fa05a46 100644 --- a/policy/modules/services/glusterfs.if +++ b/policy/modules/services/glusterfs.if @@ -84,6 +84,25 @@ interface(`glusterfs_use_daemon_fds',` allow $1 glusterd_t:fd use; ') +######################################## +## +## Search through the contents of gluster brick +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterfs_search_bricks',` + gen_require(` + type glusterd_brick_t; + ') + + allow $1 glusterd_brick_t:dir search_dir_perms; +') + ######################################## ## ## All of the rules required to diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te index c46215be15..d9c77d3846 100644 --- a/policy/modules/services/glusterfs.te +++ b/policy/modules/services/glusterfs.te @@ -48,7 +48,7 @@ files_type(glusterd_hook_t) # Local policy # -allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource }; +allow glusterd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock sys_admin sys_ptrace sys_resource }; allow glusterd_t self:process { getsched setrlimit signal signull }; allow glusterd_t self:fifo_file rw_fifo_file_perms; allow glusterd_t self:tcp_socket create_stream_socket_perms; 
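Review bot: glusterd_t gains `fsetid` and `sys_ptrace` capabilities with no comment on what triggers them, and `sys_ptrace` is the broad one: it is also what the kernel checks when a process reads /proc/pid entries of other domains, which refpolicy usually handles with a dontaudit rather than an allow. If the denial came from such a read, `dontaudit glusterd_t self:capability sys_ptrace;` keeps the daemon working without the grant; if glusterd genuinely inspects or attaches to other processes, a one-line comment above the allow should say so. `fsetid` fits chown/chmod work on bricks but deserves the same note.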
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index d8360fe32c..b89ffb1bc9 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -82,6 +82,12 @@ files_getattr_kernel_modules(kubernetes_container_engine_domain) # for replicated storage that may be mounted in /mnt files_search_mnt(kubernetes_container_engine_domain) +fs_manage_fusefs_dirs(kubernetes_container_engine_domain) +fs_manage_fusefs_files(kubernetes_container_engine_domain) +fs_manage_fusefs_chr_files(kubernetes_container_engine_domain) +fs_manage_fusefs_fifo_files(kubernetes_container_engine_domain) +fs_manage_fusefs_sock_files(kubernetes_container_engine_domain) +fs_manage_fusefs_symlinks(kubernetes_container_engine_domain) fs_mounton_tmpfs(kubernetes_container_engine_domain) fs_relabelfrom_tmpfs_dirs(kubernetes_container_engine_domain) @@ -130,6 +136,11 @@ tunable_policy(`container_read_public_content',` miscfiles_mounton_all_public_files(kubernetes_container_engine_domain) ') +tunable_policy(`container_use_nfs',` + fs_getattr_nfs(kubernetes_container_engine_domain) + fs_remount_nfs(kubernetes_container_engine_domain) +') + ######################################## # # common kubernetes container policy 
@@ -238,6 +249,20 @@ fs_getattr_cgroup(kubelet_t) fs_manage_cgroup_dirs(kubelet_t) fs_manage_cgroup_files(kubelet_t) fs_watch_cgroup_dirs(kubelet_t) +# setattr on fusefs needed to chown on persistent storage +fs_getattr_fusefs(kubelet_t) +fs_list_fusefs(kubelet_t) +fs_setattr_fusefs_dirs(kubelet_t) +fs_getattr_fusefs_files(kubelet_t) +fs_setattr_fusefs_files(kubelet_t) +fs_getattr_fusefs_chr_files(kubelet_t) +fs_setattr_fusefs_chr_files(kubelet_t) +fs_getattr_fusefs_fifo_files(kubelet_t) +fs_setattr_fusefs_fifo_files(kubelet_t) +fs_getattr_fusefs_sock_files(kubelet_t) +fs_setattr_fusefs_sock_files(kubelet_t) +fs_getattr_fusefs_symlinks(kubelet_t) +fs_setattr_fusefs_symlinks(kubelet_t) kernel_dontaudit_getattr_proc(kubelet_t) kernel_getattr_message_if(kubelet_t) @@ -319,7 +344,7 @@ container_manage_dirs(kubelet_t) container_manage_files(kubelet_t) container_manage_lnk_files(kubelet_t) container_manage_sock_files(kubelet_t) -container_rw_fifo_files(kubelet_t) +container_manage_fifo_files(kubelet_t) container_watch_dirs(kubelet_t) container_list_ro_dirs(kubelet_t) container_relabel_all_content(kubelet_t) @@ -367,10 +392,21 @@ tunable_policy(`container_use_nfs',` fs_manage_nfs_symlinks(kubelet_t) ') +optional_policy(` + tunable_policy(`container_use_nfs',` + rpc_read_rpcd_state(kubelet_t) + ') +') + optional_policy(` crio_read_conmon_state(kubelet_t) ') +optional_policy(` + # for mounting volumes on bricks + glusterfs_search_bricks(kubelet_t) +') + ######################################## # # kubeadm local policy diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 482f89f44c..d28dc353cf 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if 
@@ -181,6 +181,25 @@ interface(`rpc_initrc_domtrans_rpcd',` init_labeled_script_domtrans($1, rpcd_initrc_exec_t) ') +######################################## +## +## Read the process state (/proc/pid) of +## rpcd. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_read_rpcd_state',` + gen_require(` + type rpcd_t; + ') + + ps_process_pattern($1, rpcd_t) +') + ####################################### ## ## Inherit and use file descriptors from From d9314aeb2499e6de02be70d1f5af54936d8a4e7a Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 25 Oct 2022 17:20:14 -0400 Subject: [PATCH 113/257] container, miscfiles: transition to s0 for public content created by containers Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 4 ++++ policy/modules/system/miscfiles.if | 27 +++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index d96ac9fd1d..bc9879ca2c 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -315,6 +315,10 @@ tunable_policy(`container_manage_public_content',` miscfiles_manage_public_files(container_domain) miscfiles_watch_public_dirs(container_domain) ') +optional_policy(` + # range_transition is not valid in a tunable + miscfiles_rangetrans_all_public_content(container_domain, s0) +') tunable_policy(`container_read_public_content',` miscfiles_read_public_files(container_domain) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 1ad6442f7d..c68d11ba0d 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if 
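Review bot: `miscfiles_rangetrans_all_public_content(container_domain, s0)` is applied unconditionally while the create/write access it pairs with sits under `container_manage_public_content` just above; the comment `# range_transition is not valid in a tunable` explains the placement but not the effect. A second line such as `# inert unless container_manage_public_content is on, since creation is denied otherwise` would stop a reader from concluding that containers always create public content. The choice of `s0` is the right default for content meant to be world-readable.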
@@ -961,6 +961,33 @@ interface(`miscfiles_mounton_all_public_files',` allow $1 public_content_rw_t:file mounton; ') +######################################## +## +## Transition to the specified sensitivity +## when creating all public content objects. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_rangetrans_all_public_content',` + gen_require(` + type public_content_t; + type public_content_rw_t; + ') + + ifdef(`enable_mcs',` + range_transition $1 public_content_t:dir_file_class_set $2; + range_transition $1 public_content_rw_t:dir_file_class_set $2; + ') + ifdef(`enable_mls',` + range_transition $1 public_content_t:dir_file_class_set $2; + range_transition $1 public_content_rw_t:dir_file_class_set $2; + ') +') + ######################################## ## ## Read TeX data From c7a0cc0cd2854685c2e840da4b827cf4b2b7c4c5 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 10 Oct 2022 12:13:17 -0400 Subject: [PATCH 114/257] container: add tunable to allow spc to use tun-tap devices Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index bc9879ca2c..458e392d98 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -37,6 +37,13 @@ gen_tunable(container_read_public_content, false) ## gen_tunable(container_spc_create_nfs_servers, false) +## +##
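Review bot: `miscfiles_rangetrans_all_public_content` uses `$2` as the target of the `range_transition`, but the parameter block documents only `$1` (`Domain allowed access.`); the second parameter needs its own entry, e.g. `The MLS/MCS range to transition to when creating public content.` The summary says `sensitivity` while a range_transition takes a range, so the wording should match what the container.te caller passes (`s0`). The body repeats both rules under `enable_mcs` and `enable_mls`; on a build with both defined they are harmless duplicates, but nesting the enable_mls check in the else branch of the enable_mcs check avoids that.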

+## Allow super privileged containers to use tun-tap devices. +##

+##
+gen_tunable(container_spc_use_tun_tap_dev, false) + ## ##

## Allow containers to use direct rendering devices. @@ -918,6 +925,10 @@ ifdef(`init_systemd',` init_run_bpf(spc_t) ') +tunable_policy(`container_spc_use_tun_tap_dev',` + corenet_rw_tun_tap_dev(spc_t) +') + optional_policy(` tunable_policy(`container_spc_create_nfs_servers',` fs_mount_nfsd_fs(spc_t) From fb835d04d3f1f463a0047e5b19e8f66c7b75ba0f Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 4 Nov 2022 13:30:46 -0400 Subject: [PATCH 115/257] container: correct admin_pattern() usage Signed-off-by: Kenton Groombridge --- policy/modules/services/container.if | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index d18320b8ba..55f8e4f3dd 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -1600,7 +1600,7 @@ interface(`container_admin_all_files',` type container_file_t; ') - admin_pattern($1, container_file_t, container_file_t) + admin_pattern($1, container_file_t) allow $1 container_file_t:chr_file manage_chr_file_perms; allow $1 container_file_t:blk_file manage_blk_file_perms; ') @@ -1620,7 +1620,7 @@ interface(`container_admin_all_ro_files',` type container_ro_file_t; ') - admin_pattern($1, container_ro_file_t, container_ro_file_t) + admin_pattern($1, container_ro_file_t) allow $1 container_ro_file_t:chr_file manage_chr_file_perms; allow $1 container_ro_file_t:blk_file manage_blk_file_perms; ') @@ -1642,7 +1642,7 @@ interface(`container_admin_all_user_runtime_content',` type container_user_runtime_t; ') - admin_pattern($1, container_user_runtime_t, container_user_runtime_t) + admin_pattern($1, container_user_runtime_t) ') ######################################## From ef6857944dd0dcdf7eccc27ff2708e907e5dbd75 Mon Sep 17 00:00:00 2001 
From: Dave Sugar Date: Wed, 23 Nov 2022 08:17:41 -0500 Subject: [PATCH 116/257] rng-tools updated to 6.15 (on RHEL9) seeing the following denials: node=localhost type=AVC msg=audit(1669206851.792:438): avc: denied { getattr } for pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1669206851.792:439): avc: denied { read } for pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1669206851.792:439): avc: denied { open } for pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 rngd now drops privileges rather than having user/group set in the .service file: node=localhost type=AVC msg=audit(1669206851.856:440): avc: denied { setgid } for pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 node=localhost type=AVC msg=audit(1669206851.881:441): avc: denied { setuid } for pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 node=localhost type=AVC msg=audit(1669206851.910:442): avc: denied { setcap } for pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1 Signed-off-by: Dave Sugar --- policy/modules/services/rngd.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te index f33d6a401e..d317520eea 100644 --- a/policy/modules/services/rngd.te +++ b/policy/modules/services/rngd.te 
@@ -20,8 +20,8 @@ files_runtime_file(rngd_runtime_t) # Local policy # -allow rngd_t self:capability { ipc_lock sys_admin }; -allow rngd_t self:process { setsched getsched signal }; +allow rngd_t self:capability { ipc_lock setgid setuid sys_admin }; +allow rngd_t self:process { getsched setcap setsched signal }; allow rngd_t self:fifo_file rw_fifo_file_perms; allow rngd_t self:unix_stream_socket { accept listen }; @@ -37,6 +37,7 @@ dev_rw_tpm(rngd_t) dev_write_rand(rngd_t) files_read_etc_files(rngd_t) +files_read_usr_files(rngd_t) logging_send_syslog_msg(rngd_t) From 090f4ca18e0374cef6562a9bb08225b0a4696787 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Thu, 1 Dec 2022 07:30:48 +0100 Subject: [PATCH 117/257] udev: permit to read hwdb On a gentoo with openRC, udev is denied to read hwdb. On current policy, reading hwdb is only allowed for system with systemd. In fact it is a common action (beyond openrc/systemd) so rules for reading it must be global. Signed-off-by: Corentin LABBE --- policy/modules/system/udev.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index f1e8cd265e..c86fa6d4d1 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -201,6 +201,9 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) +systemd_map_hwdb(udev_t) +systemd_read_hwdb(udev_t) + userdom_dontaudit_getattr_user_home_dirs(udev_t) userdom_dontaudit_search_user_home_content(udev_t) @@ -265,8 +268,6 @@ ifdef(`init_systemd',` init_stream_connect(udev_t) init_start_system(udev_t) - systemd_map_hwdb(udev_t) - systemd_read_hwdb(udev_t) systemd_read_logind_sessions_files(udev_t) systemd_read_logind_runtime_files(udev_t) # udev searches for .link files and applies custom udev rules From 3ca0cd59d7a9b531dd3620a02940396343fe2ed5 Mon Sep 17 00:00:00 2001 
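Review bot: The capability rule now grants `setuid setgid` and the process rule `setcap`, but nothing in the hunk records why; since the reason given in the description is a behaviour change in rng-tools 6.15 (the daemon drops privileges itself instead of relying on User=/Group= in the unit), a comment such as `# rng-tools >= 6.15 drops privileges itself` above `allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };` would stop a later reader from trimming these as unneeded. The second hunk's `files_read_usr_files(rngd_t)` matches the denials quoted in the description (the crypto-policies file under /usr/share is labeled usr_t), though it grants read on all usr_t files rather than that one file; that is a limitation of the available labeling rather than a defect in this hunk, but worth a comment at the call site naming the crypto-policies config as the reason.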
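Review bot: `systemd_map_hwdb(udev_t)` and `systemd_read_hwdb(udev_t)` are now called unconditionally in the first udev.te hunk, outside both the `ifdef(`init_systemd'` block they came from and any `optional_policy(`...`)` wrapper; if a non-systemd build (the openrc case the description targets) can omit the systemd module, the `gen_require` inside those interfaces would fail at link time, so either confirm systemd is always part of the base policy or wrap the two calls in `optional_policy(`. A comment at the new call site such as `# hwdb is read by udev regardless of init system` would document why these deliberately sit outside the init_systemd block. The `ifdef(`init_systemd'` block in the second hunk continues outside the hunk.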
From: Russell Coker Date: Thu, 8 Dec 2022 18:35:27 +1100 Subject: [PATCH 118/257] This patch removes the interfaces that were deprecated in the 20210203 release. I think that 2 years of support for a deprecated interface is enough, and by the time the next release is out it will probably be more than 2 years since 20210203. I think this is ready to merge. 
Signed-off-by: Russell Coker --- policy/modules/admin/kismet.if | 31 -- policy/modules/admin/rpm.if | 55 --- policy/modules/admin/samhain.if | 15 - policy/modules/admin/sblim.if | 14 - policy/modules/apps/qemu.if | 17 +- policy/modules/kernel/corenetwork.if.m4 | 106 ----- policy/modules/kernel/devices.if | 45 -- policy/modules/kernel/files.if | 528 ---------------------- policy/modules/kernel/filesystem.if | 30 -- policy/modules/kernel/selinux.if | 22 - policy/modules/services/abrt.if | 30 -- policy/modules/services/amavis.if | 30 -- policy/modules/services/apcupsd.if | 14 - policy/modules/services/asterisk.if | 15 - policy/modules/services/avahi.if | 87 ---- policy/modules/services/bind.if | 14 - policy/modules/services/certmonger.if | 14 - policy/modules/services/clamav.if | 15 - policy/modules/services/consolesetup.if | 17 - policy/modules/services/couchdb.if | 15 - policy/modules/services/cron.if | 15 - policy/modules/services/cups.if | 15 - policy/modules/services/devicekit.if | 31 -- policy/modules/services/dnsmasq.if | 95 ---- policy/modules/services/exim.if | 14 - policy/modules/services/fail2ban.if | 14 - policy/modules/services/glance.if | 29 -- policy/modules/services/gssproxy.if | 14 - policy/modules/services/icecast.if | 14 - policy/modules/services/ifplugd.if | 14 - policy/modules/services/inn.if | 18 - policy/modules/services/memcached.if | 30 -- policy/modules/services/mysql.if | 29 -- policy/modules/services/networkmanager.if | 15 - policy/modules/services/nis.if | 29 -- policy/modules/services/nscd.if | 31 -- policy/modules/services/nslcd.if | 14 - policy/modules/services/openct.if | 15 - policy/modules/services/openvswitch.if | 15 - policy/modules/services/pcscd.if | 15 - policy/modules/services/plymouthd.if | 30 -- policy/modules/services/ppp.if | 57 --- policy/modules/services/psad.if | 28 -- policy/modules/services/qpid.if | 14 - policy/modules/services/rhsmcertd.if | 14 - policy/modules/services/rpcbind.if | 14 - 
policy/modules/services/samba.if | 15 - policy/modules/services/sanlock.if | 15 - policy/modules/services/smokeping.if | 29 -- policy/modules/services/spamassassin.if | 15 - policy/modules/services/sssd.if | 30 -- policy/modules/services/tuned.if | 29 -- policy/modules/services/uuidd.if | 14 - policy/modules/services/vdagent.if | 14 - policy/modules/services/vhostmd.if | 29 -- policy/modules/services/virt.if | 62 --- policy/modules/services/xserver.if | 15 - policy/modules/services/zabbix.if | 14 - policy/modules/system/authlogin.if | 117 ----- policy/modules/system/init.if | 148 ------ policy/modules/system/ipsec.if | 31 -- policy/modules/system/iptables.if | 15 - policy/modules/system/logging.if | 15 - policy/modules/system/lvm.if | 14 - policy/modules/system/modutils.if | 15 - policy/modules/system/raid.if | 31 -- policy/modules/system/sysnetwork.if | 30 -- policy/modules/system/systemd.if | 60 --- policy/modules/system/udev.if | 239 ---------- policy/modules/system/userdomain.if | 27 -- policy/modules/system/xen.if | 40 -- 71 files changed, 1 insertion(+), 2799 deletions(-) diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if index 4c3c0d2853..6c62e57af1 100644 --- a/policy/modules/admin/kismet.if +++ b/policy/modules/admin/kismet.if @@ -82,37 +82,6 @@ interface(`kismet_run',` roleattribute $2 kismet_roles; ') -######################################## -##

-## Read kismet pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use kismet_read_runtime_files() instead.') - kismet_read_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## kismet pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use kismet_manage_runtime_files() instead.') - kismet_manage_runtime_files($1) -') - ######################################## ## ## Read kismet runtime files. diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index 2b5e0768e3..4abe1b6fbf 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -525,61 +525,6 @@ interface(`rpm_dontaudit_manage_db',` dontaudit $1 rpm_var_lib_t:file map; ') -##################################### -## -## Read rpm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - -##################################### -## -## Create, read, write, and delete -## rpm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use rpm_manage_runtime_files() instead.') - rpm_manage_runtime_files($1) -') - -######################################## -## -## Create specified objects in pid directories -## with the rpm pid file type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`rpm_pid_filetrans_rpm_pid',` - refpolicywarn(`$0($*) has been deprecated') -') - ##################################### ## ## Create, read, write, and delete 
diff --git a/policy/modules/admin/samhain.if b/policy/modules/admin/samhain.if index 7aa0c8197c..1618eaca85 100644 --- a/policy/modules/admin/samhain.if +++ b/policy/modules/admin/samhain.if @@ -173,21 +173,6 @@ interface(`samhain_manage_log_files',` manage_files_pattern($1, samhain_log_t, samhain_log_t) ') -######################################## -## -## Create, read, write, and delete -## samhain pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ####################################### ## ## All of the rules required to diff --git a/policy/modules/admin/sblim.if b/policy/modules/admin/sblim.if index 42b31f8f3f..9c1994c162 100644 --- a/policy/modules/admin/sblim.if +++ b/policy/modules/admin/sblim.if @@ -19,20 +19,6 @@ interface(`sblim_domtrans_gatherd',` domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t) ') -######################################## -## -## Read gatherd pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`sblim_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## All of the rules required to diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index a8570a252d..e9704a63d8 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -89,7 +89,7 @@ template(`qemu_domain_template',` optional_policy(` xserver_stream_connect($1_t) xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) + xserver_read_xdm_runtime_files($1_t) # xserver_xdm_rw_shm($1_t) ') ') 
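Review bot: Replacing `xserver_read_xdm_pid($1_t)` with `xserver_read_xdm_runtime_files($1_t)` is the only call-site migration in this series (the diffstat shows 1 insertion against 2799 deletions), yet the removed wrappers such as `files_pid_file()` and `files_search_pids()` previously forwarded to their replacements with only a `refpolicywarn`; after this change any remaining caller, in-tree or in a distribution's local modules, becomes a hard build failure instead of a warning. Worth a line in the commit message or changelog listing the removed interface names so downstream policy authors can migrate, and a search of the tree for the removed names before merging to confirm this really is the only live caller. `qemu_domain_template` starts and ends outside the hunk.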
@@ -280,21 +280,6 @@ interface(`qemu_stream_connect',` stream_connect_pattern($1, qemu_runtime_t, qemu_runtime_t, qemu_t) ') -######################################## -## -## Unlink qemu socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_delete_pid_sock_file',` - refpolicywarn(`$0($*) has been deprecated, please use qemu_delete_runtime_sock_files() instead.') - qemu_delete_runtime_sock_files($1) -') - ######################################## ## ## Unlink qemu runtime sockets. diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 index 5ef0b4e0df..372ad89358 100644 --- a/policy/modules/kernel/corenetwork.if.m4 +++ b/policy/modules/kernel/corenetwork.if.m4 
@@ -461,112 +461,6 @@ interface(`corenet_udp_bind_$1_node',` ######################################## define(`create_port_interfaces',`` -######################################## -## -## Send and receive TCP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Send UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_send_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Do not audit attempts to send UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_send_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Receive UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_receive_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Do not audit attempts to receive UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_receive_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Send and receive UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the $1 port. -## -## -## -## Domain to not audit. 
-## -## -## -# -interface(`corenet_dontaudit_udp_sendrecv_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - ######################################## ## ## Bind TCP sockets to the $1 port. diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 4239ba1f32..2fa4b69561 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3382,51 +3382,6 @@ interface(`dev_rw_mtrr',` rw_chr_files_pattern($1, device_t, mtrr_device_t) ') -######################################## -## -## Get the attributes of the network control device (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_netcontrol_dev',` - refpolicywarn(`$0() has been deprecated, use dev_getattr_pmqos_dev() instead.') - dev_getattr_pmqos_dev($1) -') - -######################################## -## -## Read the network control identity. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_netcontrol',` - refpolicywarn(`$0() has been deprecated, use dev_read_pmqos() instead.') - dev_read_pmqos($1) -') - -######################################## -## -## Read and write the the network control device. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_netcontrol',` - refpolicywarn(`$0() has been deprecated, use dev_rw_pmqos() instead.') - dev_rw_pmqos($1) -') - ######################################## ## ## Get the attributes of the null device nodes. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ab59540423..c386d19dc2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -189,50 +189,6 @@ interface(`files_security_mountpoint',` typeattribute $1 mountpoint; ') -######################################## -## -## Make the specified type usable for -## runtime process ID files. (Deprecated) -## -## -##

-## Make the specified type usable for runtime process ID files, -## typically found in /var/run. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a PID file type may result in problems with starting -## or stopping services. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_runtime_filetrans()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_runtime_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_runtime_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Type to be used for PID files. -## -## -## -# -interface(`files_pid_file',` - refpolicywarn(`$0($*) has been deprecated, please use files_runtime_file() instead.') - files_runtime_file($1) -') - ######################################## ## ## Make the specified type usable for 
@@ -6668,130 +6624,6 @@ interface(`files_lock_filetrans',` filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -######################################## -## -## Do not audit attempts to get the attributes -## of the /var/run directory. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_getattr_runtime_dirs() instead.') - files_dontaudit_getattr_runtime_dirs($1) -') - -######################################## -## -## mounton a /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_mounton_runtime_dirs() instead.') - files_mounton_runtime_dirs($1) -') - -######################################## -## -## Set the attributes of the /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_setattr_runtime_dirs() instead.') - files_setattr_runtime_dirs($1) -') - -######################################## -## -## Search the contents of runtime process -## ID directories (/var/run). (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_search_runtime() instead.') - files_search_runtime($1) -') - -######################################## -## -## Do not audit attempts to search -## the /var/run directory. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_search_runtime() instead.') - files_dontaudit_search_runtime($1) -') - -######################################## -## -## List the contents of the runtime process -## ID directories (/var/run). 
(Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_list_runtime() instead.') - files_list_runtime($1) -') - -######################################## -## -## Check write access on /var/run directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_check_write_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_check_write_runtime_dirs() instead.') - files_check_write_runtime_dirs($1) -') - -######################################## -## -## Create a /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_create_runtime_dirs() instead.') - files_create_runtime_dirs($1) -') - ######################################## ## ## Do not audit attempts to get the attributes @@ -6963,286 +6795,6 @@ interface(`files_watch_runtime_dirs',` allow $1 var_run_t:dir watch; ') -######################################## -## -## Read generic process ID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_generic_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_read_runtime_files() instead.') - files_read_runtime_files($1) -') - -######################################## -## -## Write named generic process ID pipes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_generic_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use files_write_runtime_pipes() instead.') - files_write_runtime_pipes($1) -') - -######################################## -## -## Create an object in the process ID directory, with a private type. (Deprecated) -## -## -##

-## Create an object in the process ID directory (e.g., /var/run) -## with a private type. Typically this is used for creating -## private PID files in /var/run with the private type instead -## of the general PID file type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_runtime_file()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_runtime_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_runtime_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -## -# -interface(`files_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, please use files_runtime_filetrans() instead.') - files_runtime_filetrans($1, $2, $3, $4) -') - -######################################## -## -## Create a generic lock directory within the run directories. (Deprecated) -## -## -## -## Domain allowed access -## -## -## -## -## The name of the object being created. -## -## -# -interface(`files_pid_filetrans_lock_dir',` - refpolicywarn(`$0($*) has been deprecated, please use files_runtime_filetrans_lock_dir() instead.') - files_runtime_filetrans_lock_dir($1, $2) -') - -######################################## -## -## Read and write generic process ID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_generic_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_rw_runtime_files() instead.') - files_rw_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## daemon runtime data files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_getattr_all_runtime_files() instead.') - files_dontaudit_getattr_all_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to write to daemon runtime data files. (Deprecated) -## -## -## -## Domain to not audit. 
-## -## -# -interface(`files_dontaudit_write_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_write_all_runtime_files() instead.') - files_dontaudit_write_all_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to ioctl daemon runtime data files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_ioctl_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_ioctl_all_runtime_files() instead.') - files_dontaudit_ioctl_all_runtime_files($1) -') - -######################################## -## -## manage all pidfile directories -## in the /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_all_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_manage_all_runtime_dirs() instead.') - files_manage_all_runtime_dirs($1) -') - -######################################## -## -## Read all process ID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_read_all_runtime_files() instead.') - files_read_all_runtime_files($1) -') - -######################################## -## -## Execute generic programs in /var/run in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_exec_generic_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use files_exec_runtime() instead.') - files_exec_runtime($1) -') - -######################################## -## -## Relabel all pid files. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`files_relabel_all_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_files() instead.') - files_relabel_all_runtime_files($1) -') - -######################################## -## -## Delete all process IDs. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_delete_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_delete_runtime_symlinks(); files_delete_all_runtime_files(); files_delete_all_runtime_dirs(); files_delete_all_runtime_sockets(); files_delete_all_runtime_pipes(); instead.') - files_delete_runtime_symlinks($1) - files_delete_all_runtime_files($1) - files_delete_all_runtime_dirs($1) - files_delete_all_runtime_sockets($1) - files_delete_all_runtime_pipes($1) -') - -######################################## -## -## Create all pid sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_all_pid_sockets',` - refpolicywarn(`$0($*) has been deprecated, please use files_create_all_runtime_sockets() instead.') - files_create_all_runtime_sockets($1) -') - -######################################## -## -## Create all pid named pipes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_all_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use files_create_all_runtime_pipes() instead.') - files_create_all_runtime_pipes($1) -') - ######################################## ## ## Read generic runtime files. 
@@ -7801,86 +7353,6 @@ interface(`files_delete_all_spool_sockets',` allow $1 spoolfile:sock_file delete_sock_file_perms; ') -######################################## -## -## Delete all process ID directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_all_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_delete_all_runtime_dirs() instead.') - files_delete_all_runtime_dirs($1) -') - -######################################## -## -## Create, read, write and delete all -## var_run (pid) content (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_manage_all_runtime_dirs(); files_manage_all_runtime_files(); files_manage_all_runtime_symlinks() instead.') - files_manage_all_runtime_dirs($1) - files_manage_all_runtime_files($1) - files_manage_all_runtime_symlinks($1) -') - -######################################## -## -## Relabel to/from all var_run (pid) directories (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_all_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_dirs() instead.') - files_relabel_all_runtime_dirs($1) -') - -######################################## -## -## Relabel to/from all var_run (pid) socket files (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_all_pid_sock_files',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_sockets() instead.') - files_relabel_all_runtime_sockets($1) -') - -######################################## -## -## Relabel to/from all var_run (pid) files and directories (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`files_relabel_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_dirs(); files_relabel_all_runtime_files(); files_relabel_all_runtime_symlinks() instead.') - files_relabel_all_runtime_dirs($1) - files_relabel_all_runtime_files($1) - files_relabel_all_runtime_symlinks($1) -') - ######################################## ## ## Mount filesystems on all polyinstantiation diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 173dcbdc73..9dedaddd59 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -5769,21 +5769,6 @@ interface(`fs_relabel_tmpfs_chr_files',` relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') -######################################## -## -## Relabel character nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabel_tmpfs_chr_file',` - refpolicywarn(`$0($*) has been deprecated, please use fs_relabel_tmpfs_chr_files() instead.') - fs_relabel_tmpfs_chr_files($1) -') - ######################################## ## ## Read and write block nodes on tmpfs filesystems. @@ -5822,21 +5807,6 @@ interface(`fs_relabel_tmpfs_blk_files',` relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') -######################################## -## -## Relabel block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabel_tmpfs_blk_file',` - refpolicywarn(`$0($*) has been deprecated, please use fs_relabel_tmpfs_blk_files() instead.') - fs_relabel_tmpfs_blk_files($1) -') - ######################################## ## ## Relabel named pipes on tmpfs filesystems. diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 13aa1e0525..19ffa640f9 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if 
@@ -697,28 +697,6 @@ interface(`selinux_use_status_page',` allow $1 security_t:file mmap_read_file_perms; ') -######################################## -## -## Allows caller to map secuirty_t files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# - -interface(`selinux_map_security_files',` - gen_require(` - type security_t; - ') - - refpolicywarn(`$0() has been deprecated, use selinux_use_status_page() instead.') - - dev_search_sysfs($1) - allow $1 security_t:file map; -') - ######################################## ## ## Unconfined access to the SELinux kernel security server. diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index e763b4b9f6..75753ed862 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -221,36 +221,6 @@ interface(`abrt_read_log',` read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') -###################################### -## -## Read abrt PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - -###################################### -## -## Create, read, write, and delete -## abrt PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use abrt_manage_runtime_files() instead.') - abrt_manage_runtime_files($1) -') - ###################################### ## ## Create, read, write, and delete diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index f0944bceb2..ebd5638e3a 100644 --- a/policy/modules/services/amavis.if +++ b/policy/modules/services/amavis.if 
@@ -171,36 +171,6 @@ interface(`amavis_manage_lib_files',` files_search_var_lib($1) ') -######################################## -## -## Set attributes of amavis pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_setattr_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use amavis_setattr_runtime_files() instead.') - amavis_setattr_runtime_files($1) -') - -######################################## -## -## Create amavis pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_create_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use amavis_create_runtime_files() instead.') - amavis_create_runtime_files($1) -') - ######################################## ## ## Set attributes of amavis runtime files. diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if index 5077cf4648..e0eeff71f7 100644 --- a/policy/modules/services/apcupsd.if +++ b/policy/modules/services/apcupsd.if @@ -39,20 +39,6 @@ interface(`apcupsd_initrc_domtrans',` init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) ') -######################################## -## -## Read apcupsd PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`apcupsd_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Read apcupsd log files. diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if index 31f446c66f..a1a74b1bea 100644 --- a/policy/modules/services/asterisk.if +++ b/policy/modules/services/asterisk.if 
@@ -79,21 +79,6 @@ interface(`asterisk_setattr_logs',` logging_search_logs($1) ') -####################################### -## -## Set attributes of the asterisk -## PID content. -## -## -## -## Domain allowed access. -## -## -# -interface(`asterisk_setattr_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## All of the rules required to diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index c223e8b3ae..fe9f460e33 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -133,36 +133,6 @@ interface(`avahi_stream_connect',` stream_connect_pattern($1, avahi_runtime_t, avahi_runtime_t, avahi_t) ') -######################################## -## -## Create avahi pid directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_create_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_create_runtime_dirs() instead.') - avahi_create_runtime_dirs($1) -') - -######################################## -## -## Set attributes of avahi pid directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_setattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_setattr_runtime_dirs() instead.') - avahi_setattr_runtime_dirs($1) -') - ######################################## ## ## Set attributes of avahi runtime directories. 
@@ -201,63 +171,6 @@ interface(`avahi_create_runtime_dirs',`
 allow $1 avahi_runtime_t:dir create_dir_perms;
 ')
-########################################
-##
-## Create, read, and write avahi pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`avahi_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use avahi_manage_runtime_files() instead.')
- avahi_manage_runtime_files($1)
-')
-
-########################################
-##
-## Do not audit attempts to search
-## avahi pid directories. (Deprecated)
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`avahi_dontaudit_search_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use avahi_dontaudit_search_runtime() instead.')
- avahi_dontaudit_search_runtime($1)
-')
-
-########################################
-##
-## Create specified objects in generic
-## pid directories with the avahi pid file type. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`avahi_filetrans_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use avahi_filetrans_runtime() instead.')
- avahi_filetrans_runtime($*)
-')
-
 ########################################
 ##
 ## Create, read, and write avahi runtime files.
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 25ba4d1190..7c252d9aba 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -254,20 +254,6 @@ interface(`bind_manage_cache',`
 manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
 ')
-########################################
-##
-## Set attributes of bind pid directories. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`bind_setattr_pid_dirs',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Set attributes of bind zone directories.
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
index 1b89f9bbb3..5d4cf96155 100644
--- a/policy/modules/services/certmonger.if
+++ b/policy/modules/services/certmonger.if
@@ -59,20 +59,6 @@ interface(`certmonger_initrc_domtrans',`
 init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
 ')
-########################################
-##
-## Read certmonger PID files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`certmonger_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Search certmonger lib directories.
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 29d00c98f0..f59ce107c2 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -87,21 +87,6 @@ interface(`clamav_append_log',`
 append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
 ')
-########################################
-##
-## Create, read, write, and delete
-## clamav pid content. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`clamav_manage_pid_content',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read clamav configuration files.
diff --git a/policy/modules/services/consolesetup.if b/policy/modules/services/consolesetup.if
index f5f766f03c..d9b65ddbff 100644
--- a/policy/modules/services/consolesetup.if
+++ b/policy/modules/services/consolesetup.if
@@ -83,23 +83,6 @@ interface(`consolesetup_manage_runtime', `
 manage_files_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t)
 ')
-########################################
-##
-## Create a console-setup directory in
-## the runtime directory. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`consolesetup_pid_filetrans_runtime', `
- refpolicywarn(`$0($*) has been deprecated, please use consolesetup_runtime_filetrans_runtime_dir() instead.')
- consolesetup_runtime_filetrans_runtime_dir($1)
-')
-
 ########################################
 ##
 ## Create a console-setup directory in
diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
index cc925162c1..1be0403ba7 100644
--- a/policy/modules/services/couchdb.if
+++ b/policy/modules/services/couchdb.if
@@ -57,21 +57,6 @@ interface(`couchdb_read_conf_files',`
 read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
-########################################
-##
-## Read couchdb pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`couchdb_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use couchdb_read_runtime_files() instead.')
- couchdb_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read couchdb runtime files.
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index ecf8952169..78de1d27ca 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -663,21 +663,6 @@ interface(`cron_search_spool',`
 allow $1 cron_spool_t:dir search_dir_perms;
 ')
-########################################
-##
-## Create, read, write, and delete
-## crond pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`cron_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Execute anacron in the cron
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index c8c50c399b..852db3d673 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -94,21 +94,6 @@ interface(`cups_dbus_chat',`
 allow cupsd_t $1:dbus send_msg;
 ')
-########################################
-##
-## Read cups PID files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`cups_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use cups_read_runtime_files() instead.')
- cups_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read cups runtime files.
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index 17862b6b80..58c82ab1f0 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -199,37 +199,6 @@ interface(`devicekit_relabel_log_files',`
 relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
 ')
-########################################
-##
-## Read devicekit PID files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`devicekit_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use devicekit_read_runtime_files() instead.')
- devicekit_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## devicekit PID files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`devicekit_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use devicekit_manage_runtime_files() instead.')
- devicekit_manage_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read devicekit runtime files.
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index c0b4bc2824..5bf375b185 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -135,101 +135,6 @@ interface(`dnsmasq_write_config',`
 files_search_etc($1)
 ')
-########################################
-##
-## Delete dnsmasq pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`dnsmasq_delete_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_delete_runtime_files() instead.')
- dnsmasq_delete_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## dnsmasq pid files (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dnsmasq_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_manage_runtime_files() instead.')
- dnsmasq_manage_runtime_files($1)
-')
-
-########################################
-##
-## Read dnsmasq pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`dnsmasq_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_read_runtime_files() instead.')
- dnsmasq_read_runtime_files($1)
-')
-
-########################################
-##
-## Create dnsmasq pid directories. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dnsmasq_create_pid_dirs',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_create_runtime_dirs() instead.')
- dnsmasq_create_runtime_dirs($1)
-')
-
-########################################
-##
-## Create specified objects in specified
-## directories with a type transition to
-## the dnsmasq pid file type. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`dnsmasq_spec_filetrans_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_virt_runtime_filetrans_runtime() instead.')
- dnsmasq_virt_runtime_filetrans_runtime($1, $3, $4)
-')
-
 ########################################
 ##
 ## Create dnsmasq runtime directories.
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index ceff9d87b0..66dc62452e 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -103,20 +103,6 @@ interface(`exim_read_tmp_files',`
 files_search_tmp($1)
 ')
-########################################
-##
-## Read exim pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`exim_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read exim log files.
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index d270e693a5..c5884093ae 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -220,20 +220,6 @@ interface(`fail2ban_append_log',`
 allow $1 fail2ban_log_t:file append_file_perms;
 ')
-########################################
-##
-## Read fail2ban pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
index 7098328519..eff86ff1b1 100644
--- a/policy/modules/services/glance.if
+++ b/policy/modules/services/glance.if
@@ -179,35 +179,6 @@ interface(`glance_manage_lib_dirs',`
 manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
 ')
-########################################
-##
-## Read glance pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glance_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Create, read, write, and delete
-## glance pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glance_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/gssproxy.if b/policy/modules/services/gssproxy.if
index 27d9d9f813..693d5228e3 100644
--- a/policy/modules/services/gssproxy.if
+++ b/policy/modules/services/gssproxy.if
@@ -95,20 +95,6 @@ interface(`gssproxy_manage_lib_dirs',`
 manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
 ')
-########################################
-##
-## Read gssproxy PID files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gssproxy_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to gssproxy over an unix
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
index 0d3cc58fcd..65fbd96a88 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
@@ -55,20 +55,6 @@ interface(`icecast_initrc_domtrans',`
 init_labeled_script_domtrans($1, icecast_initrc_exec_t)
 ')
-########################################
-##
-## Read icecast pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`icecast_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
index 3e75f24ae2..8e9bd02328 100644
--- a/policy/modules/services/ifplugd.if
+++ b/policy/modules/services/ifplugd.if
@@ -77,20 +77,6 @@ interface(`ifplugd_manage_config',`
 manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
 ')
-########################################
-##
-## Read ifplugd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`ifplugd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index 2f5cc3e8fb..7a4343b729 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -86,24 +86,6 @@ interface(`inn_generic_log_filetrans_innd_log',`
 logging_log_filetrans($1, innd_log_t, $2, $3)
 ')
-########################################
-##
-## Create, read, write, and delete
-## innd pid content. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`inn_manage_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use inn_manage_runtime_dirs(); inn_manage_runtime_files()inn_manage_runtime_sockets() instead.')
- inn_manage_runtime_dirs($1)
- inn_manage_runtime_files($1)
- inn_manage_runtime_sockets($1)
-')
-
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
index 34423fcf1f..9644187746 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -19,36 +19,6 @@ interface(`memcached_domtrans',`
 domtrans_pattern($1, memcached_exec_t, memcached_t)
 ')
-########################################
-##
-## Create, read, write, and delete
-## memcached pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`memcached_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use memcached_manage_runtime_files() instead.')
- memcached_manage_runtime_files($1)
-')
-
-########################################
-##
-## Read memcached pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`memcached_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index f8d7c373d2..ea50660ce2 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -386,35 +386,6 @@ interface(`mysql_domtrans_mysql_safe',`
 domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
 ')
-#####################################
-##
-## Read mysqld pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mysql_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#####################################
-##
-## Search mysqld pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`mysql_search_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 88d2fa6e20..59ce01ce58 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -271,21 +271,6 @@ interface(`networkmanager_append_log_files',`
 append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 ')
-########################################
-##
-## Read networkmanager pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`networkmanager_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use networkmanager_read_runtime_files() instead.')
- networkmanager_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read networkmanager runtime files.
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 4c6724b576..ba5c6a9d93 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -210,21 +210,6 @@ interface(`nis_list_var_yp',`
 allow $1 var_yp_t:dir list_dir_perms;
 ')
-########################################
-##
-## Read ypbind pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nis_read_ypbind_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use nis_read_ypbind_runtime_files() instead.')
- nis_read_ypbind_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read ypbind runtime files.
@@ -244,20 +229,6 @@ interface(`nis_read_ypbind_runtime_files',`
 allow $1 ypbind_runtime_t:file read_file_perms;
 ')
-########################################
-##
-## Delete ypbind pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nis_delete_ypbind_pid',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read ypserv configuration files.
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 790e8a5f42..3f87cc461a 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -172,37 +172,6 @@ interface(`nscd_use',`
 ')
 ')
-########################################
-##
-## Do not audit attempts to search
-## nscd pid directories. (Deprecated)
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`nscd_dontaudit_search_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use nscd_dontaudit_search_runtime() instead.')
- nscd_dontaudit_search_runtime($1)
-')
-
-########################################
-##
-## Read nscd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nscd_read_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use nscd_read_runtime_files() instead.')
- nscd_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Do not audit attempts to search
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
index df0e05059a..5858ef9e83 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
@@ -37,20 +37,6 @@ interface(`nslcd_initrc_domtrans',`
 init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
 ')
-########################################
-##
-## Read nslcd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nslcd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to nslcd over an unix
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index f6ced13a92..3199d585df 100644
--- a/policy/modules/services/openct.if
+++ b/policy/modules/services/openct.if
@@ -56,21 +56,6 @@ interface(`openct_domtrans',`
 domtrans_pattern($1, openct_exec_t, openct_t)
 ')
-########################################
-##
-## Read openct pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`openct_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use openct_read_runtime_files() instead.')
- openct_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read openct runtime files.
diff --git a/policy/modules/services/openvswitch.if b/policy/modules/services/openvswitch.if
index 73bbb6d697..e7af2589a9 100644
--- a/policy/modules/services/openvswitch.if
+++ b/policy/modules/services/openvswitch.if
@@ -19,21 +19,6 @@ interface(`openvswitch_domtrans',`
 domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
 ')
-########################################
-##
-## Read openvswitch pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`openvswitch_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use openvswitch_read_runtime_files() instead.')
- openvswitch_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read openvswitch runtime files.
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
index 219161c2a4..d6f652360b 100644
--- a/policy/modules/services/pcscd.if
+++ b/policy/modules/services/pcscd.if
@@ -19,21 +19,6 @@ interface(`pcscd_domtrans',`
 domtrans_pattern($1, pcscd_exec_t, pcscd_t)
 ')
-########################################
-##
-## Read pcscd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`pcscd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use pcscd_read_runtime_files() instead.')
- pcscd_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read pcscd runtime files.
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index b0a3999359..74539d062f 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -231,36 +231,6 @@ interface(`plymouthd_manage_lib_files',`
 manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
 ')
-########################################
-##
-## Read plymouthd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`plymouthd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use plymouthd_read_runtime_files() instead.')
- plymouthd_read_runtime_files($1)
-')
-
-########################################
-##
-## Delete the plymouthd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`plymouthd_delete_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use plymouthd_delete_runtime_files() instead.')
- plymouthd_delete_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read plymouthd runtime files.
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index dd09fa9543..cf7f567db8 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -353,63 +353,6 @@ interface(`ppp_read_secrets',`
 allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
 ')
-########################################
-##
-## Read ppp pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`ppp_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use ppp_read_runtime_files() instead.')
- ppp_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## ppp pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`ppp_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use ppp_manage_runtime_files() instead.')
- ppp_manage_runtime_files($1)
-')
-
-########################################
-##
-## Create specified pppd pid objects
-## with a type transition. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`ppp_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, please use ppp_runtime_filetrans() instead.')
- ppp_runtime_filetrans($1, $2, $3)
-')
-
 ########################################
 ##
 ## Read ppp runtime files.
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index fe191f52fb..1193f97ca4 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -98,34 +98,6 @@ interface(`psad_manage_config',`
 allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
 ')
-########################################
-##
-## Read psad pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`psad_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Read and write psad pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`psad_rw_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read psad log content.
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if
index 9b0dd4abfa..375bc7cbc3 100644
--- a/policy/modules/services/qpid.if
+++ b/policy/modules/services/qpid.if
@@ -74,20 +74,6 @@ interface(`qpidd_initrc_domtrans',`
 init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
 ')
-########################################
-##
-## Read qpidd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`qpidd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Search qpidd lib directories.
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
index dbc8a61c09..673ae1986f 100644
--- a/policy/modules/services/rhsmcertd.if
+++ b/policy/modules/services/rhsmcertd.if
@@ -177,20 +177,6 @@ interface(`rhsmcertd_manage_lib_dirs',`
 manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 ')
-########################################
-##
-## Read rhsmcertd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rhsmcertd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ####################################
 ##
 ## Connect to rhsmcertd with a
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
index b815d02dee..0938487d22 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -39,20 +39,6 @@ interface(`rpcbind_stream_connect',`
 stream_connect_pattern($1, rpcbind_runtime_t, rpcbind_runtime_t, rpcbind_t)
 ')
-########################################
-##
-## Read rpcbind pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rpcbind_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Search rpcbind lib directories.
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 92eab06d7b..05e713672e 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -705,21 +705,6 @@ interface(`samba_run_winbind_helper',`
 roleattribute $2 winbind_helper_roles;
 ')
-########################################
-##
-## Read winbind pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`samba_read_winbind_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use samba_read_winbind_runtime_files() instead.')
- samba_read_winbind_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read winbind runtime files.
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
index 2fe384a521..d6c94ecc6e 100644
--- a/policy/modules/services/sanlock.if
+++ b/policy/modules/services/sanlock.if
@@ -38,21 +38,6 @@ interface(`sanlock_initrc_domtrans',`
 init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
 ')
-######################################
-##
-## Create, read, write, and delete
-## sanlock pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sanlock_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to sanlock with a unix
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
index 83c55e2798..27b89ed7f4 100644
--- a/policy/modules/services/smokeping.if
+++ b/policy/modules/services/smokeping.if
@@ -38,35 +38,6 @@ interface(`smokeping_initrc_domtrans',`
 init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
 ')
-########################################
-##
-## Read smokeping pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`smokeping_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Create, read, write, and delete
-## smokeping pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`smokeping_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Get attributes of smokeping lib files.
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index b530a76f8d..86afba2d0e 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -363,21 +363,6 @@ interface(`spamassassin_manage_lib_files',`
 manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 ')
-########################################
-##
-## Read spamd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`spamassassin_read_spamd_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use spamassassin_read_spamd_runtime_files() instead.')
- spamassassin_read_spamd_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read spamd runtime files.
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 4814414512..491ff9ae5c 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -155,36 +155,6 @@ interface(`sssd_manage_public_files',`
 manage_files_pattern($1, sssd_public_t, sssd_public_t)
 ')
-########################################
-##
-## Read sssd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sssd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use sssd_read_runtime_files() instead.')
- sssd_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## sssd pid content. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sssd_manage_pids',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read sssd runtime files.
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
index 6fd0f35f05..aecfe22fcf 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -38,35 +38,6 @@ interface(`tuned_exec',`
 can_exec($1, tuned_exec_t)
 ')
-######################################
-##
-## Read tuned pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`tuned_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#######################################
-##
-## Create, read, write, and delete
-## tuned pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`tuned_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Execute tuned init scripts in
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
index b1469d3c15..a7868f17ad 100644
--- a/policy/modules/services/uuidd.if
+++ b/policy/modules/services/uuidd.if
@@ -116,20 +116,6 @@ interface(`uuidd_manage_lib_dirs',` manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ') -######################################## -## -## Read uuidd pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`uuidd_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Connect to uuidd with an unix diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if index d31894325f..73fc90d259 100644 --- a/policy/modules/services/vdagent.if +++ b/policy/modules/services/vdagent.if @@ -56,20 +56,6 @@ interface(`vdagent_getattr_log',` allow $1 vdagent_log_t:file getattr_file_perms; ') -######################################## -## -## Read vdagent pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`vdagent_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ##################################### ## ## Connect to vdagent with a unix diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if index 3e737dd010..831bbefe2b 100644 --- a/policy/modules/services/vhostmd.if +++ b/policy/modules/services/vhostmd.if @@ -115,35 +115,6 @@ interface(`vhostmd_manage_tmpfs_files',` manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ') -######################################## -## -## Read vhostmd pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Create, read, write, and delete -## vhostmd pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Connect to vhostmd with a unix 
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index ee7fd18fc6..0a85a67d46 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -735,36 +735,6 @@ interface(`virt_home_filetrans_virt_home',` userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) ') -######################################## -## -## Read virt pid files. (Depprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use virt_read_runtime_files() instead.') - virt_read_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## virt pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Read virt runtime files. @@ -877,38 +847,6 @@ interface(`virt_manage_lib_files',` manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ') -######################################## -## -## Create objects in virt pid -## directories with a private type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -## -# -interface(`virt_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, please use virt_runtime_filetrans() instead.') - virt_runtime_filetrans($1, $2, $3, $4) -') - ######################################## ## ## Read virt log files. diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 6ee85e0a9e..ba98628b3f 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -994,21 +994,6 @@ interface(`xserver_delete_xdm_tmp_sockets',` delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -######################################## -## -## Read XDM pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xdm_pid',` - refpolicywarn(`$0($*) has been deprecated, please use xserver_read_xdm_runtime_files() instead.') - xserver_read_xdm_runtime_files($1) -') - ######################################## ## ## Read XDM runtime files. diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index 11f1e5f73c..49aaa9a5e7 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -78,20 +78,6 @@ interface(`zabbix_append_log',` append_files_pattern($1, zabbix_log_t, zabbix_log_t) ') -######################################## -## -## Read zabbix pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Connect to zabbix agent on the TCP network. diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 4648ee4b7d..4a2bfbccbb 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
@@ -1109,95 +1109,6 @@ interface(`auth_manage_var_auth',` allow $1 var_auth_t:lnk_file rw_lnk_file_perms; ') -######################################## -## -## Read PAM PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_read_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_read_pam_runtime_files() instead.') - auth_read_pam_runtime_files($1) -') - -####################################### -## -## Do not audit attempts to read PAM PID files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_read_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_dontaudit_read_pam_runtime_files() instead.') - auth_dontaudit_read_pam_runtime_files($1) -') - -######################################## -## -## Create specified objects in -## pid directories with the pam var -## run file type using a -## file type transition. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`auth_pid_filetrans_pam_var_run',` - refpolicywarn(`$0($*) has been deprecated, please use auth_runtime_filetrans_pam_runtime() instead.') - auth_runtime_filetrans_pam_runtime($1, $2, $3) -') - -######################################## -## -## Delete pam PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_delete_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_delete_pam_runtime_files() instead.') - auth_delete_pam_runtime_files($1) -') - -######################################## -## -## Manage pam PID files. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`auth_manage_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_manage_pam_runtime_dirs(); auth_manage_pam_runtime_files() instead.') - auth_manage_pam_runtime_dirs($1) - auth_manage_pam_runtime_files($1) -') - ######################################## ## ## Manage pam runtime dirs. @@ -1479,34 +1390,6 @@ interface(`auth_delete_pam_console_data',` delete_files_pattern($1, pam_var_console_t, pam_var_console_t) ') -######################################## -## -## Create specified objects in -## pid directories with the pam var -## console pid file type using a -## file type transition. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`auth_pid_filetrans_pam_var_console',` - refpolicywarn(`$0($*) has been deprecated, please use auth_runtime_filetrans_pam_var_console() instead.') - auth_runtime_filetrans_pam_var_console($1, $2, $3) -') - ######################################## ## ## Create specified objects in generic diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index ba25610486..0726d70e46 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -638,33 +638,6 @@ interface(`init_dyntrans',` dyntrans_pattern($1, init_t) ') -######################################## -## -## Mark the file type as a daemon pid file, allowing initrc_t -## to create it (Deprecated) -## -## -## -## Type to mark as a daemon pid file -## -## -## -## -## Class on which the type is applied -## -## -## -## -## Filename of the file that the init script creates -## -## -# -interface(`init_daemon_pid_file',` - refpolicywarn(`$0($*) has been deprecated, please use init_daemon_runtime_file() instead.') - init_daemon_runtime_file($1, $2, $3) - -') - ######################################## ## ## Mark the file type as a daemon runtime file, allowing initrc_t 
@@ -1532,127 +1505,6 @@ interface(`init_var_lib_filetrans',` filetrans_pattern($1, init_var_lib_t, $2, $3, $4) ') -###################################### -## -## Allow search directory in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use init_search_runtime() instead.') - init_search_runtime($1) -') - -###################################### -## -## Allow listing of the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_list_pids',` - refpolicywarn(`$0($*) has been deprecated, please use init_list_runtime() instead.') - init_list_runtime($1) -') - -###################################### -## -## Create symbolic links in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_manage_pid_symlinks', ` - refpolicywarn(`$0($*) has been deprecated, please use init_manage_runtime_symlinks() instead.') - init_manage_runtime_symlinks($1) -') - -###################################### -## -## Create files in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_create_pid_files', ` - refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_files() instead.') - init_create_runtime_files($1) -') - -###################################### -## -## Write files in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_write_pid_files', ` - refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_files() instead.') - init_write_runtime_files($1) -') - -###################################### -## -## Create, read, write, and delete -## directories in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`init_manage_pid_dirs', ` - refpolicywarn(`$0($*) has been deprecated, please use init_manage_runtime_dirs() instead.') - init_manage_runtime_dirs($1) -') - -######################################## -## -## Create files in an init PID directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`init_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans() instead.') - init_runtime_filetrans($*) -') - ###################################### ## ## Search init runtime directories, e.g. /run/systemd. diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 5d29bb0c89..2183207f48 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -246,37 +246,6 @@ interface(`ipsec_setcontext_default_spd',` allow $1 ipsec_spd_t:association setcontext; ') -######################################## -## -## write the ipsec_runtime_t files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_write_pid',` - refpolicywarn(`$0($*) has been deprecated, please use ipsec_write_runtime_files() instead.') - ipsec_write_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete the IPSEC pid files. -## (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_manage_pid',` - refpolicywarn(`$0($*) has been deprecated, please use ipsec_manage_runtime_files() instead.') - ipsec_manage_runtime_files($1) -') - ######################################## ## ## Write ipsec runtime files. diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index af9c54632d..f1ddfcdee8 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if 
@@ -235,21 +235,6 @@ interface(`iptables_mounton_runtime_files',` allow $1 iptables_runtime_t:file mounton; ') -######################################## -## -## dontaudit reading iptables_runtime_t (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`iptables_dontaudit_read_pids',` - refpolicywarn(`$0($*) has been deprecated, please use iptables_dontaudit_read_runtime_files() instead.') - iptables_dontaudit_read_runtime_files($1) -') - ######################################## ## ## Do not audit reading iptables runtime files. diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index cf7ef17214..e6bdf9bfd4 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -844,21 +844,6 @@ interface(`logging_watch_runtime_dirs',` allow $1 syslogd_runtime_t:dir watch; ') -######################################## -## -## Create, read, write, and delete syslog PID sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_manage_pid_sockets',` - refpolicywarn(`$0($*) has been deprecated, please use logging_manage_runtime_sockets() instead.') - logging_manage_runtime_sockets($1) -') - ######################################## ## ## Create, read, write, and delete syslog PID sockets. diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 468cbcaa83..2f0a2bb376 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -172,20 +172,6 @@ interface(`lvm_create_lock_dirs',` files_add_entry_lock_dirs($1) ') -######################################## -## -## Read and write a lvm unnamed pipe. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`lvm_rw_inherited_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated.') -') - ###################################### ## ## All of the rules required to 
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 05563897f4..08ec097794 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -38,21 +38,6 @@ interface(`modutils_read_module_deps',` allow $1 modules_dep_t:file { read_file_perms map }; ') -######################################## -## -## Read the kernel modules. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_read_module_objects',` - refpolicywarn(`$0($*) has been deprecated, please use files_mmap_read_kernel_modules() instead.') - files_mmap_read_kernel_modules($1) -') - ######################################## ## ## Read the configuration options used when diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if index 6b3959b002..9cdffaff84 100644 --- a/policy/modules/system/raid.if +++ b/policy/modules/system/raid.if @@ -46,37 +46,6 @@ interface(`raid_run_mdadm',` roleattribute $1 mdadm_roles; ') -######################################## -## -## read mdadm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`raid_read_mdadm_pid',` - refpolicywarn(`$0($*) has been deprecated, please use raid_read_mdadm_runtime_files() instead.') - raid_read_mdadm_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## mdadm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`raid_manage_mdadm_pid',` - refpolicywarn(`$0($*) has been deprecated, please use raid_manage_mdadm_runtime_files() instead.') - raid_manage_mdadm_runtime_files($1) -') - ######################################## ## ## Read mdadm runtime files. diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 5d2d3c1581..e9619743d5 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
@@ -548,36 +548,6 @@ interface(`sysnet_manage_config',` ') ') -####################################### -## -## Read the dhcp client pid file. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_read_dhcpc_pid',` - refpolicywarn(`$0($*) has been deprecated, please use sysnet_read_dhcpc_runtime_files() instead.') - sysnet_read_dhcpc_runtime_files($1) -') - -####################################### -## -## Delete the dhcp client pid file. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_delete_dhcpc_pid',` - refpolicywarn(`$0($*) has been deprecated, please use sysnet_delete_dhcpc_runtime_files() instead.') - sysnet_delete_dhcpc_runtime_files($1) -') - ####################################### ## ## Read dhcp client runtime files. diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 9dc91fbb79..df33315c8a 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -1113,51 +1113,6 @@ interface(`systemd_map_hwdb',` allow $1 systemd_hwdb_t:file map; ') -###################################### -## -## Read systemd_login PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_read_logind_pids',` - refpolicywarn(`$0($*) has been deprecated, please use systemd_read_logind_runtime_files() instead.') - systemd_read_logind_runtime_files($1) -') - -###################################### -## -## Manage systemd_login PID pipes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_manage_logind_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use systemd_manage_logind_runtime_pipes() instead.') - systemd_manage_logind_runtime_pipes($1) -') - -###################################### -## -## Write systemd_login named pipe. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_write_logind_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use systemd_write_logind_runtime_pipes() instead.') - systemd_write_logind_runtime_pipes($1) -') - ###################################### ## ## Watch systemd-logind runtime dirs. @@ -1709,21 +1664,6 @@ interface(`systemd_watch_passwd_runtime_dirs',` allow $1 systemd_passwd_runtime_t:dir watch; ') -######################################## -## -## manage systemd unit dirs and the files in them (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_manage_all_units',` - refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.') - init_manage_all_unit_files($1) -') - ######################################## ## ## Allow domain to list the contents of systemd_journal_t dirs diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index fef83e80e7..e83e0cb95d 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if 
@@ -242,193 +242,6 @@ interface(`udev_relabel_rules_files',` files_search_etc($1) ') -######################################## -## -## Do not audit search of udev database directories. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_search_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read the udev device table. (Deprecated) -## -## -##

-## Allow the specified domain to read the udev device table. (Deprecated) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`udev_read_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow process to modify list of devices. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_rw_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow process to relabelto udev database (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_relabelto_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow process to relabelto sockets in /run/udev (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_relabelto_db_sockets',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Search through udev pid content (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use udev_search_runtime() instead.') - udev_search_runtime($1) -') - -######################################## -## -## list udev pid content (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_list_pids',` - refpolicywarn(`$0($*) has been deprecated, please use udev_list_runtime() instead.') - udev_list_runtime($1) -') - -######################################## -## -## Create, read, write, and delete -## udev pid directories (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_manage_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use udev_manage_runtime_dirs() instead.') - udev_manage_runtime_dirs($1) -') - -######################################## -## -## Read udev pid files. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`udev_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use udev_read_runtime_files() instead.') - udev_read_runtime_files($1) -') - -######################################## -## -## dontaudit attempts to read/write udev pidfiles (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_dontaudit_rw_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use udev_dontaudit_rw_runtime_files() instead.') - udev_dontaudit_rw_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## udev pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use udev_manage_runtime_files() instead.') - udev_manage_runtime_files($1) -') - -######################################## -## -## Create directories in the run location with udev_runtime_t type (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Name of the directory that is created -## -## -# -interface(`udev_generic_pid_filetrans_run_dirs',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Search through udev runtime dirs. 
@@ -563,43 +376,6 @@ interface(`udev_domtrans_udevadm',` domtrans_pattern($1, udev_exec_t, udevadm_t) ') -######################################## -## -## Execute udev admin in the udevadm domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -# -interface(`udevadm_domtrans',` - refpolicywarn(`$0($*) has been deprecated, use udev_domtrans_udevadm() instead.') - udev_domtrans_udevadm($1) -') - -######################################## -## -## Execute udevadm in the udevadm domain, and -## allow the specified role the udevadm domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`udevadm_run',` - refpolicywarn(`$0($*) has been deprecated, use udev_run_udevadm() instead.') - udev_run_udevadm($1, $2) -') - ######################################## ## ## Execute udevadm in the udevadm domain, and @@ -626,21 +402,6 @@ interface(`udev_run_udevadm',` roleattribute $2 udevadm_roles; ') -######################################## -## -## Execute udevadm in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udevadm_exec',` - refpolicywarn(`$0($*) has been deprecated, use udev_exec_udevadm() instead.') - udev_exec_udevadm($1) -') - ######################################## ## ## Execute udevadm in the caller domain. diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 5f9fb1a682..ecc1a9112c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -3846,33 +3846,6 @@ interface(`userdom_delete_all_user_runtime_chr_files',` delete_chr_files_pattern($1, user_runtime_content_type, user_runtime_content_type) ') -######################################## -## -## Create objects in the pid directory -## with an automatic type transition to -## the user runtime root type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`userdom_pid_filetrans_user_runtime_root',` - refpolicywarn(`$0($*) has been deprecated, please use userdom_runtime_filetrans_user_runtime_root() instead.') - userdom_runtime_filetrans_user_runtime_root($1, $2, $3) -') - ######################################## ## ## Create objects in the runtime directory diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index e6ab038709..7f53015808 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -176,21 +176,6 @@ interface(`xen_manage_log',` manage_files_pattern($1, xend_var_log_t, xend_var_log_t) ') -####################################### -## -## Read xenstored pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_read_xenstored_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use xen_read_xenstored_runtime_files() instead.') - xen_read_xenstored_runtime_files($1) -') - ####################################### ## ## Read xenstored runtime files. 
@@ -272,31 +257,6 @@ interface(`xen_stream_connect',` stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) ') -######################################## -## -## Create in a xend_runtime_t directory (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`xen_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, please use xen_runtime_filetrans() instead.') - xen_runtime_filetrans($1, $2, $3) -') - ######################################## ## ## Create in a xend_runtime_t directory From ee3610e3df65e62e89dba3606f3d19ca8caeead9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 12 Dec 2022 09:10:20 -0500 Subject: [PATCH 119/257] tests.yml: Pin ubuntu 20.04. Fix this issue: Version 3.5 was not found in the local cache Error: The version '3.5' with architecture 'x64' was not found for Ubuntu 22.04. Signed-off-by: Chris PeBenito --- .github/workflows/tests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 816e740330..96605d8e21 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -8,7 +8,7 @@ env: jobs: lint: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3 @@ -56,7 +56,7 @@ jobs: selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: fail-fast: false From d4ee0d3c29b70570dd6f3099888fab503e964fdf Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 10 Dec 2022 16:24:25 -0500 Subject: [PATCH 120/257] systemd: add policy for systemd-pcrphase Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.te | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) 
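Review bot: `runs-on: ubuntu-20.04` in the build job fixes the missing Python 3.5 by freezing the runner image rather than the dependency that actually broke, so the job will fail again the day GitHub retires the 20.04 label, and nothing in the file records why the pin exists. If the interpreter matrix (outside this hunk) still lists 3.5, the more durable fix is to drop that entry or run it in a container that ships 3.5; if the pin must stay, add a comment so it is not "modernised" back to `ubuntu-latest` by mistake, e.g. `runs-on: ubuntu-20.04  # setup-python has no 3.5 build for ubuntu-22.04`. Note also that a runner label pins only the image family, not its contents, so this does not make the CI environment reproducible.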
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 0ccb9ccaa2..5a8572c0e2 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -36,6 +36,7 @@ /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-pcrphase -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0) /usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0) /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index ef25974ac1..61ca65236f 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -215,6 +215,10 @@ files_runtime_file(systemd_nspawn_runtime_t) type systemd_nspawn_tmp_t; files_tmp_file(systemd_nspawn_tmp_t) +type systemd_pcrphase_t; +type systemd_pcrphase_exec_t; +init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t) + type systemd_pstore_t; type systemd_pstore_exec_t; init_system_domain(systemd_pstore_t, systemd_pstore_exec_t) 
@@ -1360,6 +1364,28 @@ optional_policy(` plymouthd_stream_connect(systemd_passwd_agent_t) ') +######################################### +# +# systemd-pcrphase local policy +# + +allow systemd_pcrphase_t self:capability dac_override; +dontaudit systemd_pcrphase_t self:capability net_admin; + +dev_rw_tpm(systemd_pcrphase_t) +dev_write_kmsg(systemd_pcrphase_t) + +fs_read_efivarfs_files(systemd_pcrphase_t) +fs_getattr_cgroup(systemd_pcrphase_t) +fs_search_cgroup_dirs(systemd_pcrphase_t) + +kernel_dontaudit_getattr_proc(systemd_pcrphase_t) +kernel_read_kernel_sysctls(systemd_pcrphase_t) +kernel_read_system_state(systemd_pcrphase_t) + +init_read_state(systemd_pcrphase_t) + +logging_send_syslog_msg(systemd_pcrphase_t) ######################################### # From d55395c1a30156d8b8af97084026b89b0b753a17 Mon Sep 17 00:00:00 2001 From: Russell Coker Date: Thu, 8 Dec 2022 18:35:27 +1100 Subject: [PATCH 121/257] This patch removes deprecated interfaces that were deprecated in the 20210203 release. I think that 2 years of support for a deprecated interface is enough and by the time we have the next release out it will probably be more than 2 years since 20210203. I think this is ready to merge. 
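Review bot: `allow systemd_pcrphase_t self:capability dac_override;` is the broadest rule in the new systemd-pcrphase block and has no comment saying which access needs it, so a later reader cannot tell whether it is load-bearing or a one-off denial that was copied in. If it was provoked by opening a mode-restricted file under efivarfs or the TPM device node, `dac_read_search` is the narrower capability; if the tool works without it, a `dontaudit` in the style of the `net_admin` line directly below is the safer choice. Either way, please add a why-comment above the rule, e.g. `# dac_override: needed to open <path>; denial seen on boot — confirm`, matching how the `dev_rw_tpm` and `fs_read_efivarfs_files` calls could also carry a one-line note that this domain extends TPM PCRs from boot-phase measurements.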
Signed-off-by: Russell Coker --- policy/modules/admin/kismet.if | 31 -- policy/modules/admin/rpm.if | 55 --- policy/modules/admin/samhain.if | 15 - policy/modules/admin/sblim.if | 14 - policy/modules/apps/qemu.if | 17 +- policy/modules/kernel/corenetwork.if.m4 | 106 ----- policy/modules/kernel/devices.if | 45 -- policy/modules/kernel/files.if | 528 ---------------------- policy/modules/kernel/filesystem.if | 30 -- policy/modules/kernel/selinux.if | 22 - policy/modules/services/abrt.if | 30 -- policy/modules/services/amavis.if | 30 -- policy/modules/services/apcupsd.if | 14 - policy/modules/services/asterisk.if | 15 - policy/modules/services/avahi.if | 87 ---- policy/modules/services/bind.if | 14 - policy/modules/services/certmonger.if | 14 - policy/modules/services/clamav.if | 15 - policy/modules/services/consolesetup.if | 17 - policy/modules/services/couchdb.if | 15 - policy/modules/services/cron.if | 15 - policy/modules/services/cups.if | 15 - policy/modules/services/devicekit.if | 31 -- policy/modules/services/dnsmasq.if | 95 ---- policy/modules/services/exim.if | 14 - policy/modules/services/fail2ban.if | 14 - policy/modules/services/glance.if | 29 -- policy/modules/services/gssproxy.if | 14 - policy/modules/services/icecast.if | 14 - policy/modules/services/ifplugd.if | 14 - policy/modules/services/inn.if | 18 - policy/modules/services/memcached.if | 30 -- policy/modules/services/mysql.if | 29 -- policy/modules/services/networkmanager.if | 15 - policy/modules/services/nis.if | 29 -- policy/modules/services/nscd.if | 31 -- policy/modules/services/nslcd.if | 14 - policy/modules/services/openct.if | 15 - policy/modules/services/openvswitch.if | 15 - policy/modules/services/pcscd.if | 15 - policy/modules/services/plymouthd.if | 30 -- policy/modules/services/ppp.if | 57 --- policy/modules/services/psad.if | 28 -- policy/modules/services/qpid.if | 14 - policy/modules/services/rhsmcertd.if | 14 - policy/modules/services/rpcbind.if | 14 - 
policy/modules/services/samba.if | 15 - policy/modules/services/sanlock.if | 15 - policy/modules/services/smokeping.if | 29 -- policy/modules/services/spamassassin.if | 15 - policy/modules/services/sssd.if | 30 -- policy/modules/services/tuned.if | 29 -- policy/modules/services/uuidd.if | 14 - policy/modules/services/vdagent.if | 14 - policy/modules/services/vhostmd.if | 29 -- policy/modules/services/virt.if | 62 --- policy/modules/services/xserver.if | 15 - policy/modules/services/zabbix.if | 14 - policy/modules/system/authlogin.if | 117 ----- policy/modules/system/init.if | 148 ------ policy/modules/system/ipsec.if | 31 -- policy/modules/system/iptables.if | 15 - policy/modules/system/logging.if | 15 - policy/modules/system/lvm.if | 14 - policy/modules/system/modutils.if | 15 - policy/modules/system/raid.if | 31 -- policy/modules/system/sysnetwork.if | 30 -- policy/modules/system/systemd.if | 60 --- policy/modules/system/udev.if | 239 ---------- policy/modules/system/userdomain.if | 27 -- policy/modules/system/xen.if | 40 -- 71 files changed, 1 insertion(+), 2799 deletions(-) diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if index 4c3c0d2853..6c62e57af1 100644 --- a/policy/modules/admin/kismet.if +++ b/policy/modules/admin/kismet.if 
@@ -82,37 +82,6 @@ interface(`kismet_run',` roleattribute $2 kismet_roles; ') -######################################## -## -## Read kismet pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use kismet_read_runtime_files() instead.') - kismet_read_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## kismet pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use kismet_manage_runtime_files() instead.') - kismet_manage_runtime_files($1) -') - ######################################## ## ## Read kismet runtime files. diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index 2b5e0768e3..4abe1b6fbf 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if 
@@ -525,61 +525,6 @@ interface(`rpm_dontaudit_manage_db',` dontaudit $1 rpm_var_lib_t:file map; ') -##################################### -## -## Read rpm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - -##################################### -## -## Create, read, write, and delete -## rpm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use rpm_manage_runtime_files() instead.') - rpm_manage_runtime_files($1) -') - -######################################## -## -## Create specified objects in pid directories -## with the rpm pid file type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`rpm_pid_filetrans_rpm_pid',` - refpolicywarn(`$0($*) has been deprecated') -') - ##################################### ## ## Create, read, write, and delete diff --git a/policy/modules/admin/samhain.if b/policy/modules/admin/samhain.if index 7aa0c8197c..1618eaca85 100644 --- a/policy/modules/admin/samhain.if +++ b/policy/modules/admin/samhain.if @@ -173,21 +173,6 @@ interface(`samhain_manage_log_files',` manage_files_pattern($1, samhain_log_t, samhain_log_t) ') -######################################## -## -## Create, read, write, and delete -## samhain pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ####################################### ## ## All of the rules required to diff --git a/policy/modules/admin/sblim.if b/policy/modules/admin/sblim.if index 42b31f8f3f..9c1994c162 100644 --- a/policy/modules/admin/sblim.if +++ b/policy/modules/admin/sblim.if 
@@ -19,20 +19,6 @@ interface(`sblim_domtrans_gatherd',`
 domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
 ')
 
-########################################
-##
-## Read gatherd pid files. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sblim_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index a8570a252d..e9704a63d8 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -89,7 +89,7 @@ template(`qemu_domain_template',`
 optional_policy(`
 xserver_stream_connect($1_t)
 xserver_read_xdm_tmp_files($1_t)
- xserver_read_xdm_pid($1_t)
+ xserver_read_xdm_runtime_files($1_t)
 # xserver_xdm_rw_shm($1_t)
 ')
 ')
@@ -280,21 +280,6 @@ interface(`qemu_stream_connect',`
 stream_connect_pattern($1, qemu_runtime_t, qemu_runtime_t, qemu_t)
 ')
 
-########################################
-##
-## Unlink qemu socket (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`qemu_delete_pid_sock_file',`
- refpolicywarn(`$0($*) has been deprecated, please use qemu_delete_runtime_sock_files() instead.')
- qemu_delete_runtime_sock_files($1)
-')
-
 ########################################
 ##
 ## Unlink qemu runtime sockets.
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 5ef0b4e0df..372ad89358 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
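Review bot: The replacement call `xserver_read_xdm_runtime_files($1_t)` in qemu_domain_template is the single insertion in a commit whose diffstat also lists policy/modules/services/xserver.if with 15 deletions, which suggests the deprecated `xserver_read_xdm_pid()` wrapper is removed by this same commit rather than left emitting a refpolicywarn. Once a wrapper is deleted, any module still calling the old name would presumably fail at policy build time instead of warning, so it is worth confirming that this is the only remaining in-tree caller of xserver_read_xdm_pid and that the commit message (outside this view) states that the removed interfaces now break the build for downstream policy that has not migrated. The same consideration applies to every deprecated wrapper removed in the other hunks of this commit. qemu_domain_template starts and ends outside the hunk.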
@@ -461,112 +461,6 @@ interface(`corenet_udp_bind_$1_node',` ######################################## define(`create_port_interfaces',`` -######################################## -## -## Send and receive TCP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Send UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_send_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Do not audit attempts to send UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_send_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Receive UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_receive_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Do not audit attempts to receive UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_receive_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Send and receive UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the $1 port. -## -## -## -## Domain to not audit. 
-## -## -## -# -interface(`corenet_dontaudit_udp_sendrecv_$1_port',` - refpolicywarn(`dollarszero() has been deprecated, please remove.') -') - ######################################## ## ## Bind TCP sockets to the $1 port. diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 4239ba1f32..2fa4b69561 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3382,51 +3382,6 @@ interface(`dev_rw_mtrr',` rw_chr_files_pattern($1, device_t, mtrr_device_t) ') -######################################## -## -## Get the attributes of the network control device (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_netcontrol_dev',` - refpolicywarn(`$0() has been deprecated, use dev_getattr_pmqos_dev() instead.') - dev_getattr_pmqos_dev($1) -') - -######################################## -## -## Read the network control identity. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_netcontrol',` - refpolicywarn(`$0() has been deprecated, use dev_read_pmqos() instead.') - dev_read_pmqos($1) -') - -######################################## -## -## Read and write the the network control device. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_netcontrol',` - refpolicywarn(`$0() has been deprecated, use dev_rw_pmqos() instead.') - dev_rw_pmqos($1) -') - ######################################## ## ## Get the attributes of the null device nodes. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ab59540423..c386d19dc2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -189,50 +189,6 @@ interface(`files_security_mountpoint',` typeattribute $1 mountpoint; ') -######################################## -## -## Make the specified type usable for -## runtime process ID files. (Deprecated) -## -## -##

-## Make the specified type usable for runtime process ID files, -## typically found in /var/run. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a PID file type may result in problems with starting -## or stopping services. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_runtime_filetrans()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_runtime_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_runtime_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Type to be used for PID files. -## -## -## -# -interface(`files_pid_file',` - refpolicywarn(`$0($*) has been deprecated, please use files_runtime_file() instead.') - files_runtime_file($1) -') - ######################################## ## ## Make the specified type usable for 
@@ -6668,130 +6624,6 @@ interface(`files_lock_filetrans',` filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -######################################## -## -## Do not audit attempts to get the attributes -## of the /var/run directory. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_getattr_runtime_dirs() instead.') - files_dontaudit_getattr_runtime_dirs($1) -') - -######################################## -## -## mounton a /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_mounton_runtime_dirs() instead.') - files_mounton_runtime_dirs($1) -') - -######################################## -## -## Set the attributes of the /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_setattr_runtime_dirs() instead.') - files_setattr_runtime_dirs($1) -') - -######################################## -## -## Search the contents of runtime process -## ID directories (/var/run). (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_search_runtime() instead.') - files_search_runtime($1) -') - -######################################## -## -## Do not audit attempts to search -## the /var/run directory. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_search_runtime() instead.') - files_dontaudit_search_runtime($1) -') - -######################################## -## -## List the contents of the runtime process -## ID directories (/var/run). 
(Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_list_runtime() instead.') - files_list_runtime($1) -') - -######################################## -## -## Check write access on /var/run directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_check_write_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_check_write_runtime_dirs() instead.') - files_check_write_runtime_dirs($1) -') - -######################################## -## -## Create a /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_create_runtime_dirs() instead.') - files_create_runtime_dirs($1) -') - ######################################## ## ## Do not audit attempts to get the attributes @@ -6963,286 +6795,6 @@ interface(`files_watch_runtime_dirs',` allow $1 var_run_t:dir watch; ') -######################################## -## -## Read generic process ID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_generic_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_read_runtime_files() instead.') - files_read_runtime_files($1) -') - -######################################## -## -## Write named generic process ID pipes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_generic_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use files_write_runtime_pipes() instead.') - files_write_runtime_pipes($1) -') - -######################################## -## -## Create an object in the process ID directory, with a private type. (Deprecated) -## -## -##

-## Create an object in the process ID directory (e.g., /var/run) -## with a private type. Typically this is used for creating -## private PID files in /var/run with the private type instead -## of the general PID file type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_runtime_file()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_runtime_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_runtime_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -## -# -interface(`files_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, please use files_runtime_filetrans() instead.') - files_runtime_filetrans($1, $2, $3, $4) -') - -######################################## -## -## Create a generic lock directory within the run directories. (Deprecated) -## -## -## -## Domain allowed access -## -## -## -## -## The name of the object being created. -## -## -# -interface(`files_pid_filetrans_lock_dir',` - refpolicywarn(`$0($*) has been deprecated, please use files_runtime_filetrans_lock_dir() instead.') - files_runtime_filetrans_lock_dir($1, $2) -') - -######################################## -## -## Read and write generic process ID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_generic_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_rw_runtime_files() instead.') - files_rw_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## daemon runtime data files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_getattr_all_runtime_files() instead.') - files_dontaudit_getattr_all_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to write to daemon runtime data files. (Deprecated) -## -## -## -## Domain to not audit. 
-## -## -# -interface(`files_dontaudit_write_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_write_all_runtime_files() instead.') - files_dontaudit_write_all_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to ioctl daemon runtime data files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_ioctl_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_ioctl_all_runtime_files() instead.') - files_dontaudit_ioctl_all_runtime_files($1) -') - -######################################## -## -## manage all pidfile directories -## in the /var/run directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_all_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_manage_all_runtime_dirs() instead.') - files_manage_all_runtime_dirs($1) -') - -######################################## -## -## Read all process ID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_read_all_runtime_files() instead.') - files_read_all_runtime_files($1) -') - -######################################## -## -## Execute generic programs in /var/run in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_exec_generic_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use files_exec_runtime() instead.') - files_exec_runtime($1) -') - -######################################## -## -## Relabel all pid files. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`files_relabel_all_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_files() instead.') - files_relabel_all_runtime_files($1) -') - -######################################## -## -## Delete all process IDs. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_delete_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_delete_runtime_symlinks(); files_delete_all_runtime_files(); files_delete_all_runtime_dirs(); files_delete_all_runtime_sockets(); files_delete_all_runtime_pipes(); instead.') - files_delete_runtime_symlinks($1) - files_delete_all_runtime_files($1) - files_delete_all_runtime_dirs($1) - files_delete_all_runtime_sockets($1) - files_delete_all_runtime_pipes($1) -') - -######################################## -## -## Create all pid sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_all_pid_sockets',` - refpolicywarn(`$0($*) has been deprecated, please use files_create_all_runtime_sockets() instead.') - files_create_all_runtime_sockets($1) -') - -######################################## -## -## Create all pid named pipes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_all_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use files_create_all_runtime_pipes() instead.') - files_create_all_runtime_pipes($1) -') - ######################################## ## ## Read generic runtime files. 
@@ -7801,86 +7353,6 @@ interface(`files_delete_all_spool_sockets',` allow $1 spoolfile:sock_file delete_sock_file_perms; ') -######################################## -## -## Delete all process ID directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_all_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_delete_all_runtime_dirs() instead.') - files_delete_all_runtime_dirs($1) -') - -######################################## -## -## Create, read, write and delete all -## var_run (pid) content (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_manage_all_runtime_dirs(); files_manage_all_runtime_files(); files_manage_all_runtime_symlinks() instead.') - files_manage_all_runtime_dirs($1) - files_manage_all_runtime_files($1) - files_manage_all_runtime_symlinks($1) -') - -######################################## -## -## Relabel to/from all var_run (pid) directories (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_all_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_dirs() instead.') - files_relabel_all_runtime_dirs($1) -') - -######################################## -## -## Relabel to/from all var_run (pid) socket files (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_all_pid_sock_files',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_sockets() instead.') - files_relabel_all_runtime_sockets($1) -') - -######################################## -## -## Relabel to/from all var_run (pid) files and directories (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`files_relabel_all_pids',` - refpolicywarn(`$0($*) has been deprecated, please use files_relabel_all_runtime_dirs(); files_relabel_all_runtime_files(); files_relabel_all_runtime_symlinks() instead.') - files_relabel_all_runtime_dirs($1) - files_relabel_all_runtime_files($1) - files_relabel_all_runtime_symlinks($1) -') - ######################################## ## ## Mount filesystems on all polyinstantiation diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 173dcbdc73..9dedaddd59 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -5769,21 +5769,6 @@ interface(`fs_relabel_tmpfs_chr_files',` relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') -######################################## -## -## Relabel character nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabel_tmpfs_chr_file',` - refpolicywarn(`$0($*) has been deprecated, please use fs_relabel_tmpfs_chr_files() instead.') - fs_relabel_tmpfs_chr_files($1) -') - ######################################## ## ## Read and write block nodes on tmpfs filesystems. @@ -5822,21 +5807,6 @@ interface(`fs_relabel_tmpfs_blk_files',` relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') -######################################## -## -## Relabel block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabel_tmpfs_blk_file',` - refpolicywarn(`$0($*) has been deprecated, please use fs_relabel_tmpfs_blk_files() instead.') - fs_relabel_tmpfs_blk_files($1) -') - ######################################## ## ## Relabel named pipes on tmpfs filesystems. diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 13aa1e0525..19ffa640f9 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if 
@@ -697,28 +697,6 @@ interface(`selinux_use_status_page',` allow $1 security_t:file mmap_read_file_perms; ') -######################################## -## -## Allows caller to map secuirty_t files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# - -interface(`selinux_map_security_files',` - gen_require(` - type security_t; - ') - - refpolicywarn(`$0() has been deprecated, use selinux_use_status_page() instead.') - - dev_search_sysfs($1) - allow $1 security_t:file map; -') - ######################################## ## ## Unconfined access to the SELinux kernel security server. diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index e763b4b9f6..75753ed862 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -221,36 +221,6 @@ interface(`abrt_read_log',` read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') -###################################### -## -## Read abrt PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - -###################################### -## -## Create, read, write, and delete -## abrt PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use abrt_manage_runtime_files() instead.') - abrt_manage_runtime_files($1) -') - ###################################### ## ## Create, read, write, and delete diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index f0944bceb2..ebd5638e3a 100644 --- a/policy/modules/services/amavis.if +++ b/policy/modules/services/amavis.if 
@@ -171,36 +171,6 @@ interface(`amavis_manage_lib_files',` files_search_var_lib($1) ') -######################################## -## -## Set attributes of amavis pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_setattr_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use amavis_setattr_runtime_files() instead.') - amavis_setattr_runtime_files($1) -') - -######################################## -## -## Create amavis pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_create_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use amavis_create_runtime_files() instead.') - amavis_create_runtime_files($1) -') - ######################################## ## ## Set attributes of amavis runtime files. diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if index 5077cf4648..e0eeff71f7 100644 --- a/policy/modules/services/apcupsd.if +++ b/policy/modules/services/apcupsd.if @@ -39,20 +39,6 @@ interface(`apcupsd_initrc_domtrans',` init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) ') -######################################## -## -## Read apcupsd PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`apcupsd_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Read apcupsd log files. diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if index 31f446c66f..a1a74b1bea 100644 --- a/policy/modules/services/asterisk.if +++ b/policy/modules/services/asterisk.if 
@@ -79,21 +79,6 @@ interface(`asterisk_setattr_logs',` logging_search_logs($1) ') -####################################### -## -## Set attributes of the asterisk -## PID content. -## -## -## -## Domain allowed access. -## -## -# -interface(`asterisk_setattr_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## All of the rules required to diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index c223e8b3ae..fe9f460e33 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -133,36 +133,6 @@ interface(`avahi_stream_connect',` stream_connect_pattern($1, avahi_runtime_t, avahi_runtime_t, avahi_t) ') -######################################## -## -## Create avahi pid directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_create_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_create_runtime_dirs() instead.') - avahi_create_runtime_dirs($1) -') - -######################################## -## -## Set attributes of avahi pid directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_setattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_setattr_runtime_dirs() instead.') - avahi_setattr_runtime_dirs($1) -') - ######################################## ## ## Set attributes of avahi runtime directories. 
@@ -201,63 +171,6 @@ interface(`avahi_create_runtime_dirs',` allow $1 avahi_runtime_t:dir create_dir_perms; ') -######################################## -## -## Create, read, and write avahi pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_manage_runtime_files() instead.') - avahi_manage_runtime_files($1) -') - -######################################## -## -## Do not audit attempts to search -## avahi pid directories. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`avahi_dontaudit_search_pid',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_dontaudit_search_runtime() instead.') - avahi_dontaudit_search_runtime($1) -') - -######################################## -## -## Create specified objects in generic -## pid directories with the avahi pid file type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`avahi_filetrans_pid',` - refpolicywarn(`$0($*) has been deprecated, please use avahi_filetrans_runtime() instead.') - avahi_filetrans_runtime($*) -') - ######################################## ## ## Create, read, and write avahi runtime files. diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index 25ba4d1190..7c252d9aba 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -254,20 +254,6 @@ interface(`bind_manage_cache',` manage_lnk_files_pattern($1, named_cache_t, named_cache_t) ') -######################################## -## -## Set attributes of bind pid directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_setattr_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Set attributes of bind zone directories. 
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if index 1b89f9bbb3..5d4cf96155 100644 --- a/policy/modules/services/certmonger.if +++ b/policy/modules/services/certmonger.if @@ -59,20 +59,6 @@ interface(`certmonger_initrc_domtrans',` init_labeled_script_domtrans($1, certmonger_initrc_exec_t) ') -######################################## -## -## Read certmonger PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Search certmonger lib directories. diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 29d00c98f0..f59ce107c2 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -87,21 +87,6 @@ interface(`clamav_append_log',` append_files_pattern($1, clamd_var_log_t, clamd_var_log_t) ') -######################################## -## -## Create, read, write, and delete -## clamav pid content. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_manage_pid_content',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Read clamav configuration files. diff --git a/policy/modules/services/consolesetup.if b/policy/modules/services/consolesetup.if index f5f766f03c..d9b65ddbff 100644 --- a/policy/modules/services/consolesetup.if +++ b/policy/modules/services/consolesetup.if 
@@ -83,23 +83,6 @@ interface(`consolesetup_manage_runtime', `
 manage_files_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t)
 ')
-########################################
-##
-## Create a console-setup directory in
-## the runtime directory. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`consolesetup_pid_filetrans_runtime', `
- refpolicywarn(`$0($*) has been deprecated, please use consolesetup_runtime_filetrans_runtime_dir() instead.')
- consolesetup_runtime_filetrans_runtime_dir($1)
-')
-
 ########################################
 ##
 ## Create a console-setup directory in
diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
index cc925162c1..1be0403ba7 100644
--- a/policy/modules/services/couchdb.if
+++ b/policy/modules/services/couchdb.if
@@ -57,21 +57,6 @@ interface(`couchdb_read_conf_files',`
 read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
-########################################
-##
-## Read couchdb pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`couchdb_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use couchdb_read_runtime_files() instead.')
- couchdb_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read couchdb runtime files.
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index ecf8952169..78de1d27ca 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -663,21 +663,6 @@ interface(`cron_search_spool',`
 allow $1 cron_spool_t:dir search_dir_perms;
 ')
-########################################
-##
-## Create, read, write, and delete
-## crond pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`cron_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Execute anacron in the cron
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index c8c50c399b..852db3d673 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -94,21 +94,6 @@ interface(`cups_dbus_chat',`
 allow cupsd_t $1:dbus send_msg;
 ')
-########################################
-##
-## Read cups PID files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`cups_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use cups_read_runtime_files() instead.')
- cups_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read cups runtime files.
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index 17862b6b80..58c82ab1f0 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -199,37 +199,6 @@ interface(`devicekit_relabel_log_files',`
 relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
 ')
-########################################
-##
-## Read devicekit PID files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`devicekit_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use devicekit_read_runtime_files() instead.')
- devicekit_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## devicekit PID files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`devicekit_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use devicekit_manage_runtime_files() instead.')
- devicekit_manage_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read devicekit runtime files.
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index c0b4bc2824..5bf375b185 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -135,101 +135,6 @@ interface(`dnsmasq_write_config',`
 files_search_etc($1)
 ')
-########################################
-##
-## Delete dnsmasq pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`dnsmasq_delete_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_delete_runtime_files() instead.')
- dnsmasq_delete_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## dnsmasq pid files (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dnsmasq_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_manage_runtime_files() instead.')
- dnsmasq_manage_runtime_files($1)
-')
-
-########################################
-##
-## Read dnsmasq pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-#
-interface(`dnsmasq_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_read_runtime_files() instead.')
- dnsmasq_read_runtime_files($1)
-')
-
-########################################
-##
-## Create dnsmasq pid directories. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dnsmasq_create_pid_dirs',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_create_runtime_dirs() instead.')
- dnsmasq_create_runtime_dirs($1)
-')
-
-########################################
-##
-## Create specified objects in specified
-## directories with a type transition to
-## the dnsmasq pid file type. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`dnsmasq_spec_filetrans_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use dnsmasq_virt_runtime_filetrans_runtime() instead.')
- dnsmasq_virt_runtime_filetrans_runtime($1, $3, $4)
-')
-
 ########################################
 ##
 ## Create dnsmasq runtime directories.
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index ceff9d87b0..66dc62452e 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -103,20 +103,6 @@ interface(`exim_read_tmp_files',`
 files_search_tmp($1)
 ')
-########################################
-##
-## Read exim pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`exim_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read exim log files.
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index d270e693a5..c5884093ae 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -220,20 +220,6 @@ interface(`fail2ban_append_log',`
 allow $1 fail2ban_log_t:file append_file_perms;
 ')
-########################################
-##
-## Read fail2ban pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
index 7098328519..eff86ff1b1 100644
--- a/policy/modules/services/glance.if
+++ b/policy/modules/services/glance.if
@@ -179,35 +179,6 @@ interface(`glance_manage_lib_dirs',`
 manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
 ')
-########################################
-##
-## Read glance pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glance_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Create, read, write, and delete
-## glance pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`glance_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/gssproxy.if b/policy/modules/services/gssproxy.if
index 27d9d9f813..693d5228e3 100644
--- a/policy/modules/services/gssproxy.if
+++ b/policy/modules/services/gssproxy.if
@@ -95,20 +95,6 @@ interface(`gssproxy_manage_lib_dirs',`
 manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
 ')
-########################################
-##
-## Read gssproxy PID files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gssproxy_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to gssproxy over an unix
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
index 0d3cc58fcd..65fbd96a88 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
@@ -55,20 +55,6 @@ interface(`icecast_initrc_domtrans',`
 init_labeled_script_domtrans($1, icecast_initrc_exec_t)
 ')
-########################################
-##
-## Read icecast pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`icecast_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
index 3e75f24ae2..8e9bd02328 100644
--- a/policy/modules/services/ifplugd.if
+++ b/policy/modules/services/ifplugd.if
@@ -77,20 +77,6 @@ interface(`ifplugd_manage_config',`
 manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
 ')
-########################################
-##
-## Read ifplugd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`ifplugd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index 2f5cc3e8fb..7a4343b729 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -86,24 +86,6 @@ interface(`inn_generic_log_filetrans_innd_log',`
 logging_log_filetrans($1, innd_log_t, $2, $3)
 ')
-########################################
-##
-## Create, read, write, and delete
-## innd pid content. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`inn_manage_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use inn_manage_runtime_dirs(); inn_manage_runtime_files()inn_manage_runtime_sockets() instead.')
- inn_manage_runtime_dirs($1)
- inn_manage_runtime_files($1)
- inn_manage_runtime_sockets($1)
-')
-
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
index 34423fcf1f..9644187746 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -19,36 +19,6 @@ interface(`memcached_domtrans',`
 domtrans_pattern($1, memcached_exec_t, memcached_t)
 ')
-########################################
-##
-## Create, read, write, and delete
-## memcached pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`memcached_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use memcached_manage_runtime_files() instead.')
- memcached_manage_runtime_files($1)
-')
-
-########################################
-##
-## Read memcached pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`memcached_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index f8d7c373d2..ea50660ce2 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -386,35 +386,6 @@ interface(`mysql_domtrans_mysql_safe',`
 domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
 ')
-#####################################
-##
-## Read mysqld pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mysql_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#####################################
-##
-## Search mysqld pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`mysql_search_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 88d2fa6e20..59ce01ce58 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -271,21 +271,6 @@ interface(`networkmanager_append_log_files',`
 append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 ')
-########################################
-##
-## Read networkmanager pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`networkmanager_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use networkmanager_read_runtime_files() instead.')
- networkmanager_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read networkmanager runtime files.
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 4c6724b576..ba5c6a9d93 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -210,21 +210,6 @@ interface(`nis_list_var_yp',`
 allow $1 var_yp_t:dir list_dir_perms;
 ')
-########################################
-##
-## Read ypbind pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nis_read_ypbind_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use nis_read_ypbind_runtime_files() instead.')
- nis_read_ypbind_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read ypbind runtime files.
@@ -244,20 +229,6 @@ interface(`nis_read_ypbind_runtime_files',`
 allow $1 ypbind_runtime_t:file read_file_perms;
 ')
-########################################
-##
-## Delete ypbind pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nis_delete_ypbind_pid',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read ypserv configuration files.
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 790e8a5f42..3f87cc461a 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -172,37 +172,6 @@ interface(`nscd_use',`
 ')
 ')
-########################################
-##
-## Do not audit attempts to search
-## nscd pid directories. (Deprecated)
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`nscd_dontaudit_search_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use nscd_dontaudit_search_runtime() instead.')
- nscd_dontaudit_search_runtime($1)
-')
-
-########################################
-##
-## Read nscd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nscd_read_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use nscd_read_runtime_files() instead.')
- nscd_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Do not audit attempts to search
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
index df0e05059a..5858ef9e83 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
@@ -37,20 +37,6 @@ interface(`nslcd_initrc_domtrans',`
 init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
 ')
-########################################
-##
-## Read nslcd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`nslcd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to nslcd over an unix
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index f6ced13a92..3199d585df 100644
--- a/policy/modules/services/openct.if
+++ b/policy/modules/services/openct.if
@@ -56,21 +56,6 @@ interface(`openct_domtrans',`
 domtrans_pattern($1, openct_exec_t, openct_t)
 ')
-########################################
-##
-## Read openct pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`openct_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use openct_read_runtime_files() instead.')
- openct_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read openct runtime files.
diff --git a/policy/modules/services/openvswitch.if b/policy/modules/services/openvswitch.if
index 73bbb6d697..e7af2589a9 100644
--- a/policy/modules/services/openvswitch.if
+++ b/policy/modules/services/openvswitch.if
@@ -19,21 +19,6 @@ interface(`openvswitch_domtrans',`
 domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
 ')
-########################################
-##
-## Read openvswitch pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`openvswitch_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use openvswitch_read_runtime_files() instead.')
- openvswitch_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read openvswitch runtime files.
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
index 219161c2a4..d6f652360b 100644
--- a/policy/modules/services/pcscd.if
+++ b/policy/modules/services/pcscd.if
@@ -19,21 +19,6 @@ interface(`pcscd_domtrans',`
 domtrans_pattern($1, pcscd_exec_t, pcscd_t)
 ')
-########################################
-##
-## Read pcscd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`pcscd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use pcscd_read_runtime_files() instead.')
- pcscd_read_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read pcscd runtime files.
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index b0a3999359..74539d062f 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -231,36 +231,6 @@ interface(`plymouthd_manage_lib_files',`
 manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
 ')
-########################################
-##
-## Read plymouthd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`plymouthd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use plymouthd_read_runtime_files() instead.')
- plymouthd_read_runtime_files($1)
-')
-
-########################################
-##
-## Delete the plymouthd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`plymouthd_delete_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use plymouthd_delete_runtime_files() instead.')
- plymouthd_delete_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read plymouthd runtime files.
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index dd09fa9543..cf7f567db8 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -353,63 +353,6 @@ interface(`ppp_read_secrets',`
 allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
 ')
-########################################
-##
-## Read ppp pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`ppp_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use ppp_read_runtime_files() instead.')
- ppp_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## ppp pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`ppp_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use ppp_manage_runtime_files() instead.')
- ppp_manage_runtime_files($1)
-')
-
-########################################
-##
-## Create specified pppd pid objects
-## with a type transition. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`ppp_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, please use ppp_runtime_filetrans() instead.')
- ppp_runtime_filetrans($1, $2, $3)
-')
-
 ########################################
 ##
 ## Read ppp runtime files.
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index fe191f52fb..1193f97ca4 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -98,34 +98,6 @@ interface(`psad_manage_config',`
 allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
 ')
-########################################
-##
-## Read psad pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`psad_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Read and write psad pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`psad_rw_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read psad log content.
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if
index 9b0dd4abfa..375bc7cbc3 100644
--- a/policy/modules/services/qpid.if
+++ b/policy/modules/services/qpid.if
@@ -74,20 +74,6 @@ interface(`qpidd_initrc_domtrans',`
 init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
 ')
-########################################
-##
-## Read qpidd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`qpidd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Search qpidd lib directories.
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
index dbc8a61c09..673ae1986f 100644
--- a/policy/modules/services/rhsmcertd.if
+++ b/policy/modules/services/rhsmcertd.if
@@ -177,20 +177,6 @@ interface(`rhsmcertd_manage_lib_dirs',`
 manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 ')
-########################################
-##
-## Read rhsmcertd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rhsmcertd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ####################################
 ##
 ## Connect to rhsmcertd with a
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
index b815d02dee..0938487d22 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -39,20 +39,6 @@ interface(`rpcbind_stream_connect',`
 stream_connect_pattern($1, rpcbind_runtime_t, rpcbind_runtime_t, rpcbind_t)
 ')
-########################################
-##
-## Read rpcbind pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rpcbind_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Search rpcbind lib directories.
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 92eab06d7b..05e713672e 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -705,21 +705,6 @@ interface(`samba_run_winbind_helper',`
 roleattribute $2 winbind_helper_roles;
 ')
-########################################
-##
-## Read winbind pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`samba_read_winbind_pid',`
- refpolicywarn(`$0($*) has been deprecated, please use samba_read_winbind_runtime_files() instead.')
- samba_read_winbind_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read winbind runtime files.
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
index 2fe384a521..d6c94ecc6e 100644
--- a/policy/modules/services/sanlock.if
+++ b/policy/modules/services/sanlock.if
@@ -38,21 +38,6 @@ interface(`sanlock_initrc_domtrans',`
 init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
 ')
-######################################
-##
-## Create, read, write, and delete
-## sanlock pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sanlock_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to sanlock with a unix
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
index 83c55e2798..27b89ed7f4 100644
--- a/policy/modules/services/smokeping.if
+++ b/policy/modules/services/smokeping.if
@@ -38,35 +38,6 @@ interface(`smokeping_initrc_domtrans',`
 init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
 ')
-########################################
-##
-## Read smokeping pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`smokeping_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Create, read, write, and delete
-## smokeping pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`smokeping_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Get attributes of smokeping lib files.
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index b530a76f8d..86afba2d0e 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -363,21 +363,6 @@ interface(`spamassassin_manage_lib_files',`
 manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 ')
-########################################
-##
-## Read spamd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`spamassassin_read_spamd_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use spamassassin_read_spamd_runtime_files() instead.')
- spamassassin_read_spamd_runtime_files($1)
-')
-
 ########################################
 ##
 ## Read spamd runtime files.
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 4814414512..491ff9ae5c 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -155,36 +155,6 @@ interface(`sssd_manage_public_files',`
 manage_files_pattern($1, sssd_public_t, sssd_public_t)
 ')
-########################################
-##
-## Read sssd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sssd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use sssd_read_runtime_files() instead.')
- sssd_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## sssd pid content. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sssd_manage_pids',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read sssd runtime files.
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
index 6fd0f35f05..aecfe22fcf 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -38,35 +38,6 @@ interface(`tuned_exec',`
 can_exec($1, tuned_exec_t)
 ')
-######################################
-##
-## Read tuned pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`tuned_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#######################################
-##
-## Create, read, write, and delete
-## tuned pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`tuned_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Execute tuned init scripts in
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
index b1469d3c15..a7868f17ad 100644
--- a/policy/modules/services/uuidd.if
+++ b/policy/modules/services/uuidd.if
@@ -116,20 +116,6 @@ interface(`uuidd_manage_lib_dirs',`
 manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
 ')
-########################################
-##
-## Read uuidd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`uuidd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to uuidd with an unix
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
index d31894325f..73fc90d259 100644
--- a/policy/modules/services/vdagent.if
+++ b/policy/modules/services/vdagent.if
@@ -56,20 +56,6 @@ interface(`vdagent_getattr_log',`
 allow $1 vdagent_log_t:file getattr_file_perms;
 ')
-########################################
-##
-## Read vdagent pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`vdagent_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 #####################################
 ##
 ## Connect to vdagent with a unix
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
index 3e737dd010..831bbefe2b 100644
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@@ -115,35 +115,6 @@ interface(`vhostmd_manage_tmpfs_files',`
 manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 ')
-########################################
-##
-## Read vhostmd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`vhostmd_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-##
-## Create, read, write, and delete
-## vhostmd pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`vhostmd_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Connect to vhostmd with a unix
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index ee7fd18fc6..0a85a67d46 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -735,36 +735,6 @@ interface(`virt_home_filetrans_virt_home',`
 userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
 ')
-########################################
-##
-## Read virt pid files. (Depprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`virt_read_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use virt_read_runtime_files() instead.')
- virt_read_runtime_files($1)
-')
-
-########################################
-##
-## Create, read, write, and delete
-## virt pid files. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`virt_manage_pid_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
 ########################################
 ##
 ## Read virt runtime files.
@@ -877,38 +847,6 @@ interface(`virt_manage_lib_files',`
 manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 ')
-########################################
-##
-## Create objects in virt pid
-## directories with a private type. (Deprecated)
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to be created.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-##
-#
-interface(`virt_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, please use virt_runtime_filetrans() instead.')
- virt_runtime_filetrans($1, $2, $3, $4)
-')
-
 ########################################
 ##
 ## Read virt log files.
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6ee85e0a9e..ba98628b3f 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -994,21 +994,6 @@ interface(`xserver_delete_xdm_tmp_sockets',` delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -######################################## -## -## Read XDM pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xdm_pid',` - refpolicywarn(`$0($*) has been deprecated, please use xserver_read_xdm_runtime_files() instead.') - xserver_read_xdm_runtime_files($1) -') - ######################################## ## ## Read XDM runtime files. diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index 11f1e5f73c..49aaa9a5e7 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -78,20 +78,6 @@ interface(`zabbix_append_log',` append_files_pattern($1, zabbix_log_t, zabbix_log_t) ') -######################################## -## -## Read zabbix pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Connect to zabbix agent on the TCP network. diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 4648ee4b7d..4a2bfbccbb 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
@@ -1109,95 +1109,6 @@ interface(`auth_manage_var_auth',` allow $1 var_auth_t:lnk_file rw_lnk_file_perms; ') -######################################## -## -## Read PAM PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_read_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_read_pam_runtime_files() instead.') - auth_read_pam_runtime_files($1) -') - -####################################### -## -## Do not audit attempts to read PAM PID files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_read_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_dontaudit_read_pam_runtime_files() instead.') - auth_dontaudit_read_pam_runtime_files($1) -') - -######################################## -## -## Create specified objects in -## pid directories with the pam var -## run file type using a -## file type transition. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`auth_pid_filetrans_pam_var_run',` - refpolicywarn(`$0($*) has been deprecated, please use auth_runtime_filetrans_pam_runtime() instead.') - auth_runtime_filetrans_pam_runtime($1, $2, $3) -') - -######################################## -## -## Delete pam PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_delete_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_delete_pam_runtime_files() instead.') - auth_delete_pam_runtime_files($1) -') - -######################################## -## -## Manage pam PID files. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`auth_manage_pam_pid',` - refpolicywarn(`$0($*) has been deprecated, please use auth_manage_pam_runtime_dirs(); auth_manage_pam_runtime_files() instead.') - auth_manage_pam_runtime_dirs($1) - auth_manage_pam_runtime_files($1) -') - ######################################## ## ## Manage pam runtime dirs. @@ -1479,34 +1390,6 @@ interface(`auth_delete_pam_console_data',` delete_files_pattern($1, pam_var_console_t, pam_var_console_t) ') -######################################## -## -## Create specified objects in -## pid directories with the pam var -## console pid file type using a -## file type transition. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`auth_pid_filetrans_pam_var_console',` - refpolicywarn(`$0($*) has been deprecated, please use auth_runtime_filetrans_pam_var_console() instead.') - auth_runtime_filetrans_pam_var_console($1, $2, $3) -') - ######################################## ## ## Create specified objects in generic diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index ba25610486..0726d70e46 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -638,33 +638,6 @@ interface(`init_dyntrans',` dyntrans_pattern($1, init_t) ') -######################################## -## -## Mark the file type as a daemon pid file, allowing initrc_t -## to create it (Deprecated) -## -## -## -## Type to mark as a daemon pid file -## -## -## -## -## Class on which the type is applied -## -## -## -## -## Filename of the file that the init script creates -## -## -# -interface(`init_daemon_pid_file',` - refpolicywarn(`$0($*) has been deprecated, please use init_daemon_runtime_file() instead.') - init_daemon_runtime_file($1, $2, $3) - -') - ######################################## ## ## Mark the file type as a daemon runtime file, allowing initrc_t 
@@ -1532,127 +1505,6 @@ interface(`init_var_lib_filetrans',` filetrans_pattern($1, init_var_lib_t, $2, $3, $4) ') -###################################### -## -## Allow search directory in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use init_search_runtime() instead.') - init_search_runtime($1) -') - -###################################### -## -## Allow listing of the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_list_pids',` - refpolicywarn(`$0($*) has been deprecated, please use init_list_runtime() instead.') - init_list_runtime($1) -') - -###################################### -## -## Create symbolic links in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_manage_pid_symlinks', ` - refpolicywarn(`$0($*) has been deprecated, please use init_manage_runtime_symlinks() instead.') - init_manage_runtime_symlinks($1) -') - -###################################### -## -## Create files in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_create_pid_files', ` - refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_files() instead.') - init_create_runtime_files($1) -') - -###################################### -## -## Write files in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_write_pid_files', ` - refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_files() instead.') - init_write_runtime_files($1) -') - -###################################### -## -## Create, read, write, and delete -## directories in the /run/systemd directory. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`init_manage_pid_dirs', ` - refpolicywarn(`$0($*) has been deprecated, please use init_manage_runtime_dirs() instead.') - init_manage_runtime_dirs($1) -') - -######################################## -## -## Create files in an init PID directory. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`init_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans() instead.') - init_runtime_filetrans($*) -') - ###################################### ## ## Search init runtime directories, e.g. /run/systemd. diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 5d29bb0c89..2183207f48 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -246,37 +246,6 @@ interface(`ipsec_setcontext_default_spd',` allow $1 ipsec_spd_t:association setcontext; ') -######################################## -## -## write the ipsec_runtime_t files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_write_pid',` - refpolicywarn(`$0($*) has been deprecated, please use ipsec_write_runtime_files() instead.') - ipsec_write_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete the IPSEC pid files. -## (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_manage_pid',` - refpolicywarn(`$0($*) has been deprecated, please use ipsec_manage_runtime_files() instead.') - ipsec_manage_runtime_files($1) -') - ######################################## ## ## Write ipsec runtime files. diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index af9c54632d..f1ddfcdee8 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if 
@@ -235,21 +235,6 @@ interface(`iptables_mounton_runtime_files',` allow $1 iptables_runtime_t:file mounton; ') -######################################## -## -## dontaudit reading iptables_runtime_t (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`iptables_dontaudit_read_pids',` - refpolicywarn(`$0($*) has been deprecated, please use iptables_dontaudit_read_runtime_files() instead.') - iptables_dontaudit_read_runtime_files($1) -') - ######################################## ## ## Do not audit reading iptables runtime files. diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index cf7ef17214..e6bdf9bfd4 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -844,21 +844,6 @@ interface(`logging_watch_runtime_dirs',` allow $1 syslogd_runtime_t:dir watch; ') -######################################## -## -## Create, read, write, and delete syslog PID sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_manage_pid_sockets',` - refpolicywarn(`$0($*) has been deprecated, please use logging_manage_runtime_sockets() instead.') - logging_manage_runtime_sockets($1) -') - ######################################## ## ## Create, read, write, and delete syslog PID sockets. diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 468cbcaa83..2f0a2bb376 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -172,20 +172,6 @@ interface(`lvm_create_lock_dirs',` files_add_entry_lock_dirs($1) ') -######################################## -## -## Read and write a lvm unnamed pipe. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`lvm_rw_inherited_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated.') -') - ###################################### ## ## All of the rules required to 
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 05563897f4..08ec097794 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -38,21 +38,6 @@ interface(`modutils_read_module_deps',` allow $1 modules_dep_t:file { read_file_perms map }; ') -######################################## -## -## Read the kernel modules. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_read_module_objects',` - refpolicywarn(`$0($*) has been deprecated, please use files_mmap_read_kernel_modules() instead.') - files_mmap_read_kernel_modules($1) -') - ######################################## ## ## Read the configuration options used when diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if index 6b3959b002..9cdffaff84 100644 --- a/policy/modules/system/raid.if +++ b/policy/modules/system/raid.if @@ -46,37 +46,6 @@ interface(`raid_run_mdadm',` roleattribute $1 mdadm_roles; ') -######################################## -## -## read mdadm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`raid_read_mdadm_pid',` - refpolicywarn(`$0($*) has been deprecated, please use raid_read_mdadm_runtime_files() instead.') - raid_read_mdadm_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## mdadm pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`raid_manage_mdadm_pid',` - refpolicywarn(`$0($*) has been deprecated, please use raid_manage_mdadm_runtime_files() instead.') - raid_manage_mdadm_runtime_files($1) -') - ######################################## ## ## Read mdadm runtime files. diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 5d2d3c1581..e9619743d5 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
@@ -548,36 +548,6 @@ interface(`sysnet_manage_config',` ') ') -####################################### -## -## Read the dhcp client pid file. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_read_dhcpc_pid',` - refpolicywarn(`$0($*) has been deprecated, please use sysnet_read_dhcpc_runtime_files() instead.') - sysnet_read_dhcpc_runtime_files($1) -') - -####################################### -## -## Delete the dhcp client pid file. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_delete_dhcpc_pid',` - refpolicywarn(`$0($*) has been deprecated, please use sysnet_delete_dhcpc_runtime_files() instead.') - sysnet_delete_dhcpc_runtime_files($1) -') - ####################################### ## ## Read dhcp client runtime files. diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 9dc91fbb79..df33315c8a 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -1113,51 +1113,6 @@ interface(`systemd_map_hwdb',` allow $1 systemd_hwdb_t:file map; ') -###################################### -## -## Read systemd_login PID files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_read_logind_pids',` - refpolicywarn(`$0($*) has been deprecated, please use systemd_read_logind_runtime_files() instead.') - systemd_read_logind_runtime_files($1) -') - -###################################### -## -## Manage systemd_login PID pipes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_manage_logind_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use systemd_manage_logind_runtime_pipes() instead.') - systemd_manage_logind_runtime_pipes($1) -') - -###################################### -## -## Write systemd_login named pipe. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_write_logind_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use systemd_write_logind_runtime_pipes() instead.') - systemd_write_logind_runtime_pipes($1) -') - ###################################### ## ## Watch systemd-logind runtime dirs. @@ -1709,21 +1664,6 @@ interface(`systemd_watch_passwd_runtime_dirs',` allow $1 systemd_passwd_runtime_t:dir watch; ') -######################################## -## -## manage systemd unit dirs and the files in them (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_manage_all_units',` - refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.') - init_manage_all_unit_files($1) -') - ######################################## ## ## Allow domain to list the contents of systemd_journal_t dirs diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index fef83e80e7..e83e0cb95d 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if 
@@ -242,193 +242,6 @@ interface(`udev_relabel_rules_files',` files_search_etc($1) ') -######################################## -## -## Do not audit search of udev database directories. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_search_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read the udev device table. (Deprecated) -## -## -##

-## Allow the specified domain to read the udev device table. (Deprecated) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`udev_read_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow process to modify list of devices. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_rw_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow process to relabelto udev database (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_relabelto_db',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow process to relabelto sockets in /run/udev (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_relabelto_db_sockets',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Search through udev pid content (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_search_pids',` - refpolicywarn(`$0($*) has been deprecated, please use udev_search_runtime() instead.') - udev_search_runtime($1) -') - -######################################## -## -## list udev pid content (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_list_pids',` - refpolicywarn(`$0($*) has been deprecated, please use udev_list_runtime() instead.') - udev_list_runtime($1) -') - -######################################## -## -## Create, read, write, and delete -## udev pid directories (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_manage_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use udev_manage_runtime_dirs() instead.') - udev_manage_runtime_dirs($1) -') - -######################################## -## -## Read udev pid files. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`udev_read_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use udev_read_runtime_files() instead.') - udev_read_runtime_files($1) -') - -######################################## -## -## dontaudit attempts to read/write udev pidfiles (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_dontaudit_rw_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use udev_dontaudit_rw_runtime_files() instead.') - udev_dontaudit_rw_runtime_files($1) -') - -######################################## -## -## Create, read, write, and delete -## udev pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_manage_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use udev_manage_runtime_files() instead.') - udev_manage_runtime_files($1) -') - -######################################## -## -## Create directories in the run location with udev_runtime_t type (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## Name of the directory that is created -## -## -# -interface(`udev_generic_pid_filetrans_run_dirs',` - refpolicywarn(`$0($*) has been deprecated.') -') - ######################################## ## ## Search through udev runtime dirs. 
@@ -563,43 +376,6 @@ interface(`udev_domtrans_udevadm',` domtrans_pattern($1, udev_exec_t, udevadm_t) ') -######################################## -## -## Execute udev admin in the udevadm domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -# -interface(`udevadm_domtrans',` - refpolicywarn(`$0($*) has been deprecated, use udev_domtrans_udevadm() instead.') - udev_domtrans_udevadm($1) -') - -######################################## -## -## Execute udevadm in the udevadm domain, and -## allow the specified role the udevadm domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`udevadm_run',` - refpolicywarn(`$0($*) has been deprecated, use udev_run_udevadm() instead.') - udev_run_udevadm($1, $2) -') - ######################################## ## ## Execute udevadm in the udevadm domain, and @@ -626,21 +402,6 @@ interface(`udev_run_udevadm',` roleattribute $2 udevadm_roles; ') -######################################## -## -## Execute udevadm in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`udevadm_exec',` - refpolicywarn(`$0($*) has been deprecated, use udev_exec_udevadm() instead.') - udev_exec_udevadm($1) -') - ######################################## ## ## Execute udevadm in the caller domain. diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 5f9fb1a682..ecc1a9112c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -3846,33 +3846,6 @@ interface(`userdom_delete_all_user_runtime_chr_files',` delete_chr_files_pattern($1, user_runtime_content_type, user_runtime_content_type) ') -######################################## -## -## Create objects in the pid directory -## with an automatic type transition to -## the user runtime root type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`userdom_pid_filetrans_user_runtime_root',` - refpolicywarn(`$0($*) has been deprecated, please use userdom_runtime_filetrans_user_runtime_root() instead.') - userdom_runtime_filetrans_user_runtime_root($1, $2, $3) -') - ######################################## ## ## Create objects in the runtime directory diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index e6ab038709..7f53015808 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -176,21 +176,6 @@ interface(`xen_manage_log',` manage_files_pattern($1, xend_var_log_t, xend_var_log_t) ') -####################################### -## -## Read xenstored pid files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_read_xenstored_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use xen_read_xenstored_runtime_files() instead.') - xen_read_xenstored_runtime_files($1) -') - ####################################### ## ## Read xenstored runtime files. 
@@ -272,31 +257,6 @@ interface(`xen_stream_connect',`
 stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
 ')
 
-########################################
-##
-## Create in a xend_runtime_t directory (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to be created.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-#
-interface(`xen_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, please use xen_runtime_filetrans() instead.')
- xen_runtime_filetrans($1, $2, $3)
-')
-
 ########################################
 ##
 ## Create in a xend_runtime_t directory
From 065c6a0f3c7774a585add7ac5a2bae6044ea37f8 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 12 Dec 2022 09:10:20 -0500
Subject: [PATCH 122/257] tests.yml: Pin ubuntu 20.04.

Fix this issue:
Version 3.5 was not found in the local cache
Error: The version '3.5' with architecture 'x64' was not found for Ubuntu 22.04.

Signed-off-by: Chris PeBenito
---
 .github/workflows/tests.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 816e740330..96605d8e21 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -8,7 +8,7 @@ env:
 
 jobs:
 lint:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@v3
 
@@ -56,7 +56,7 @@ jobs:
 selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
 
 build:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-20.04
 strategy:
 fail-fast: false
 
From 26f9727760dcbd0a665b899ee3d197e54f11b9c1 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 09:45:49 -0500
Subject: [PATCH 123/257] hddtemp: add missing rules for interactive usage

Add missing rules required for hddtemp admins to interactively run hddtemp.
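Review bot: Both `runs-on: ubuntu-20.04` pins land without a comment, so the file itself gives no hint why `ubuntu-latest` was abandoned; the reason (actions/setup-python has no Python 3.5 build for the 22.04 image) lives only in the commit message. A one-line comment above each pin, `# pinned: setup-python has no 3.5 build on newer images`, would stop the next cleanup from reverting to ubuntu-latest and reintroducing the failure. Runner images are retired on a schedule, so the pin should be revisited when the 3.5 target is dropped rather than left as a permanent fixture.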
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/hddtemp.if | 29 +++++++++++++++++++++++++++++
 policy/modules/services/hddtemp.te | 4 ++++
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
index 269bafd188..2cecebd4e3 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -19,6 +19,33 @@ interface(`hddtemp_domtrans',`
 domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
 ')
 
+########################################
+##
+## Execute hddtemp in the hddtemp domain, and
+## allow the specified role the hdd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`hddtemp_run',`
+ gen_require(`
+ type hddtemp_t;
+ ')
+
+ hddtemp_domtrans($1)
+ role $2 types hddtemp_t;
+')
+
+
 ######################################
 ##
 ## Execute hddtemp in the caller domain.
@@ -60,6 +87,8 @@ interface(`hddtemp_admin',`
 type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
 ')
 
+ hddtemp_run($1, $2)
+
 allow $1 hddtemp_t:process { ptrace signal_perms };
 ps_process_pattern($1, hddtemp_t)
 
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
index 35361704b3..9357031f9f 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -34,6 +34,8 @@ corenet_tcp_bind_generic_node(hddtemp_t)
 corenet_tcp_bind_hddtemp_port(hddtemp_t)
 corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
 
+domain_use_interactive_fds(hddtemp_t)
+
 files_search_etc(hddtemp_t)
 files_read_usr_files(hddtemp_t)
 
@@ -45,3 +47,5 @@ auth_use_nsswitch(hddtemp_t)
 
 logging_send_syslog_msg(hddtemp_t)
 miscfiles_read_localization(hddtemp_t)
+
+userdom_use_user_terminals(hddtemp_t)
From b85d3f673db87a5c6e45ba5feddd6d71d531f570 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 09:49:14 -0500
Subject: [PATCH 124/257] netutils: minor fixes for nmap and traceroute
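Review bot: The summary of the new `hddtemp_run` interface says `allow the specified role the hdd domain.` while the rule it adds is `role $2 types hddtemp_t;`, so the line should read `## allow the specified role the hddtemp domain.`. The interface is also followed by two added blank lines before the next header, where the neighbouring interfaces in this file use one. In the hddtemp_admin hunk, `hddtemp_run($1, $2)` means every role passed to hddtemp_admin now also gains hddtemp_t as a role type; that is the usual refpolicy admin pattern, but it is worth stating in the admin interface's summary if it is not already (the summary is outside this hunk).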
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/netutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 6ea9f176a8..564e28a9d7 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -36,6 +36,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { getcap setcap signal_perms };
+# netlink_generic_socket for nmap.
+allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
@@ -69,6 +71,8 @@ fs_getattr_xattr_fs(netutils_t)
 
 domain_use_interactive_fds(netutils_t)
 
+kernel_dontaudit_getattr_proc(netutils_t)
+
 files_read_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
@@ -154,6 +158,7 @@ optional_policy(`
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
+allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket { map create_socket_perms };
 allow traceroute_t self:udp_socket create_socket_perms;
From a6db7cb87f6e95f917d26c7a1efd709416c87a67 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 09:53:58 -0500
Subject: [PATCH 125/257] container: add rules required for metallb BGP speakers

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 458e392d98..534d6f4c58 100644
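Review bot: The `allow traceroute_t self:netlink_generic_socket create_socket_perms;` line in the third hunk carries no rationale, while the same rule for netutils_t in the first hunk is annotated `# netlink_generic_socket for nmap.`; `kernel_dontaudit_getattr_proc(netutils_t)` in the second hunk is uncommented as well. Generic netlink is a single object class covering every genl family the running kernel exposes, so a comment naming the tool and the feature that needs it (at minimum `# netlink_generic_socket for traceroute.`) is what a later audit will need to decide whether the grant is still warranted. The commit message says only "minor fixes", so the file is the only place this can be recorded.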
--- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain) corenet_udp_sendrecv_generic_node(container_net_domain) corenet_tcp_bind_generic_node(container_net_domain) corenet_udp_bind_generic_node(container_net_domain) +# for metallb BGP speakers +corenet_raw_bind_generic_node(container_net_domain) corenet_sendrecv_all_server_packets(container_net_domain) corenet_tcp_bind_all_ports(container_net_domain) @@ -456,6 +458,8 @@ files_read_kernel_modules(container_t) fs_mount_cgroup(container_t) fs_rw_cgroup_files(container_t) +# for metallb BGP speakers +fs_read_nsfs_files(container_t) kernel_read_vm_overcommit_sysctl(container_t) From d34dd9571e2ccd9d1243ec2a2d60155d0b046156 Mon Sep 17 00:00:00 2001 
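Review bot: `corenet_raw_bind_generic_node(container_net_domain)` in the first hunk is a grant on the whole attribute, so every container domain carrying container_net_domain gains raw-socket node_bind, not just the metallb BGP speaker the comment describes; `fs_read_nsfs_files(container_t)` in the second hunk likewise widens the generic container_t rather than a dedicated domain. If the policy has a narrower container type or a tunable for privileged networking, gating these there would leave ordinary containers' exposure unchanged; if the wide grant is deliberate, the comment should say so, e.g. `# for metallb BGP speakers; intentionally granted to all container_net_domain types`. Whether container_net_domain already holds rawip_socket create permissions cannot be seen from this hunk.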
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:27:48 -0500
Subject: [PATCH 126/257] filesystem, init: allow systemd to setattr on ramfs dirs

This is needed by systemd-creds on system boot. Without this access, many services fail to start. Observed on systemd-252 on Gentoo.

type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)"
type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1670295099.238:180306): avc: denied { setattr } for pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
 policy/modules/system/init.te | 2 ++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9dedaddd59..5a60fa3bb5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',`
 dontaudit $1 ramfs_t:dir search_dir_perms;
 ')
+########################################
+##
+## Set the attributes of directories on
+## a ramfs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_setattr_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir setattr;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 030b5f55d2..cb70d5ca64 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -472,6 +472,8 @@ ifdef(`init_systemd',`
 fs_create_pstore_dirs(init_t)
 # for network namespaces
 fs_read_nsfs_files(init_t)
+ # needed by systemd-creds
+ fs_setattr_ramfs_dirs(init_t)
 init_manage_all_unit_files(init_t)
 init_read_script_state(init_t)
From d96b591a70be46a8b07f7be3f7e8919cdae9003d Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:30:09 -0500
Subject: [PATCH 127/257] logging: allow domains sending syslog messages to connect to kernel unix stream sockets
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/logging.if | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index e6bdf9bfd4..8a4a05566b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -703,6 +703,7 @@ interface(`logging_send_syslog_msg',`
 allow syslogd_t $1:process signull;
 kernel_dgram_send($1)
+ kernel_stream_connect($1)
 ')
 ')
From e59404bd4439f07980c33fa12bf592a26676a677 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:35:24 -0500
Subject: [PATCH 128/257] init, sysadm: allow sysadm to manage systemd runtime units
On systemd 252, mount units generated from /etc/fstab result in services labeled init_runtime_t. Allow sysadm to manage these services.
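Review bot: `kernel_stream_connect($1)` in the logging.if hunk is added to `logging_send_syslog_msg` with no comment, so every domain that calls this interface now gets connectto on kernel_t unix stream sockets and a reader cannot tell why; the commit subject only restates the rule. The rationale should be recorded above the call, presumably that the syslog stream socket can be owned by kernel_t during early boot, e.g. `# the syslog stream socket may be created by kernel_t (early boot) -- confirm`. The enclosing interface and its optional_policy block start outside the hunk.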
Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te | 6 ++++
 policy/modules/system/init.if | 57 ++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fb34f94533..936381f250 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -82,6 +82,12 @@ ifndef(`enable_mls',`
 ')
 ifdef(`init_systemd',`
+ # Allow managing runtime units, for example mount units generated
+ # from /etc/fstab.
+ init_get_runtime_units_status(sysadm_t)
+ init_start_runtime_units(sysadm_t)
+ init_stop_runtime_units(sysadm_t)
+
 # Allow sysadm to resolve the username of dynamic users by calling
 # LookupDynamicUserByUID on org.freedesktop.systemd1.
 init_dbus_chat(sysadm_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 0726d70e46..53aca4b030 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3431,6 +3431,63 @@ interface(`init_reload_generic_units',`
 allow $1 systemd_unit_t:service reload;
 ')
+########################################
+##
+## Get the status of runtime systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_runtime_units_status',`
+ gen_require(`
+ type init_runtime_t;
+ class service status;
+ ')
+
+ allow $1 init_runtime_t:service status;
+')
+
+########################################
+##
+## Start runtime systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_start_runtime_units',`
+ gen_require(`
+ type init_runtime_t;
+ class service start;
+ ')
+
+ allow $1 init_runtime_t:service start;
+')
+
+########################################
+##
+## Stop runtime systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_stop_runtime_units',`
+ gen_require(`
+ type init_runtime_t;
+ class service stop;
+ ')
+
+ allow $1 init_runtime_t:service stop;
+')
+
 ########################################
 ##
 ## Get status of transient systemd units.
From 7662001300e93c3c14840deb6188b7d816f3dd51 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:45:43 -0500
Subject: [PATCH 129/257] podman: allow podman to stop systemd transient units
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/podman.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 5cc13da706..3d16e64d19 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -69,6 +69,7 @@ ifdef(`init_systemd',`
 # containers get created as systemd transient units
 init_get_transient_units_status(podman_t)
 init_start_transient_units(podman_t)
+ init_stop_transient_units(podman_t)
 # podman can read logs from containers which are
 # sent to the system journal
@@ -212,6 +213,7 @@ container_manage_engine_tmp_sock_files(podman_conmon_t)
 ifdef(`init_systemd',`
 init_get_transient_units_status(podman_conmon_t)
 init_start_transient_units(podman_conmon_t)
+ init_stop_transient_units(podman_conmon_t)
 init_start_system(podman_conmon_t)
 init_stop_system(podman_conmon_t)
 ')
From 810cc48197a9cc4606a5ec3ebdb0de7c37acc343 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:47:40 -0500
Subject: [PATCH 130/257] userdom: allow admin users to use tcpdiag netlink sockets
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ecc1a9112c..8c06366a9f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1343,6 +1343,7 @@ template(`userdom_admin_user_template',`
 allow $1_t self:cap_userns sys_ptrace;
 allow $1_t self:process { setexec setfscreate };
 allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+ allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 allow $1_t self:tun_socket create;
 # Set password information for other users.
 allow $1_t self:passwd { passwd chfn chsh };
From 22ece2b57e70d7534b2bd6e9004d06529fbb01d5 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:49:39 -0500
Subject: [PATCH 131/257] container: allow container admins the sysadm capability in user namespaces
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 55f8e4f3dd..8fd3832fb9 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -2518,7 +2518,7 @@ interface(`container_admin',`
 allow $1 container_engine_domain:process { ptrace signal_perms };
 ps_process_pattern($1, container_engine_domain)
- allow $1 self:cap_userns { kill sys_ptrace };
+ allow $1 self:cap_userns { kill sys_ptrace sys_admin };
 files_search_var_lib($1)
 admin_pattern($1, container_var_lib_t)
From 9290f196e78499f1bed7815f8d8cad7604f94500 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:55:27 -0500
Subject: [PATCH 132/257] postfix: allow postfix master to map data files
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/postfix.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index c828efc632..9c07697de9 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -207,7 +207,7 @@ allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
-allow postfix_master_t postfix_data_t:file manage_file_perms;
+allow postfix_master_t postfix_data_t:file mmap_manage_file_perms;
 allow postfix_master_t postfix_keytab_t:file read_file_perms;
From 52e90d4b49b90fbee3f554d865e636cf8e827b02 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:55:39 -0500
Subject: [PATCH 133/257] sasl: add filecon for /etc/sasl2 keytab
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/sasl.fc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
index 06ee9710ca..8165ee72ad 100644
--- a/policy/modules/services/sasl.fc
+++ b/policy/modules/services/sasl.fc
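Review bot: `sys_admin` is added to the `cap_userns` set of every caller of `container_admin` without a comment, and the commit message records no denial or operation that needs it; it is the broadest of the user-namespace capabilities, so the rule should carry its justification. A line above it such as `# sys_admin in user namespaces: needed for <operation> (record the AVC)` would let the next reviewer judge whether this belongs in the admin interface or in the engine domains. The enclosing interface starts outside the hunk.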
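Review bot: `mmap_manage_file_perms` is used in this postfix.te hunk (PATCH 132) but the permission set is only defined in `policy/support/obj_perm_sets.spt` by PATCH 134 ("obj_perm_sets: add mmap_manage_file_perms"), so the policy does not build at PATCH 132 or 133 and the series is not bisectable there. Reorder so the obj_perm_sets change precedes this commit, or fold the define into it.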
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+/etc/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_keytab_t,s0)
+
 /usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
 /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
From db8bf1ae3baa377616a61e1e1626c1ccb7d043f2 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 8 Dec 2022 09:27:51 -0500
Subject: [PATCH 134/257] obj_perm_sets: add mmap_manage_file_perms
Signed-off-by: Kenton Groombridge
---
 policy/support/obj_perm_sets.spt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e62863f6f3..b9cafaf4f6 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -167,6 +167,7 @@ define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
 define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`mmap_manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
From d38a21388f721ca77162ebfbf28d686c2668d24e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 12 Dec 2022 10:35:32 -0500
Subject: [PATCH 135/257] various: use mmap_manage_file_perms
Replace instances of manage_file_perms and map with mmap_manage_file_perms
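Review bot: `/etc/sasl2(/.*)?` labels the whole directory, and anything ever placed in it, as `saslauthd_keytab_t`, while the subject describes a keytab; on typical installs that directory also holds per-application SASL configuration, which would then be indistinguishable from key material (not visible on this page, so please confirm what your install keeps there). Either narrow the pattern to the keytab itself, e.g. `/etc/sasl2/.*\.keytab -- gen_context(system_u:object_r:saslauthd_keytab_t,s0)`, or give the type a name that says it covers the SASL configuration directory, since `sasl_read_keytab` in PATCH 136 grants read on this type under the keytab name.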
Signed-off-by: Kenton Groombridge --- policy/modules/admin/alsa.te | 2 +- policy/modules/admin/apt.if | 2 +- policy/modules/apps/mozilla.te | 2 +- policy/modules/apps/pulseaudio.if | 2 +- policy/modules/apps/pulseaudio.te | 2 +- policy/modules/services/aptcacher.te | 2 +- policy/modules/services/mailman.te | 8 ++++---- policy/modules/services/matrixd.te | 2 +- policy/modules/services/nsd.te | 2 +- policy/modules/services/postfix.te | 2 +- 10 files changed, 13 insertions(+), 13 deletions(-) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index e7f36e73c8..37d04a9e52 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -68,7 +68,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) -allow alsa_t alsa_tmpfs_t:file { manage_file_perms map }; +allow alsa_t alsa_tmpfs_t:file mmap_manage_file_perms; fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if index 6d5d3f33a8..5787e98045 100644 --- a/policy/modules/admin/apt.if +++ b/policy/modules/admin/apt.if @@ -191,7 +191,7 @@ interface(`apt_manage_cache',` files_search_var($1) allow $1 apt_var_cache_t:dir manage_dir_perms; - allow $1 apt_var_cache_t:file { manage_file_perms map }; + allow $1 apt_var_cache_t:file mmap_manage_file_perms; ') ######################################## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index ea19bf78c0..a26f9c8cba 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te 
@@ -86,7 +86,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; allow mozilla_t mozilla_plugin_t:fd use; allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }; +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file mmap_manage_file_perms; allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index b2d2f1d435..c7df8b8a70 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -45,7 +45,7 @@ template(`pulseaudio_role',` allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map }; + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { mmap_manage_file_perms relabel_file_perms }; allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index f41d235c18..0a5985da27 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te 
@@ -58,7 +58,7 @@ allow pulseaudio_t self:tcp_socket { accept listen }; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; -allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map }; +allow pulseaudio_t pulseaudio_home_t:file mmap_manage_file_perms; allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te index ac29c8728e..10a0e54e1b 100644 --- a/policy/modules/services/aptcacher.te +++ b/policy/modules/services/aptcacher.te @@ -51,7 +51,7 @@ allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms; allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms; allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms; -allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map }; +allow aptcacher_t aptcacher_cache_t:file mmap_manage_file_perms; allow aptcacher_t aptcacher_cache_t:lnk_file manage_lnk_file_perms; allow aptcacher_t aptcacher_lib_t:file map; diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index 97a000d272..fe52b6fd81 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -109,7 +109,7 @@ allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; allow mailman_cgi_t mailman_archive_t:file read_file_perms; allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; -allow mailman_cgi_t mailman_data_t:file { map manage_file_perms }; +allow mailman_cgi_t mailman_data_t:file mmap_manage_file_perms; allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; 
@@ -123,7 +123,7 @@ allow mailman_cgi_t mailman_runtime_t:file read_file_perms; allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms; fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) -allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; +allow mailman_cgi_t mailman_cgi_tmpfs_t:file mmap_manage_file_perms; kernel_read_net_sysctls(mailman_cgi_t) kernel_read_system_state(mailman_cgi_t) @@ -283,7 +283,7 @@ allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; allow mailman_queue_t mailman_archive_t:file manage_file_perms; allow mailman_queue_t mailman_data_t:dir rw_dir_perms; -allow mailman_queue_t mailman_data_t:file { map manage_file_perms }; +allow mailman_queue_t mailman_data_t:file mmap_manage_file_perms; allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; @@ -293,7 +293,7 @@ allow mailman_queue_t mailman_log_t:dir list_dir_perms; allow mailman_queue_t mailman_log_t:file manage_file_perms; fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file) -allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms }; +allow mailman_queue_t mailman_queue_tmpfs_t:file mmap_manage_file_perms; kernel_read_network_state(mailman_queue_t) kernel_read_system_state(mailman_queue_t) diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te index 394969cbc6..4ac31d9018 100644 --- a/policy/modules/services/matrixd.te +++ b/policy/modules/services/matrixd.te @@ -51,7 +51,7 @@ allow matrixd_t self:unix_dgram_socket create_socket_perms; # https://cffi.readthedocs.io/en/latest/using.html#callbacks allow matrixd_t self:process { getsched execmem }; -allow matrixd_t matrixd_tmp_t:file { manage_file_perms map }; +allow matrixd_t matrixd_tmp_t:file mmap_manage_file_perms; files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file) fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file) 
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te index 3cf2b363a3..ee161f791f 100644 --- a/policy/modules/services/nsd.te +++ b/policy/modules/services/nsd.te @@ -44,7 +44,7 @@ allow nsd_t nsd_conf_t:dir list_dir_perms; allow nsd_t nsd_conf_t:file read_file_perms; allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; -allow nsd_t nsd_db_t:file { manage_file_perms map }; +allow nsd_t nsd_db_t:file mmap_manage_file_perms; filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) manage_files_pattern(nsd_t, nsd_runtime_t, nsd_runtime_t) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 9c07697de9..c841902947 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -508,7 +508,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid allow postfix_map_t self:tcp_socket { accept listen }; allow postfix_map_t postfix_etc_t:dir manage_dir_perms; -allow postfix_map_t postfix_etc_t:file { manage_file_perms map }; +allow postfix_map_t postfix_etc_t:file mmap_manage_file_perms; allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) From 2354b4f1be4ad7364b43031c4e4fad4d66522e41 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 7 Dec 2022 11:00:03 -0500 Subject: [PATCH 136/257] postfix, sasl: allow postfix smtp daemon to read SASL keytab Signed-off-by: Kenton Groombridge --- policy/modules/services/postfix.te | 1 + policy/modules/services/sasl.if | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index c841902947..205f4ce2db 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -839,6 +839,7 @@ optional_policy(` optional_policy(` sasl_connect(postfix_smtpd_t) + sasl_read_keytab(postfix_smtpd_t) ') optional_policy(` 
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index e1e15648fa..87caf806ea 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -19,6 +19,25 @@ interface(`sasl_connect',`
 stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, saslauthd_t)
 ')
+########################################
+##
+## Read SASL keytab files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sasl_read_keytab',`
+ gen_require(`
+ type saslauthd_keytab_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
+')
+
 ########################################
 ##
 ## All of the rules required to
From a364dd4e2a06dcc14a4e58ce2f2f9cc4181abe29 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 11:14:47 -0500
Subject: [PATCH 137/257] various: fixes for libvirtd and systemd-machined
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/services/dbus.te | 1 +
 policy/modules/services/policykit.te | 2 ++
 policy/modules/services/virt.te | 15 ++++++++++++++-
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 policy/modules/system/systemd.te | 6 ++++++
 6 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2fa4b69561..4a573a4bf6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
 create_chr_files_pattern($1, device_t, urandom_device_t)
 ')
+########################################
+##
+## Set attributes on the urandom device (/dev/urandom).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_urand_dev',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
 ########################################
 ##
 ## Getattr generic the USB devices.
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index bc7e4d2118..a45cbc3d5c 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -236,6 +236,7 @@ optional_policy(`
 systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_connect_machined(system_dbusd_t)
 # for passing around terminal file handles for machinectl shell
 systemd_use_inherited_machined_ptys(system_dbusd_t)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 85aeb3bd4d..82e9d5557e 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -134,7 +134,9 @@ optional_policy(`
 optional_policy(`
 # for /run/systemd/machines
+ systemd_connect_machined(policykit_t)
 systemd_read_machines(policykit_t)
+ systemd_watch_machines_dirs(policykit_t)
 # for /run/systemd/seats/seat*
 systemd_read_logind_sessions_files(policykit_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 851c23c656..620ad84d03 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
 type virtlogd_t;
 type virtlogd_exec_t;
 init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+init_named_socket_activation(virtlogd_t, virt_runtime_t)
 type virtlogd_run_t;
 files_runtime_file(virtlogd_run_t)
@@ -451,6 +452,8 @@ tunable_policy(`virt_use_evdev',`
 allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
 dontaudit virtd_t self:capability { sys_module sys_ptrace };
+allow virtd_t self:capability2 { bpf perfmon };
+allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@@ -522,7 +525,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
 allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
+# relabel needed for qemu guest agent sockets
+allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -691,6 +695,15 @@ sysnet_domtrans_ifconfig(virtd_t)
 userdom_read_all_users_state(virtd_t)
+ifdef(`init_systemd',`
+ init_read_utmp(virtd_t)
+
+ systemd_dbus_chat_logind(virtd_t)
+
+ systemd_connect_machined(virtd_t)
+ systemd_dbus_chat_machined(virtd_t)
+')
+
 tunable_policy(`virt_use_fusefs',`
 fs_manage_fusefs_dirs(virtd_t)
 fs_manage_fusefs_files(virtd_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index df33315c8a..1dd302851d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
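Review bot: the new `allow virtd_t self:capability2 { bpf perfmon };` and `allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };` rules carry no comment, and a subject of "various: fixes" does not say which libvirt feature loads and runs BPF programs; that is a significant grant for a daemon and the reason should be recorded next to it. Presumably this is libvirt's cgroup v2 device controller, which is implemented with BPF programs -- please confirm against the denial and add e.g. `# BPF programs are used for the cgroup v2 devices controller`. If the denial does not show `prog_run`, trim the set to what was actually needed.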
@@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
 allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
+########################################
+##
+## Allow watching /run/systemd/machines
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_watch_machines_dirs',`
+ gen_require(`
+ type systemd_machined_runtime_t;
+ ')
+
+ allow $1 systemd_machined_runtime_t:dir watch;
+')
+
 ########################################
 ##
 ## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ef25974ac1..9f3770fc6b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -992,15 +992,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+kernel_getattr_proc(systemd_machined_t)
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 dev_getattr_fs(systemd_machined_t)
+dev_setattr_urand_dev(systemd_machined_t)
 files_read_etc_files(systemd_machined_t)
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
+fs_getattr_xattr_fs(systemd_machined_t)
 fs_read_nsfs_files(systemd_machined_t)
 selinux_getattr_fs(systemd_machined_t)
@@ -1015,6 +1018,9 @@ init_stop_system(systemd_machined_t)
 init_get_generic_units_status(systemd_machined_t)
 init_start_generic_units(systemd_machined_t)
 init_stop_generic_units(systemd_machined_t)
+init_get_transient_units_status(systemd_machined_t)
+init_start_transient_units(systemd_machined_t)
+init_stop_transient_units(systemd_machined_t)
 logging_send_syslog_msg(systemd_machined_t)
From 3d4e2deda57a640b46117916a48c187880363d60 Mon Sep 17 00:00:00 2001
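Review bot: `dev_setattr_urand_dev(systemd_machined_t)` in the systemd.te hunk is added without a comment, as are `kernel_getattr_proc` and `fs_getattr_xattr_fs`, and the commit message does not say which machinectl operation triggered them; setattr on /dev/urandom is unusual for a machine manager and is the one a future reader will question. A why-comment above that call, e.g. `# TODO: record which machined operation needs setattr on /dev/urandom`, or the actual reason if known, would make the grant reviewable.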
From: Corentin LABBE
Date: Wed, 30 Nov 2022 09:27:56 +0100
Subject: [PATCH 138/257] fstools: handle gentoo place for drivedb.h
On a gentoo-hardened+selinux, I got denial from fsadm_t reading var_t. This is due to smartctl trying to read /var/db/smartmontools/drivedb.h
Signed-off-by: Corentin LABBE
---
 policy/modules/system/fstools.fc | 4 ++++
 policy/modules/system/fstools.te | 9 +++++++++
 2 files changed, 13 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce440..63423802d5 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -108,6 +108,10 @@
 /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ifdef(`distro_gentoo',`
+/var/db/smartmontools(/.*)? gen_context(system_u:object_r:fsadm_db_t,s0)
+')
+
 /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
 /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 75da8a0a01..11211b6996 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -19,6 +19,11 @@ files_tmp_file(fsadm_tmp_t)
 type fsadm_run_t;
 files_runtime_file(fsadm_run_t)
+ifdef(`distro_gentoo',`
+type fsadm_db_t;
+files_type(fsadm_db_t)
+')
+
 type swapfile_t; # customizable
 files_type(swapfile_t)
@@ -55,6 +60,10 @@ allow fsadm_t fsadm_run_t:dir manage_dir_perms;
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_runtime_filetrans(fsadm_t, fsadm_run_t, dir)
+ifdef(`distro_gentoo',`
+manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
+')
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
From eca2a046383cd908470e633fd440f7ba82c7ee01 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 13 Dec 2022 10:06:06 -0500
Subject: [PATCH 139/257] fstools: Move lines.
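Review bot: `manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)` in the second fstools.te hunk grants create, write and unlink on the drive database, while the commit message only describes smartctl reading /var/db/smartmontools/drivedb.h and the quoted denial is a read. Unless a drivedb updater is also expected to run in fsadm_t, `read_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)` matches what was observed; if write access is intended, a comment saying which tool writes there would justify the wider pattern. PATCH 139 moves these lines without changing the permission set, so the same applies to its last hunk.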
Signed-off-by: Chris PeBenito
---
 policy/modules/system/fstools.te | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 11211b6996..3d5525cc45 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -19,14 +19,14 @@ files_tmp_file(fsadm_tmp_t)
 type fsadm_run_t;
 files_runtime_file(fsadm_run_t)
-ifdef(`distro_gentoo',`
-type fsadm_db_t;
-files_type(fsadm_db_t)
-')
-
 type swapfile_t; # customizable
 files_type(swapfile_t)
+ifdef(`distro_gentoo',`
+ type fsadm_db_t;
+ files_type(fsadm_db_t)
+')
+
 ########################################
 #
 # local policy
@@ -60,10 +60,6 @@ allow fsadm_t fsadm_run_t:dir manage_dir_perms;
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_runtime_filetrans(fsadm_t, fsadm_run_t, dir)
-ifdef(`distro_gentoo',`
-manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
-')
-
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
@@ -178,6 +174,10 @@ ifdef(`distro_debian',`
 term_dontaudit_use_unallocated_ttys(fsadm_t)
 ')
+ifdef(`distro_gentoo',`
+ manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
+')
+
 ifdef(`distro_redhat',`
 optional_policy(`
 unconfined_domain(fsadm_t)
From 43f3608f0e9fddd9fa8aeaab0b238886a21e1b98 Mon Sep 17 00:00:00 2001
From: Oleksii Miroshko
Date: Thu, 15 Dec 2022 09:05:28 +0100
Subject: [PATCH 140/257] Fix templates parsing in gentemplates.sh
Template definitions might have a whitespace after the comma, e.g. su_restricted_domain_template in /policy/modules/admin/su.if template(`su_restricted_domain_template', ` ... ') gentemplates.sh silently fails to parse it. This works unless 'set -e' is set, in which case the script fails non-silently. This commit adds support of whitespace after comma, which is a valid syntax.
Signed-off-by: Oleksii Miroshko
---
 support/gentemplates.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/support/gentemplates.sh b/support/gentemplates.sh
index 7f20505ee5..f28debd3db 100755
--- a/support/gentemplates.sh
+++ b/support/gentemplates.sh
@@ -57,6 +57,6 @@ fi
 for ifile in $(find ${SOURCEDIR} -type f -name '*.if'); do
 for interface in $(grep -E '^template\(' ${ifile} | sed -e 's:^template(`\([^'\'']*\)'\''\s*,\s*`:\1:g'); do
 # Generate the interface
- sed -n "/^template(\`${interface}',\`/,/^')/p" ${ifile} | grep -v "^template" | grep -v "^')" > ${TARGETDIR}/${interface}.iftemplate;
+ sed -n "/^template(\`${interface}',\s*\`/,/^')/p" ${ifile} | grep -v "^template" | grep -v "^')" > ${TARGETDIR}/${interface}.iftemplate;
 done
 done
From 207b09a656c2c3ac5c286d3f7eef085325e35408 Mon Sep 17 00:00:00 2001
From: Corentin LABBE
Date: Tue, 27 Dec 2022 21:27:08 +0100
Subject: [PATCH 141/257] mount: dbus interface must be optional
On gentoo, when emerging selinux-base-policy, the post install (loading policy) fail due to a missing type. This is due to mount.te using a dbus interface and the dbus module is not present. Fix this by setting the dbus interface as optional;
Signed-off-by: Corentin LABBE
---
 policy/modules/system/mount.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index c66c5ca8a7..bffc6b2f56 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -145,8 +145,6 @@ selinux_getattr_fs(mount_t)
 userdom_use_all_users_fds(mount_t)
-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
-
 ifdef(`distro_redhat',`
 optional_policy(`
 auth_read_pam_console_data(mount_t)
@@ -201,6 +199,10 @@ optional_policy(`
 container_getattr_fs(mount_t)
 ')
+optional_policy(`
+ dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
+')
+
 optional_policy(`
 glusterfs_domtrans_daemon(mount_t)
From 95db1dda8d60c66f5f4bb2cc4c7e25749ffc1124 Mon Sep 17 00:00:00 2001
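Review bot: the new sed range address still requires the closing quote to be immediately followed by the comma, whereas the extraction regex on the line above already tolerates whitespace on both sides (`'\''\s*,\s*\``); a template written with a space before the comma would be listed by the grep/sed pipeline but matched by no range, reproducing the silent empty output this commit fixes. Making the two patterns agree is a one-token change: ``sed -n "/^template(\`${interface}'\s*,\s*\`/,/^')/p"``. `\s` in a sed address is a GNU extension, which is consistent with the existing use on the preceding line but worth a comment if portability matters.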
From: Corentin LABBE Date: Tue, 3 Jan 2023 09:22:11 +0100 Subject: [PATCH 142/257] mcelog: add missing file context for triggers I got the following AVC: allow mcelog_t mcelog_etc_t:file execute; This is due to some triggers not being labeled bin_t -rwxr-xr-x. 1 root root system_u:object_r:bin_t 801 nov. 1 19:11 bus-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 1035 nov. 1 19:11 cache-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 1213 nov. 1 19:11 dimm-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 742 nov. 1 19:11 iomca-error-trigger -rw-r-----. 1 root root system_u:object_r:mcelog_etc_t 7415 nov. 1 19:11 mcelog.conf -rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1209 nov. 1 19:11 page-error-counter-replacement-trigger -rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1656 nov. 1 19:11 page-error-post-sync-soft-trigger -rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1640 nov. 1 19:11 page-error-pre-sync-soft-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 1308 nov. 1 19:11 page-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 1057 nov. 1 19:11 socket-memory-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 947 nov. 1 19:11 unknown-error-trigger Signed-off-by: Corentin LABBE --- policy/modules/kernel/corecommands.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 0c05c693d7..1f006131f3 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -54,7 +54,7 @@ ifdef(`distro_redhat',` /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/.*-trigger -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_redhat',`
From 42a038719c9c161bfc3b6d769548766344a2790e Mon Sep 17 00:00:00 2001
From: Corentin LABBE
Date: Mon, 26 Dec 2022 19:47:43 +0100
Subject: [PATCH 143/257] munin: add file context for common functions file
Some Munin plugins need to read the plugin.sh file providing common functions.
Signed-off-by: Corentin LABBE
---
 policy/modules/kernel/files.fc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index f6ff6b0790..1d2290c8af 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -209,6 +209,8 @@ HOME_ROOT/lost\+found/.* <>
 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
 /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:usr_t,s0)
+
 /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.* <>
From 31f6577765440c700acc6764e6fd83e13fab92e8 Mon Sep 17 00:00:00 2001
From: Corentin LABBE
Date: Fri, 16 Dec 2022 08:15:19 +0100
Subject: [PATCH 144/257] rsyslog: add label for /var/empty/dev/log
On gentoo, starting rsyslog give this: allow syslogd_t var_t:dir { add_name remove_name }; allow syslogd_t var_t:sock_file { create setattr unlink }; This is due to the following piece of code in configuration: """ Create an additional socket for the default chroot location (used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744) input(type="imuxsock" Socket="/var/empty/dev/log") """ So let's add correct label for this file
Signed-off-by: Corentin LABBE
---
 policy/modules/kernel/devices.fc | 4 ++++
 policy/modules/system/logging.fc | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 84427423cc..da21259b8c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
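Review bot: `/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:usr_t,s0)` is a munin-specific carve-out placed in the kernel `files` module; the label it overrides for the plugins directory is not visible here, but the munin module already owns munin types (munin.te in PATCH 145 references `munin_etc_t` and `munin_exec_t`), so the entry belongs in `policy/modules/services/munin.fc` next to the rule it overrides. Alternatively, grant the plugin domains read access to the file's existing type in munin.te, which keeps the policy for that directory in one place.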
@@ -236,3 +236,7 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') + +ifdef(`distro_gentoo',` +/var/empty/dev -d gen_context(system_u:object_r:device_t,s0) +') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 5681acb519..3b0dea51b3 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -68,6 +68,10 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') +ifdef(`distro_gentoo',` +/var/empty/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +') + /run/audit_events -s gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh) /run/audispd_events -s gen_context(system_u:object_r:audisp_runtime_t,mls_systemhigh) /run/auditd\.pid -- gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh) From e9a4a12023f0782bc6397f490cfd52cb23f197fe Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Mon, 26 Dec 2022 10:25:59 +0100 Subject: [PATCH 145/257] munin: disk-plugin: transition to fsadm smart_ plugin currently execute smartctl on the disk_munin_plugin_t domain. But lot of rules are still missing for a correct smartctl execution. Instead of duplicating most of all fsadm rules, it is easier to transition to the correct domain. Signed-off-by: Corentin LABBE --- policy/modules/services/munin.if | 17 +++++++++++++++++ policy/modules/services/munin.te | 6 +++--- policy/modules/system/fstools.te | 4 ++++ 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if index 9cf4cb20e1..de654d4ea2 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if 
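Review bot: The new `/var/empty/dev/log -s devlog_t` entry only fixes the on-disk label; a socket rsyslog creates at runtime takes its type from a file transition rule, not from file_contexts, so the denials quoted in the message (`var_t:sock_file create`) will reappear as `device_t:sock_file` unless syslogd_t has a filetrans into devlog_t for sockets created in device_t directories. Presumably the rule that handles /dev/log already does this for any device_t parent, which is worth confirming in logging.te before relying on the label alone. A one-line comment above the gentoo block, `# rsyslog imuxsock socket for the sshd privsep chroot`, would also record why a device directory lives under /var/empty.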
@@ -189,3 +189,20 @@ interface(`munin_admin',` admin_pattern($1, httpd_munin_content_t) ') + +######################################## +## +## Permit to read/write Munin TCP sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`munin_rw_tcp_sockets',` + gen_require(` + type munin_t; + ') + allow $1 munin_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te index 2e6b1542ad..9fc77c8e9c 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -52,8 +52,6 @@ munin_plugin_template(unconfined) allow munin_plugin_domain self:process signal; allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; -allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; - read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) allow munin_plugin_domain munin_exec_t:file read_file_perms; @@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain) miscfiles_read_localization(munin_plugin_domain) +munin_rw_tcp_sockets(munin_plugin_domain) + optional_policy(` nscd_use(munin_plugin_domain) ') @@ -260,7 +260,7 @@ optional_policy(` ') optional_policy(` - fstools_exec(disk_munin_plugin_t) + fstools_domtrans(disk_munin_plugin_t) ') #################################### diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 3d5525cc45..079aacad37 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -208,6 +208,10 @@ optional_policy(` modutils_read_module_deps(fsadm_t) ') +optional_policy(` + munin_rw_tcp_sockets(fsadm_t) +') + optional_policy(` nis_use_ypbind(fsadm_t) ') From fa7f795539d94254de2bf938c2f9a41e9d04410e Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 4 Jan 2023 14:32:19 -0500 Subject: [PATCH 146/257] munin: Move munin_rw_tcp_sockets() implementation. No rule changes. 
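Review bot: `fstools_domtrans(disk_munin_plugin_t)` in the munin.te hunk moves more than smartctl into fsadm_t: the transition fires for every binary carrying the fstools entrypoint type, so a compromised or misbehaving disk plugin can now run any filesystem tool with fsadm_t's raw-disk privileges, which is wider than the "smartctl rules are missing" rationale in the message. A comment at the call site, `# smartctl: run in fsadm_t instead of duplicating its rules`, would keep that trade-off visible; if the plugin set is not fully trusted, a dedicated smartctl domain would be the tighter fix. In the new `munin_rw_tcp_sockets()` body a blank line after the `gen_require` block would match the other interfaces in this series, and the summary could state that the sockets are inherited from munin_t, which appears to be how a plugin (and now fsadm_t) reaches them.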
Signed-off-by: Chris PeBenito --- policy/modules/services/munin.if | 34 ++++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if index de654d4ea2..b70f1ad91b 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -41,6 +41,23 @@ template(`munin_plugin_template',` files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) ') +######################################## +## +## Permit to read/write Munin TCP sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`munin_rw_tcp_sockets',` + gen_require(` + type munin_t; + ') + allow $1 munin_t:tcp_socket rw_socket_perms; +') + ######################################## ## ## Connect to munin over a unix domain @@ -189,20 +206,3 @@ interface(`munin_admin',` admin_pattern($1, httpd_munin_content_t) ') - -######################################## -## -## Permit to read/write Munin TCP sockets -## -## -## -## Domain allowed access. -## -## -# -interface(`munin_rw_tcp_sockets',` - gen_require(` - type munin_t; - ') - allow $1 munin_t:tcp_socket rw_socket_perms; -') From c9cdcc770454eeefae8ef1b6f0c648b1f4f4d770 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Wed, 28 Dec 2022 09:38:30 +0100 Subject: [PATCH 147/257] munin: add fc for munin-node plugin state Gentoo deploy munin-node plugin state in /var/lib/munin-node Signed-off-by: Corentin LABBE --- policy/modules/services/munin.fc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc index c24f24c605..ac91003501 100644 --- a/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc 
@@ -68,6 +68,10 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) +ifdef(`distro_gentoo',` +/var/lib/munin-node(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/lib/munin-node/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) +') /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) From 19da71e5c6d0d42a291ee2004e732dabf4d8cd5a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 6 Jan 2023 09:58:09 -0500 Subject: [PATCH 148/257] munin: Whitespace change. Signed-off-by: Chris PeBenito --- policy/modules/services/munin.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc index ac91003501..8773bd7406 100644 --- a/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc @@ -68,6 +68,7 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) + ifdef(`distro_gentoo',` /var/lib/munin-node(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/lib/munin-node/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) From 4e81910cce2ed9bc482afc45a6e6cb28d32bce78 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Mon, 9 Jan 2023 09:33:10 +0100 Subject: [PATCH 149/257] usermanage: permit groupadd to read kernel sysctl When using groupadd, I got some AVC due to groupadd reading /proc/sys/kernel/cap_last_cap Signed-off-by: Corentin LABBE --- policy/modules/admin/usermanage.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 2c9be9d0cc..7e71118c9f 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te 
@@ -227,6 +227,8 @@ files_relabel_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) +kernel_read_kernel_sysctls(groupadd_t) + # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. corecmd_exec_bin(groupadd_t) From a07dbbccf3362a4a1ff2d3ba8d1fd6b56ac1ac57 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 27 Jan 2021 15:07:34 -0500 Subject: [PATCH 150/257] portage: label eix cache as portage_cache_t Closes: https://github.com/perfinion/hardened-refpolicy/pull/10 Signed-off-by: Kenton Groombridge Signed-off-by: Jason Zaman --- policy/modules/admin/portage.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 0567dfdc5a..b2a1cf04d3 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -33,6 +33,7 @@ /var/cache/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) +/var/cache/eix(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) /var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0) /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) From 17f81aa065ca460dbe34b706f667bf7cca669240 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Tue, 10 Jan 2023 10:00:41 +0100 Subject: [PATCH 151/257] portage: Remove old binary location /usr/lib/portage/bin is not used anymore Signed-off-by: Corentin LABBE --- policy/modules/admin/portage.fc | 8 -------- 1 file changed, 8 deletions(-) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index b2a1cf04d3..0ba9688243 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc 
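Review bot: `kernel_read_kernel_sysctls(groupadd_t)` grants read access to every kernel sysctl although the message names a single file, /proc/sys/kernel/cap_last_cap; the run_init_t hunk in patch 158 has the same shape. If the policy offers a narrower interface for that file, prefer it; otherwise record the reason next to the call, `# /proc/sys/kernel/cap_last_cap (capability probing)`, so the broad grant is not later read as a real dependency on all of /proc/sys/kernel.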
@@ -10,14 +10,6 @@ /usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) -/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) From 51f52b56d73df17b4e7b0983476b928c24485a78 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Tue, 10 Jan 2023 10:04:15 +0100 Subject: [PATCH 152/257] portage: add go/hg source control files Add location on /usr/portage/ as portage_srcrepo_t for the mercurial and go sources. Signed-off-by: Corentin LABBE --- policy/modules/admin/portage.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 0ba9688243..a6b9549974 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc 
@@ -14,6 +14,8 @@ /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) From d7f25ea35b211c167666c2cad78fd6f7a3060c4e Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Tue, 10 Jan 2023 10:11:56 +0100 Subject: [PATCH 153/257] portage: add new location for portage commands There are missing lot of portage commands location, add them following the gentoo SELinux repo. Signed-off-by: Corentin LABBE --- policy/modules/admin/portage.fc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index a6b9549974..938dce4730 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc 
@@ -5,11 +5,17 @@ /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0) /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0) /usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) +/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) + /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) @@ -31,6 +37,7 @@ /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) /var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0) /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) +/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0) /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) /var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) From 868cc9f44048ec160b6da344a9c53e6caeda6197 Mon Sep 17 00:00:00 2001 
From: Corentin LABBE Date: Tue, 17 Jan 2023 07:25:35 +0100 Subject: [PATCH 154/257] portage: add missing go/hg context in new distfiles location go/hg source files context are added in old portage distfiles location, but are missing in new one. Signed-off-by: Corentin LABBE --- policy/modules/admin/portage.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 938dce4730..a042aff8bf 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -31,6 +31,8 @@ /var/cache/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/var/cache/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/var/cache/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) /var/cache/eix(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) From 6732acf8b74f1989cd241bd9a267482cb418c2f4 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Thu, 5 Jan 2023 16:42:10 +0100 Subject: [PATCH 155/257] mandb: permit to read inherited cron files Each night /etc/cron.daily/man-db generates some AVC: allow mandb_t system_cronjob_tmp_t:file { read write }; Add the necessary rules for it. Signed-off-by: Corentin LABBE --- policy/modules/apps/mandb.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/mandb.te b/policy/modules/apps/mandb.te index f136a90ae4..5dd7cf7a50 100644 --- a/policy/modules/apps/mandb.te +++ b/policy/modules/apps/mandb.te 
@@ -59,5 +59,6 @@ ifdef(`init_systemd',` ') optional_policy(` + cron_rw_inherited_system_job_tmp_files(mandb_t) cron_system_entry(mandb_t, mandb_exec_t) ') From b06c8a0a4c2dd103880b8a1ef3366e6cfbadf8d2 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Mon, 9 Jan 2023 09:45:55 +0100 Subject: [PATCH 156/257] selinuxutil: do not audit load_policy trying to use portage ptys Each time portage build and install a new SELinux policy I got the following AVC: allow load_policy_t portage_devpts_t:chr_file { read write }; Signed-off-by: Corentin LABBE --- policy/modules/admin/portage.if | 18 ++++++++++++++++++ policy/modules/system/selinuxutil.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 03dc99e026..54f90402ec 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -311,6 +311,24 @@ interface(`portage_dontaudit_use_fds',` dontaudit $1 portage_t:fd use; ') +######################################## +## +## Do not audit attempts to read and write inherited portage ptys. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_dontaudit_use_inherited_ptys',` + gen_require(` + type portage_devpts_t; + ') + + dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms; +') + ######################################## ## ## Do not audit attempts to search the diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index cfb0e2f19f..ef95c554ea 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -216,6 +216,7 @@ optional_policy(` optional_policy(` portage_dontaudit_use_fds(load_policy_t) + portage_dontaudit_use_inherited_ptys(load_policy_t) ') optional_policy(` From c1a352a615c3c365d7953a8a2fd65fdbad61e955 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 17 Jan 2023 08:36:58 -0500 Subject: [PATCH 157/257] systemd: Tmpfilesd can correct seusers on files. 
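Review bot: The parameter summary of the new `portage_dontaudit_use_inherited_ptys()` reads "Domain allowed access.", but the interface only adds a dontaudit rule and grants nothing; the dontaudit interface added later in this series (`sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets`) uses the conventional `Domain to not audit.`, and this one should match. The rule itself silences `rw_inherited_term_perms` on portage_devpts_t for load_policy_t, which fits the AVC in the message; if load_policy should genuinely write to the pty (e.g. to report errors to the emerge session), an allow would be the right fix instead of a dontaudit, which is worth stating in the interface description.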
Signed-off-by: Chris PeBenito --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 1b2a7c022c..5da67ea833 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1646,6 +1646,8 @@ dev_setattr_all_sysfs(systemd_tmpfiles_t) # /sys/module/kernel/parameters/crash_kexec_post_notifiers dev_write_sysfs(systemd_tmpfiles_t) +domain_obj_id_change_exemption(systemd_tmpfiles_t) + files_create_lock_dirs(systemd_tmpfiles_t) files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t) files_manage_all_runtime_dirs(systemd_tmpfiles_t) From 727fe91a40f520a8c607c023a837f3fe52ef1269 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Wed, 25 Jan 2023 21:33:13 +0100 Subject: [PATCH 158/257] selinuxutil: permit run_init to read kernel sysctl When restarting services with run_init, I got some AVC due to run_init reading /proc/sys/kernel/cap_last_cap Signed-off-by: Corentin LABBE --- policy/modules/system/selinuxutil.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index ef95c554ea..f9b7350813 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -450,6 +450,8 @@ init_spec_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) +kernel_read_kernel_sysctls(run_init_t) + logging_send_syslog_msg(run_init_t) miscfiles_read_localization(run_init_t) From a78f4ac1fb76e87b51907142ca62a259f748ef97 Mon Sep 17 00:00:00 2001 
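Review bot: `domain_obj_id_change_exemption(systemd_tmpfiles_t)` is a constraint exemption, not an ordinary allow: it lets the domain set the SELinux user (and role) on every object it is otherwise permitted to relabel, yet the hunk carries no comment and the commit title is the only record of why. Add the rationale in place, e.g. `# tmpfiles.d can correct the seuser of existing files, which the`/`# object identity constraint would otherwise block`, so a later audit of identity-changing domains can see that the grant is intentional and tied to tmpfiles.d configuration. Since tmpfiles.d files drive which paths get relabelled, that configuration should be treated as security-relevant in the same way as the policy itself.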
From: David Sommerseth Date: Fri, 27 Jan 2023 09:50:22 +0100 Subject: [PATCH 159/257] openvpn: Allow netlink genl OpenVPN 2.6 can use an OpenVPN specific kernel module to handle the VPN data channel. The communication via userspace and kernel space happens over a generic netlink interface. Without this access, the following denials can be found in the logs [...] denied { create } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket [...] denied { setopt } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket [...] denied { bind } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket [...] denied { getattr } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket Signed-off-by: David Sommerseth --- policy/modules/services/openvpn.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index be3642ec64..e97730fbd1 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -62,6 +62,7 @@ allow openvpn_t self:unix_stream_socket { accept connectto listen }; allow openvpn_t self:tcp_socket server_stream_socket_perms; allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow openvpn_t self:netlink_route_socket nlmsg_write; +allow openvpn_t self:netlink_generic_socket create_socket_perms; allow openvpn_t openvpn_etc_t:dir list_dir_perms; allow openvpn_t openvpn_etc_t:file read_file_perms; From 3bf53039ebc857b2816d1441305d2dba638e7b21 Mon Sep 17 00:00:00 2001 
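Review bot: The new `allow openvpn_t self:netlink_generic_socket create_socket_perms;` matches the create/setopt/bind/getattr denials quoted in the message, but nothing in openvpn.te will tell a reader why an OpenVPN daemon needs generic netlink. A short why-comment above the rule, `# generic netlink to the OpenVPN kernel data-channel module (OpenVPN 2.6)`, keeps the rationale with the rule rather than only in the commit message.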
From: Corentin LABBE Date: Wed, 4 Jan 2023 14:05:16 +0100 Subject: [PATCH 160/257] portage: add misc mising rules Add missing rules for portage I encountered while emerging or just calling gcc-config Signed-off-by: Corentin LABBE --- policy/modules/admin/portage.if | 2 +- policy/modules/admin/portage.te | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 03dc99e026..f4592154dd 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -262,7 +262,7 @@ interface(`portage_domtrans_gcc_config',` ') corecmd_search_bin($1) - domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) + nnp_domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) ') ######################################## diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 6a84e91136..b8a820fb39 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -87,6 +87,7 @@ files_tmpfs_file(portage_tmpfs_t) allow gcc_config_t self:capability { chown fsetid }; allow gcc_config_t self:fifo_file rw_fifo_file_perms; +allow gcc_config_t self:process getsched; manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) @@ -95,6 +96,8 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) allow gcc_config_t portage_ebuild_t:dir list_dir_perms; read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) +allow gcc_config_t portage_devpts_t:chr_file rw_inherited_term_perms; + allow gcc_config_t portage_exec_t:file mmap_exec_file_perms; kernel_read_system_state(gcc_config_t) @@ -104,6 +107,8 @@ corecmd_exec_shell(gcc_config_t) corecmd_exec_bin(gcc_config_t) corecmd_manage_bin_files(gcc_config_t) +dev_read_sysfs(gcc_config_t) + domain_use_interactive_fds(gcc_config_t) files_manage_etc_files(gcc_config_t) 
@@ -128,6 +133,8 @@ logging_send_syslog_msg(gcc_config_t) miscfiles_read_localization(gcc_config_t) +storage_getattr_fixed_disk_dev(gcc_config_t) + userdom_use_user_terminals(gcc_config_t) ifdef(`distro_gentoo',` @@ -255,7 +262,7 @@ allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_ allow portage_fetch_t portage_gpg_t:dir rw_dir_perms; allow portage_fetch_t portage_gpg_t:file manage_file_perms; -allow portage_fetch_t portage_tmp_t:dir manage_dir_perms; +allow portage_fetch_t portage_tmp_t:dir { manage_dir_perms watch }; allow portage_fetch_t portage_tmp_t:file manage_file_perms; allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms; @@ -349,6 +356,8 @@ dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write }; allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; logging_log_filetrans(portage_sandbox_t, portage_log_t, file) +allow portage_sandbox_t portage_tmp_t:dir watch; + portage_compile_domain(portage_sandbox_t) auth_use_nsswitch(portage_sandbox_t) From 1bca60bcd374ca509ed97573eb422df7b59d96e6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 7 Feb 2023 16:02:01 -0500 Subject: [PATCH 161/257] iscsi: Read initiatorname.iscsi. This is normally created by iscsi-init.service. Signed-off-by: Chris PeBenito --- policy/modules/system/iscsi.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index 171bfe85af..cf70f6d3fb 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te @@ -90,6 +90,8 @@ dev_rw_userio_dev(iscsid_t) domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) +files_read_etc_runtime_files(iscsid_t) + auth_use_nsswitch(iscsid_t) init_stream_connect_script(iscsid_t) From 307c617d4522f8f576b25015e72de1ec90218769 Mon Sep 17 00:00:00 2001 
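Review bot: `storage_getattr_fixed_disk_dev(gcc_config_t)` has no stated reason; gcc-config is a compiler-selection script, and a getattr on fixed disk device nodes looks like an incidental stat from a shell utility rather than a functional need, in which case the usual refpolicy answer is a `storage_dontaudit_getattr_fixed_disk_dev`-style dontaudit instead of a grant (hedged: I cannot see what triggered the AVC). If the access is really required, a comment naming the caller, `# <tool> stats the block device during <step>` with the actual tool filled in, should accompany it. The same "AVC without rationale" applies to `dev_read_sysfs(gcc_config_t)` and the inherited pty rule in the previous hunks of this patch; the `nnp_domtrans_pattern` switch in portage.if also widens when the transition is allowed (under NoNewPrivileges), which the interface's header comment outside the hunk should mention.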
From: Chris PeBenito Date: Tue, 7 Feb 2023 16:02:23 -0500 Subject: [PATCH 162/257] lvm: Add fc entry for /etc/multipath/* Signed-off-by: Chris PeBenito --- policy/modules/system/lvm.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 836a472f18..cb3742b666 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -15,6 +15,8 @@ /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + # # /usr # From 7ec913312b93000c03090898455c35e568195980 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 10 Feb 2023 13:30:56 -0500 Subject: [PATCH 163/257] container: add missing filetrans and filecon for containerd/docker Add a missing file transition for the docker socket in /run as well as a missing file context for /var/log/containerd. Thanks-to: zen_desu Signed-off-by: Kenton Groombridge --- policy/modules/services/container.fc | 1 + policy/modules/services/container.te | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc index 29a02b1d32..056aa60234 100644 --- a/policy/modules/services/container.fc +++ b/policy/modules/services/container.fc @@ -100,6 +100,7 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /var/lib/etcd(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/log/containerd(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/crio(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) 
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 534d6f4c58..15d1e8c881 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -747,7 +747,7 @@ allow container_engine_system_domain container_runtime_t:file { manage_file_perm allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -files_runtime_filetrans(container_engine_system_domain, container_runtime_t, { dir file }) +files_runtime_filetrans(container_engine_system_domain, container_runtime_t, { dir file sock_file }) allow container_engine_system_domain container_engine_cache_t:dir manage_dir_perms; allow container_engine_system_domain container_engine_cache_t:file manage_file_perms; From 105e623ee883586a70be6215659175b40f35b7b2 Mon Sep 17 00:00:00 2001 From: George Zenner Date: Fri, 10 Feb 2023 15:45:09 -0600 Subject: [PATCH 164/257] Signed-off-by: George Zenner modified: policy/modules/system/sysnetwork.if --- policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index e9619743d5..64c5d5b497 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
@@ -83,6 +83,25 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',` dontaudit $1 dhcpc_t:fd use; ') +######################################## +## +## Do not audit attempts to read/write to the +## dhcp unix datagram socket descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:unix_dgram_socket { read write }; +') + ######################################## ## ## Do not audit attempts to read/write to the From cbde619aaf0ef9997d7df2c0f3ba9f49d3e36fc3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 13 Feb 2023 09:38:00 -0500 Subject: [PATCH 165/257] sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets() Signed-off-by: Chris PeBenito --- policy/modules/system/sysnetwork.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 64c5d5b497..bc35493606 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -94,7 +94,7 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',` ## ## # -interface(`sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets',` +interface(`sysnet_dontaudit_rw_dhcpc_dgram_sockets',` gen_require(` type dhcpc_t; ') From bf11e1b229c5f040c9695dfee816e4e3c9b1c20e Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 24 Feb 2023 19:16:41 +0000 Subject: [PATCH 166/257] Set label systemd-oomd Feb 24 19:02:53 localhost audit[1664]: AVC avc: denied { write } for pid=1664 comm="systemd-oomd" path=2F6D656D66643A646174612D6664202864656C6574656429 dev="tmpfs" ino=2051 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 Needs to manage cgroups and kill processes, so make it init_exec_t Signed-off-by: Luca Boccassi --- policy/modules/system/init.fc | 1 + 1 file changed, 1 insertion(+) 
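Review bot: The summary of the new sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets() interface says "socket descriptors", but the rule it wraps is on the unix_dgram_socket class, not on fd use (that is what sysnet_dontaudit_use_dhcpc_fds() above it covers); suggest `## Do not audit attempts to read or write the dhcp client's unix datagram sockets.`. The commit has no subject beyond the sign-off line, so which denial this silences and which caller will use it is not recorded anywhere; a one-line subject and a caller in the same patch would make the dontaudit reviewable.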
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 1a99e58240..1c30256354 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -31,6 +31,7 @@ ifdef(`distro_gentoo',` /usr/lib/dracut/modules\.d/[^/]+/.*\.service -- gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) /usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/lib/systemd/systemd-oomd -- gen_context(system_u:object_r:init_exec_t,s0) /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0) From 3b1d4e715ea9e813402c242fb322ca5221b0e173 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 2 Mar 2023 18:59:16 +0800 Subject: [PATCH 167/257] systemd: add capability sys_resource to systemd_userdbd_t Fixes: avc: denied { sys_resource } for pid=316 comm="(sd-worker)" capability=24 scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:systemd_userdbd_t tclass=capability permissive=0 Signed-off-by: Yi Zhao --- policy/modules/system/systemd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 5da67ea833..a0165b914b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1863,7 +1863,7 @@ seutil_libselinux_linked(systemd_user_session_type) # systemd-userdbd local policy # -allow systemd_userdbd_t self:capability dac_read_search; +allow systemd_userdbd_t self:capability { dac_read_search sys_resource }; allow systemd_userdbd_t self:process signal; allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms; From 5e6fad9e4c0ae0ba6aca032366ca1d3b0d261fb0 Mon Sep 17 00:00:00 2001 
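Review bot: Labeling `/usr/lib/systemd/systemd-oomd` as init_exec_t means it runs without a domain transition in init_t, arguably the most privileged domain in the policy, whereas the other systemd helpers touched in this series (systemd_userdbd_t, systemd_sysctl_t, systemd_coredump_t) each have a confined domain; the AVC in the message shows it currently lands in initrc_t, so the relabel trades one broad domain for a broader one. Since the stated need is only cgroup management and killing processes, a dedicated domain with those rights would keep the OOM killer from inheriting init's full access. If init_exec_t is a deliberate choice, a comment on the line such as `# oomd manages cgroups and kills processes; deliberately runs as init_t` would at least document it.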
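Review bot: The sys_resource capability added on the `allow systemd_userdbd_t self:capability` line has no comment, and it is a fairly broad capability (it covers raising resource limits and several quota/overcommit overrides), while the AVC in the commit message shows it is the (sd-worker) child that trips it. A why-comment such as `# sys_resource: needed by the sd-worker child (see AVC in commit)` would keep the grant reviewable later; the exact operation behind the denial is not visible here and would be worth naming once confirmed.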
From: Yi Zhao Date: Thu, 2 Mar 2023 19:02:12 +0800 Subject: [PATCH 168/257] systemd: allow systemd-sysctl to search directories on ramfs Fixes: avc: denied { search } for pid=170 comm="systemd-sysctl" name="/" dev="ramfs" ino=14098 scontext=system_u:system_r:systemd_sysctl_t tcontext=system_u:object_r:ramfs_t tclass=dir permissive=0 Signed-off-by: Yi Zhao --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index a0165b914b..d8cae8c88f 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1574,6 +1574,7 @@ files_read_etc_files(systemd_sysctl_t) fs_getattr_all_fs(systemd_sysctl_t) fs_search_cgroup_dirs(systemd_sysctl_t) +fs_search_ramfs(systemd_sysctl_t) systemd_log_parse_environment(systemd_sysctl_t) From 0e1cc1e01ec3a4d6c6be82bfa62ece2d96d1ee18 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 2 Mar 2023 09:00:45 -0500 Subject: [PATCH 169/257] Define user_namespace object class. Signed-off-by: Chris PeBenito --- policy/flask/access_vectors | 5 +++++ policy/flask/security_classes | 2 ++ 2 files changed, 7 insertions(+) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 2219fb1972..a22b11a7e6 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -1072,3 +1072,8 @@ class io_uring override_creds sqpoll } + +class user_namespace +{ + create +} diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 636357899e..f187c590f1 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -203,4 +203,6 @@ class anon_inode class io_uring +class user_namespace + # FLASK From ffd80c42c9c4dc60f5712c35260d7c1807aa0559 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 2 Mar 2023 09:01:24 -0500 Subject: [PATCH 170/257] chromium: Allow user namespace creation. closes #600 
Signed-off-by: Chris PeBenito --- policy/modules/apps/chromium.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te index 2f85172f29..e0ec30722e 100644 --- a/policy/modules/apps/chromium.te +++ b/policy/modules/apps/chromium.te @@ -96,6 +96,7 @@ allow chromium_t self:file create; allow chromium_t self:fifo_file rw_fifo_file_perms; allow chromium_t self:sem create_sem_perms; allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; +allow chromium_t self:user_namespace create; # cap_userns sys_admin for the sandbox allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; From de41a207b991cd9d964ffafeb5a64c2ed3828034 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 2 Mar 2023 15:59:49 -0500 Subject: [PATCH 171/257] mozilla: Allow user namespace creation. Signed-off-by: Chris PeBenito --- policy/modules/apps/mozilla.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index a26f9c8cba..0730a57a93 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -76,6 +76,7 @@ xdg_cache_content(mozilla_xdg_cache_t) allow mozilla_t self:capability { setgid setuid sys_nice }; allow mozilla_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; allow mozilla_t self:process { sigkill signal setcap setsched getsched setrlimit }; +allow mozilla_t self:user_namespace create; allow mozilla_t self:fifo_file rw_fifo_file_perms; allow mozilla_t self:shm create_shm_perms; allow mozilla_t self:sem create_sem_perms; From e1a61993842288fec22bc1b2bffc07ca638f998a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 2 Mar 2023 16:00:13 -0500 Subject: [PATCH 172/257] systemd: Allow user namespace creation. Signed-off-by: Chris PeBenito --- policy/modules/system/init.te | 1 + policy/modules/system/systemd.te | 2 ++ 2 files changed, 3 insertions(+) 
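Review bot: The new `allow chromium_t self:user_namespace create;` line is placed above the `# cap_userns sys_admin for the sandbox` comment rather than with it, so the reason for granting user-namespace creation is not attached to the rule; moving it under that comment, or giving it its own `# unprivileged user namespaces for the sandbox`, would keep the sandbox-related permissions together. The same permission is added without a comment for mozilla_t in the next hunk, for init_t, systemd_coredump_t and systemd_nspawn_t in patch 172, and for container_engine_domain in patch 173. Because this class gates unprivileged user-namespace creation, which enlarges the kernel attack surface reachable from that domain, a one-line justification on each would help later audits decide whether the grant is still needed.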
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index cb70d5ca64..837946dfa7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -271,6 +271,7 @@ ifdef(`init_systemd',` allow init_t self:capability2 audit_read; allow init_t self:key { search setattr write }; allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; + allow init_t self:user_namespace create; dontaudit init_t self:process { dyntransition setcurrent }; # manage the capabilities granted to namespace processes diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 5da67ea833..7dcf61a3a0 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -429,6 +429,7 @@ ifdef(`enable_mls',` allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace }; allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace }; allow systemd_coredump_t self:process { getcap setcap setfscreate }; +allow systemd_coredump_t self:user_namespace create; allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt }; allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms; @@ -1179,6 +1180,7 @@ miscfiles_read_localization(systemd_notify_t) allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill }; allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; allow systemd_nspawn_t self:capability2 wake_alarm; +allow systemd_nspawn_t self:user_namespace create; allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms; From 313d8f46d6b965a05b38ff73286c1ac2aba9139f Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Tue, 7 Mar 2023 09:50:52 -0500 Subject: [PATCH 173/257] container: Allow user namespace creation for all container engines. Signed-off-by: Chris PeBenito --- policy/modules/services/container.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 15d1e8c881..343784643d 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -486,6 +486,7 @@ allow container_engine_domain self:cap_userns { audit_write chown dac_override d allow container_engine_domain self:cap2_userns { audit_read bpf block_suspend perfmon syslog wake_alarm }; allow container_engine_domain self:bpf { map_create map_read map_write prog_load prog_run }; allow container_engine_domain self:fd use; +allow container_engine_domain self:user_namespace create; allow container_engine_domain self:fifo_file manage_fifo_file_perms; allow container_engine_domain self:tcp_socket create_stream_socket_perms; allow container_engine_domain self:udp_socket create_socket_perms; From a25a1a3056903f585dd1f385a1b94a6c751539b5 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Wed, 4 Jan 2023 17:00:37 +0100 Subject: [PATCH 174/257] smartmon: allow smartd to read fsadm_db_t files On gentoo, smartd need to access fsadm_db_t files. Signed-off-by: Corentin LABBE --- policy/modules/services/smartmon.te | 3 +++ policy/modules/system/fstools.if | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index b5c1a40b1a..82bfa992d8 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -120,3 +120,6 @@ optional_policy(` seutil_sigchld_newrole(fsdaemon_t) ') +optional_policy(` + fstools_read_fsadm_db_files(fsdaemon_t) +') diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if index f994965af4..d82b4b2820 100644 
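Review bot: The commit message scopes the need for fstools_read_fsadm_db_files(fsdaemon_t) to Gentoo, but the call in the new optional_policy block is unconditional, so smartd on every distribution gains read access to fsadm_db_t files it apparently does not need. If the requirement really is Gentoo-specific, wrap the call in ifdef(`distro_gentoo',` ... ') as other distribution-specific rules in this policy are; otherwise the message should say why the access is general.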
--- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -264,3 +264,21 @@ interface(`fstools_manage_swap_files',` allow $1 swapfile_t:file manage_file_perms; ') + +######################################## +## +## Read fsadm_db_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_read_fsadm_db_files',` + gen_require(` + type fsadm_db_t; + ') + + read_files_pattern($1, fsadm_db_t, fsadm_db_t) +') From f27b6fcc5ecae1d3592348653231c3b9309c3164 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 24 Feb 2023 20:40:33 -0500 Subject: [PATCH 175/257] container, init, systemd: add policy for quadlet quadlet is a systemd generator provided by podman which generates runtime units from "template" container units. Signed-off-by: Kenton Groombridge --- policy/modules/services/container.if | 20 ++++++++++++++++++++ policy/modules/system/init.fc | 6 ++++++ policy/modules/system/systemd.fc | 2 ++ policy/modules/system/systemd.te | 7 ++++++- 4 files changed, 34 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index 8fd3832fb9..43e1ac0571 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -1073,6 +1073,26 @@ interface(`container_exec_plugins',` can_exec($1, container_plugin_t) ') +######################################## +## +## Allow the specified domain to +## search container config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_search_config',` + gen_require(` + type container_config_t; + ') + + files_search_etc($1) + allow $1 container_config_t:dir search_dir_perms; +') + ######################################## ## ## Allow the specified domain to diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 1c30256354..b7dba7fc84 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc 
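Review bot: The summary of the new fstools_read_fsadm_db_files() interface merely restates the type name, `Read fsadm_db_t files.`, which tells a caller nothing about what those files are; interface summaries elsewhere describe the object (compare `Manage symbolic links under /run/systemd/userdb.` later in this series). Suggest `## Read filesystem tool database files.` with the path if there is a canonical one. Note also that the interface grants no search access on the parent directory, so callers may additionally need the appropriate parent-directory search interface; where fsadm_db_t lives is not visible from here.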
@@ -19,6 +19,11 @@ ifdef(`distro_gentoo',` # /dev/initctl -p gen_context(system_u:object_r:initctl_t,s0) +# +# /etc +# +/etc/containers/systemd(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) + # # /usr # @@ -36,6 +41,7 @@ ifdef(`distro_gentoo',` /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) +/usr/share/containers/systemd(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_transient_unit_t,s0) /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 5a8572c0e2..e9714bffc0 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -21,6 +21,7 @@ /usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0) /usr/lib/systemd/user-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0) /usr/lib/systemd/user-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0) +/usr/libexec/podman/quadlet -- gen_context(system_u:object_r:systemd_generator_exec_t,s0) /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0) /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0) @@ -49,6 +50,7 @@ /usr/lib/systemd/systemd-userwork -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0) # Systemd unit files +HOME_DIR/\.config/containers/systemd(/.*)? gen_context(system_u:object_r:systemd_conf_home_t,s0) HOME_DIR/\.config/systemd(/.*)? gen_context(system_u:object_r:systemd_conf_home_t,s0) HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data_home_t,s0) 
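Review bot: The new `/etc/containers/systemd(/.*)?` and `/usr/share/containers/systemd(/.*)?` entries label quadlet's container definitions as systemd_unit_t, so every domain that may read or manage unit files can now also read or define containers, and vice versa; that is presumably the intent, since the generator must read them, but nothing on the fc lines says so. A comment such as `# podman quadlet container definitions, consumed by the quadlet generator` above each entry, and the same note on the new HOME_DIR/\.config/containers/systemd entry in systemd.fc, would record why non-unit inputs share the unit type. Since longest match wins in file contexts, these entries also take precedence over any broader /etc/containers entry, which is consistent with container_search_config() only needing search on the parent directory.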
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 1859de79fb..264c9ad81c 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -478,7 +478,7 @@ seutil_search_default_contexts(systemd_coredump_t) allow systemd_generator_t self:fifo_file rw_fifo_file_perms; allow systemd_generator_t self:capability { dac_override sys_admin }; -allow systemd_generator_t self:process setfscreate; +allow systemd_generator_t self:process { getsched setfscreate signal }; corecmd_exec_shell(systemd_generator_t) corecmd_exec_bin(systemd_generator_t) @@ -546,6 +546,11 @@ optional_policy(` cloudinit_getattr_state_files(systemd_generator_t) ') +optional_policy(` + # for quadlet to access /etc/containers/systemd + container_search_config(systemd_generator_t) +') + optional_policy(` fstools_exec(systemd_generator_t) ') From d2ec3ce6e42d3f287c3d43c420690fc57ae0f6c8 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 24 Feb 2023 20:44:28 -0500 Subject: [PATCH 176/257] container: fixes for podman 4.4.0 podman now creates a lock file in /run/containers and will fail to run if this is not allowed. Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 343784643d..c788faaae0 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -162,6 +162,9 @@ type container_engine_tmpfs_t; files_tmpfs_file(container_engine_tmpfs_t) container_mountpoint(container_engine_tmpfs_t) +type container_engine_lock_t; +files_lock_file(container_engine_lock_t) + type container_runtime_t; files_runtime_file(container_runtime_t) container_mountpoint(container_runtime_t) 
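Review bot: The change from `setfscreate` to `{ getsched setfscreate signal }` on systemd_generator_t's self:process rule has no comment, so unlike the optional_policy block below (`# for quadlet to access /etc/containers/systemd`) it is not clear that quadlet is what needs getsched and signal. If that is the trigger, `# getsched, signal: needed by the quadlet generator` on that line would record it; the grant applies to every generator sharing the domain, so naming the one that needs it matters.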
@@ -631,6 +634,10 @@ allow container_engine_domain container_engine_tmpfs_t:lnk_file { manage_lnk_fil allow container_engine_domain container_engine_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; fs_tmpfs_filetrans(container_engine_domain, container_engine_tmpfs_t, { dir file }) +manage_dirs_pattern(container_engine_domain, container_engine_lock_t, container_engine_lock_t) +manage_files_pattern(container_engine_domain, container_engine_lock_t, container_engine_lock_t) +files_lock_filetrans(container_engine_domain, container_engine_lock_t, { dir file }) + allow container_engine_domain container_file_t:dir { manage_dir_perms relabel_dir_perms }; allow container_engine_domain container_file_t:file { manage_file_perms relabel_file_perms exec_file_perms }; allow container_engine_domain container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; From 6894aaa796cc0f737a8ac705d49d9d9c5d265143 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 24 Feb 2023 20:46:36 -0500 Subject: [PATCH 177/257] container: fixes for podman run --log-driver=passthrough The --log-driver=passthrough argument is used by default for units generated by quadlet. Without this access, containers started through systemd in this way will not be able to send logs to the journal. Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index c788faaae0..5de421fc3c 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -304,6 +304,9 @@ clock_read_adjtime(container_domain) init_read_utmp(container_domain) init_dontaudit_write_utmp(container_domain) +# for podman run --log-driver=passthrough +init_rw_stream_sockets(container_domain) +init_use_fds(container_domain) libs_dontaudit_setattr_lib_files(container_domain) 
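Review bot: `files_lock_filetrans(container_engine_domain, container_engine_lock_t, { dir file })` is an unnamed transition, so every directory or file any engine domain creates in the generic lock directory becomes container_engine_lock_t, yet the commit message says the lock lives under /run/containers rather than /run/lock; if that is right, a transition from container_runtime_t (the type the first hunk shows for the engine's /run content) is the correct hook, and if it really is /run/lock, passing the lock's file name as the name argument (assuming files_lock_filetrans accepts one like the other filetrans interfaces) would scope it. Separately, the container_engine_lock_t type declared in the first hunk has no accompanying .fc entry, so restorecon or a relabel cannot reproduce the label and only the transition keeps it correct; adding the path to container.fc would close that gap.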
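Review bot: `init_rw_stream_sockets(container_domain)` and `init_use_fds(container_domain)` apply to the container_domain attribute, i.e. to every container rather than to the engines, so each container may read and write any init_t unix stream socket it holds a descriptor for; presumably that is limited to sockets inherited from systemd, which is what journal passthrough relies on, but the one-line comment does not say so. Expanding it to `# --log-driver=passthrough: containers inherit systemd's journal stream socket and fds` would make the scope clear, and if logging only needs write, a narrower grant would keep containers from reading from init's sockets.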
From eaf9f15d357c981e01621b574cb148a74297934b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 2 Mar 2023 01:45:33 -0500 Subject: [PATCH 178/257] node_exporter: various fixes Signed-off-by: Kenton Groombridge --- policy/modules/services/node_exporter.te | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/node_exporter.te b/policy/modules/services/node_exporter.te index 7b74a3278d..80968d1055 100644 --- a/policy/modules/services/node_exporter.te +++ b/policy/modules/services/node_exporter.te @@ -25,7 +25,7 @@ logging_log_file(node_exporter_log_t) allow node_exporter_t self:fifo_file rw_fifo_file_perms; allow node_exporter_t self:process { getsched signal }; -allow node_exporter_t self:netlink_route_socket r_netlink_socket_perms; +allow node_exporter_t self:netlink_route_socket create_netlink_socket_perms; allow node_exporter_t self:tcp_socket create_stream_socket_perms; allow node_exporter_t self:udp_socket create_socket_perms; @@ -47,6 +47,10 @@ corenet_tcp_bind_generic_node(node_exporter_t) dev_read_sysfs(node_exporter_t) +files_dontaudit_search_all_dirs(node_exporter_t) +# to read /etc/os-release +files_read_etc_files(node_exporter_t) + fs_getattr_all_fs(node_exporter_t) init_read_state(node_exporter_t) @@ -58,6 +62,9 @@ kernel_read_network_state(node_exporter_t) kernel_read_software_raid_state(node_exporter_t) kernel_read_system_state(node_exporter_t) +# to read udev state data +udev_read_runtime_files(node_exporter_t) + ifdef(`init_systemd',` dbus_system_bus_client(node_exporter_t) From 1aab07e154d8bdc187762dbfb92d5a20cbd73d83 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 2 Mar 2023 01:46:39 -0500 Subject: [PATCH 179/257] redis: add missing rules for runtime filetrans Signed-off-by: Kenton Groombridge --- policy/modules/services/redis.te | 2 ++ 1 file changed, 2 insertions(+) 
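Review bot: `files_dontaudit_search_all_dirs(node_exporter_t)` in the second hunk silences search denials on every directory type in the policy without saying which walk triggers them; a blanket dontaudit hides exactly the denials a defender would want to see if the exporter ever starts probing outside its collectors, so either a comment naming the offending paths or a targeted dontaudit/allow on those types would be preferable. The first hunk likewise widens `self:netlink_route_socket` from r_netlink_socket_perms to create_netlink_socket_perms without saying which collector now opens its own socket; the `# to read /etc/os-release` and `# to read udev state data` comments on the other additions are the right model.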
diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te index 923caac7c4..3ac378f9d5 100644 --- a/policy/modules/services/redis.te +++ b/policy/modules/services/redis.te @@ -49,6 +49,8 @@ files_search_var_lib(redis_t) manage_dirs_pattern(redis_t, redis_runtime_t, redis_runtime_t) manage_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) manage_lnk_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) +manage_sock_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) +files_runtime_filetrans(redis_t, redis_runtime_t, { dir file lnk_file sock_file }) kernel_read_net_sysctls(redis_t) kernel_read_system_state(redis_t) From 181077dd47693b85b124fd0a25298687919464bd Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 2 Mar 2023 01:54:51 -0500 Subject: [PATCH 180/257] podman, selinux: move lines, add missing rules for --network=host Signed-off-by: Kenton Groombridge --- policy/modules/kernel/selinux.if | 37 +++++++++++++++++++++++++++++++ policy/modules/services/podman.te | 10 ++++++--- 2 files changed, 44 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 19ffa640f9..51767f7f05 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -200,6 +200,25 @@ interface(`selinux_dontaudit_getattr_fs',` dev_dontaudit_search_sysfs($1) ') +######################################## +## +## Get the attributes of the selinuxfs +## directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`selinux_getattr_dirs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir getattr; +') + ######################################## ## ## Do not audit attempts to get the 
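Review bot: The parameter description of the new selinux_getattr_dirs() interface reads `Domain to not audit.`, copied from the dontaudit interfaces around it, but the body is an allow rule; it should read `## Domain allowed access.` as the selinux_mounton_dirs() interface in the next hunk does. The summary could also name the mount point, e.g. `## Get the attributes of the selinuxfs directory (/sys/fs/selinux).`, since the only caller added here is podman for host networking and that context is otherwise lost.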
@@ -276,6 +295,24 @@ interface(`selinux_dontaudit_read_fs',` dontaudit $1 security_t:file read_file_perms; ') +######################################## +## +## Mount on the selinuxfs directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_mounton_dirs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir mounton; +') + ######################################## ## ## Allows the caller to get the mode of policy enforcement diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te index 3d16e64d19..d929bb2535 100644 --- a/policy/modules/services/podman.te +++ b/policy/modules/services/podman.te @@ -39,9 +39,9 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t) allow podman_t podman_conmon_t:process setsched; -# podman creates OCI networking configs and will -# remove them when running podman system reset -container_manage_config_files(podman_t) +# for --network=host +selinux_getattr_dirs(podman_t) +selinux_mounton_dirs(podman_t) logging_send_syslog_msg(podman_t) @@ -51,6 +51,10 @@ userdom_list_user_home_content(podman_t) userdom_relabel_generic_user_home_dirs(podman_t) userdom_relabel_generic_user_home_files(podman_t) +# podman creates OCI networking configs and will +# remove them when running podman system reset +container_manage_config_files(podman_t) + # when run by root, podman will fail to start if # /root/.config/containers is not readable container_config_home_filetrans(podman_t, dir) From 1d8b309808ac16cde1b81220f32e6624b3204285 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 2 Mar 2023 01:58:15 -0500 Subject: [PATCH 181/257] netutils: fixes for iftop Signed-off-by: Kenton Groombridge --- policy/modules/admin/netutils.fc | 1 + policy/modules/admin/netutils.te | 2 ++ 2 files changed, 3 insertions(+) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 13bd901ce3..4ef6719d91 100644 --- a/policy/modules/admin/netutils.fc 
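Review bot: selinux_mounton_dirs() grants `mounton` on the selinuxfs directory, which lets the caller hide or replace the policy interface seen by processes under that mount, and in podman.te it is enabled under the bare comment `# for --network=host`, which does not say what is mounted or why host networking needs it. Suggest expanding that comment to describe the operation (presumably podman masking /sys/fs/selinux inside a container that shares the host namespaces — confirm), so a later reviewer can judge whether the mounton grant is still required rather than just the getattr.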
+++ b/policy/modules/admin/netutils.fc @@ -15,6 +15,7 @@ /usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/sbin/iftop -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/sbin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 564e28a9d7..541d8c384f 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -74,6 +74,8 @@ domain_use_interactive_fds(netutils_t) kernel_dontaudit_getattr_proc(netutils_t) files_read_etc_files(netutils_t) +# for iftop to read terminfo files +files_read_usr_files(netutils_t) # for nscd files_dontaudit_search_var(netutils_t) From 214149b63727f84055fb265cf78f2469346dc327 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 2 Mar 2023 02:01:22 -0500 Subject: [PATCH 182/257] kernel, zfs: add filetrans for kernel creating zpool cache file Signed-off-by: Kenton Groombridge --- policy/modules/kernel/kernel.te | 1 + policy/modules/services/zfs.if | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index b47fa6e04e..31c5e8a2a9 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -508,6 +508,7 @@ optional_policy(` ') optional_policy(` + zfs_filetrans_zpool_cache(kernel_t) zfs_rw_zpool_cache(kernel_t) ') diff --git a/policy/modules/services/zfs.if b/policy/modules/services/zfs.if index ce9f43e66d..1b2841be95 100644 --- a/policy/modules/services/zfs.if +++ b/policy/modules/services/zfs.if 
@@ -104,6 +104,26 @@ interface(`zfs_read_config',` read_lnk_files_pattern($1, zfs_config_t, zfs_config_t) ') +######################################## +## +## Create the zpool cache with an +## automatic transition to the zpool +## cache type. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_filetrans_zpool_cache',` + gen_require(` + type zfs_config_t, zfs_zpool_cache_t; + ') + + filetrans_pattern($1, zfs_config_t, zfs_zpool_cache_t, file, "zpool.cache") +') + ######################################## ## ## Read and write zpool cache files. From 18c1eeb654f370b2e0cc6e7713c17a96b9d4f778 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 2 Mar 2023 02:04:40 -0500 Subject: [PATCH 183/257] zfs: allow sending signals to itself Required for zfs snapshot. Signed-off-by: Kenton Groombridge --- policy/modules/services/zfs.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te index ebe389e05a..bba7871362 100644 --- a/policy/modules/services/zfs.te +++ b/policy/modules/services/zfs.te @@ -76,7 +76,7 @@ zfs_rw_zpool_cache(zed_t) # zfs local policy # -allow zfs_t self:process { getsched signull }; +allow zfs_t self:process { getsched signal signull }; allow zfs_t self:capability { sys_admin sys_rawio }; allow zfs_t self:fifo_file rw_fifo_file_perms; From 011aadef165964ec78c7683f9f205ba44ecee9cd Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 5 Mar 2023 18:03:34 -0500 Subject: [PATCH 184/257] zfs: add runtime filetrans for dirs Needed by zfs recv. Signed-off-by: Kenton Groombridge --- policy/modules/services/zfs.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te index bba7871362..ed1ae77ba7 100644 --- a/policy/modules/services/zfs.te +++ b/policy/modules/services/zfs.te 
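Review bot: zfs_filetrans_zpool_cache() only sets up the transition (filetrans_pattern grants write on the zfs_config_t directory plus the type_transition), so a caller still needs create permission on zfs_zpool_cache_t:file for the file to be created with that label; the kernel.te hunk pairs it only with zfs_rw_zpool_cache(), which by its name grants read/write rather than create. kernel_t may well have create through another rule, but unless it does, creation will still be denied. Either make the interface self-sufficient with a `create_files_pattern($1, zfs_config_t, zfs_zpool_cache_t)` line, or state in the summary that create permission must be granted separately.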
@@ -85,7 +85,7 @@ read_files_pattern(zfs_t, zfs_config_t, zfs_config_t) read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t) manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t) -files_runtime_filetrans(zfs_t, zfs_runtime_t, file) +files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file }) # to execute scripts in /usr/libexec/zfs corecmd_exec_bin(zfs_t) From 064a66c509b1e7f48a887d642df975a91d058b18 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 10:13:06 -0500 Subject: [PATCH 185/257] init: make init_runtime_t useable for systemd units Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 837946dfa7..64268bd111 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -74,6 +74,7 @@ optional_policy(` type init_runtime_t alias init_var_run_t; files_runtime_file(init_runtime_t) init_mountpoint(init_runtime_t) +init_unit_file(init_runtime_t) # # init_var_lib_t is the type for /var/lib/systemd. From 079de3d496c0cc18dbd82ff6f0f3e7b47993cd2f Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 10:14:55 -0500 Subject: [PATCH 186/257] various: make /etc/machine-id etc_runtime_t This file is updated at boot by systemd. Signed-off-by: Kenton Groombridge --- policy/modules/kernel/files.fc | 1 + policy/modules/services/dbus.te | 2 ++ policy/modules/system/systemd.te | 6 ++++++ 3 files changed, 9 insertions(+) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 1d2290c8af..9a6f9d2d44 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc 
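Review bot: The transition at `files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file })` now covers directories, but the only zfs_runtime_t rule visible in the hunk is manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t); unless a directory rule exists outside the hunk, zfs recv will get the transition but still be denied creating the directory. Add `manage_dirs_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)` beside the files rule if no such rule already exists.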
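Review bot: `init_unit_file(init_runtime_t)` makes the whole init runtime type a unit-file type, so every interface that operates on all unit files (read, manage, and the systemd ones that start or stop them) now also covers everything under the init runtime directory, including sockets and state that have nothing to do with units; the commit message only says the type should be usable for systemd units without naming which units live there. If the need is a specific subdirectory, the existing systemd_transient_unit_t used for `/run/systemd/transient` in the init.fc hunk of patch 175, or a new dedicated type, would avoid widening what "all unit files" means. At minimum a comment on the line should name the units this enables.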
@@ -53,6 +53,7 @@ ifdef(`distro_suse',` /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) +/etc/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index a45cbc3d5c..4c6e5d7f13 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -191,6 +191,8 @@ ifdef(`init_systemd', ` dev_rw_dri(system_dbusd_t) dev_rw_input_dev(system_dbusd_t) + files_read_etc_runtime_files(system_dbusd_t) + # for /run/systemd/dynamic-uid/ init_list_runtime(system_dbusd_t) init_read_runtime_symlinks(system_dbusd_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 264c9ad81c..44a12932f2 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -489,6 +489,7 @@ dev_write_sysfs_dirs(systemd_generator_t) dev_read_urand(systemd_generator_t) files_read_etc_files(systemd_generator_t) +files_read_etc_runtime_files(systemd_generator_t) files_search_runtime(systemd_generator_t) files_list_boot(systemd_generator_t) files_read_boot_files(systemd_generator_t) @@ -853,6 +854,7 @@ dev_setattr_video_dev(systemd_logind_t) domain_obj_id_change_exemption(systemd_logind_t) +files_read_etc_runtime_files(systemd_logind_t) files_search_runtime(systemd_logind_t) # Getattr all shm segments as part of cleaning up the # segments of deleted ephemeral users. 
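Review bot: Relabeling `/etc/machine-id` to etc_runtime_t (presumably from the default etc type) changes which domains can read it: anything that only has files_read_etc_files() will start being denied, and the machine id is read by nearly every systemd-linked program through sd_id128_get_machine() or similar, while this commit adds files_read_etc_runtime_files() only to system_dbusd_t, systemd_generator_t, systemd_logind_t, systemd_networkd_t and systemd_pcrphase_t. Before this lands it would be worth checking other readers (journald and other systemd helpers in this file, for instance — confirm), or stating in the message that denials elsewhere are expected and will be fixed as found. A comment on the fc line, `# rewritten at boot by systemd, hence the runtime type`, would also explain the choice.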
@@ -1113,6 +1115,7 @@ dev_read_sysfs(systemd_networkd_t) dev_write_kmsg(systemd_networkd_t) files_read_etc_files(systemd_networkd_t) +files_read_etc_runtime_files(systemd_networkd_t) files_watch_runtime_dirs(systemd_networkd_t) files_watch_root_dirs(systemd_networkd_t) files_list_runtime(systemd_networkd_t) @@ -1388,6 +1391,9 @@ dontaudit systemd_pcrphase_t self:capability net_admin; dev_rw_tpm(systemd_pcrphase_t) dev_write_kmsg(systemd_pcrphase_t) +# read /etc/machine-id +files_read_etc_runtime_files(systemd_pcrphase_t) + fs_read_efivarfs_files(systemd_pcrphase_t) fs_getattr_cgroup(systemd_pcrphase_t) fs_search_cgroup_dirs(systemd_pcrphase_t) From 9af88f2bf714d0772d3692402ebdae3a702f8c7d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 10:25:29 -0500 Subject: [PATCH 187/257] init, systemd: allow init to create userdb runtime symlinks At boot, systemd-init will create symlinks in /run/systemd/userdb. This fixes these AVCs: avc: denied { create } for pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0 avc: denied { create } for pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 1 + policy/modules/system/systemd.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 64268bd111..8a137c7072 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -534,6 +534,7 @@ ifdef(`init_systemd',` systemd_rw_networkd_netlink_route_sockets(init_t) systemd_manage_userdb_runtime_sock_files(init_t) systemd_manage_userdb_runtime_dirs(init_t) + systemd_manage_userdb_runtime_symlinks(init_t) systemd_filetrans_userdb_runtime_dirs(init_t) systemd_stream_connect_userdb(init_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 1dd302851d..a903282f01 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -1402,6 +1402,24 @@ interface(`systemd_read_userdb_runtime_files', ` read_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) ') +######################################## +## +## Manage symbolic links under /run/systemd/userdb. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_userdb_runtime_symlinks', ` + gen_require(` + type systemd_userdbd_runtime_t; + ') + + manage_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +') + ######################################## ## ## Manage socket files under /run/systemd/userdb . From 5ad60847c6c12b491bb24a142dd4b8001c17e202 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 11:23:23 -0500 Subject: [PATCH 188/257] init: allow initrc_t to getcap Many AVCs are observed on a systemd system and various services. Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8a137c7072..082da0e4e5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -699,7 +699,7 @@ optional_policy(` # Init script local policy # -allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; +allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; allow initrc_t self:capability2 { wake_alarm block_suspend }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this From d1593345df051ed1571c23dd48fd5212e531a2bb Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 11:22:38 -0500 Subject: [PATCH 189/257] systemd: allow systemd-userdbd to getcap Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 44a12932f2..61d2764092 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1878,7 +1878,7 @@ seutil_libselinux_linked(systemd_user_session_type) # allow systemd_userdbd_t self:capability { dac_read_search sys_resource }; -allow systemd_userdbd_t self:process signal; +allow systemd_userdbd_t self:process { getcap signal }; allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms; stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t) From dea2090ac3b3d621e25010c81690b078b7d80f74 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 10:40:53 -0500 Subject: [PATCH 190/257] logging: allow systemd-journald to list cgroups Signed-off-by: Kenton Groombridge --- policy/modules/system/logging.te | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index abd61e6bd7..4b6d6dbefd 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -548,6 +548,8 @@ ifdef(`init_systemd',` domain_getattr_all_domains(syslogd_t) domain_read_all_domains_state(syslogd_t) + fs_list_cgroup_dirs(syslogd_t) + init_create_runtime_dirs(syslogd_t) init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd") init_getattr(syslogd_t) From 02e558be0f546a05571d8ce0dc01dc65c963267a Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 13:18:41 -0500 Subject: [PATCH 191/257] fs, udev: allow systemd-udevd various cgroup perms Needed for systemd-udevd to create files under /sys/fs/cgroup/system.slice/systemd-udevd.service/udev Signed-off-by: Kenton Groombridge --- policy/modules/kernel/filesystem.if | 40 ++++++++++++++++++++++++++++- policy/modules/system/udev.te | 6 ++++- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5a60fa3bb5..a9bff72074 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',` interface(`fs_search_cgroup_dirs',` gen_require(` type cgroup_t; - ') search_dirs_pattern($1, cgroup_t, cgroup_t) @@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', ` dev_search_sysfs($1) ') +######################################## +## +## Create cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_dirs',` + gen_require(` + type cgroup_t; + ') + + create_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + ######################################## ## ## Delete cgroup directories. 
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',` dev_search_sysfs($1) ') +######################################## +## +## Create cgroup files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + create_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + ######################################## ## ## Watch cgroup files. diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index c86fa6d4d1..90a71239e1 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -261,7 +261,11 @@ ifdef(`distro_redhat',` ifdef(`init_systemd',` files_search_kernel_modules(udev_t) - fs_read_cgroup_files(udev_t) + # systemd-udev creates cgroup files under + # /sys/fs/cgroup/system.slice/systemd-udevd.service/udev + fs_create_cgroup_dirs(udev_t) + fs_create_cgroup_files(udev_t) + fs_rw_cgroup_files(udev_t) init_dgram_send(udev_t) init_get_generic_units_status(udev_t) From eed80c888c9c5cc434a0004d3a502d36aa71feba Mon Sep 17 00:00:00 2001 
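Review bot: The new `fs_create_cgroup_files` interface has an empty line inside its gen_require block, between `type cgroup_t;` and the closing `')`, which is exactly the stray line the first hunk of this patch removes from `fs_search_cgroup_dirs`. Drop it so the block matches `fs_create_cgroup_dirs` added in the preceding hunk.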
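Review bot: Replacing `fs_read_cgroup_files(udev_t)` with create dirs/files plus `fs_rw_cgroup_files(udev_t)` gives udev_t write access to every cgroup_t control file in the hierarchy, not just its own `.../systemd-udevd.service/udev` subtree, because cgroup_t is a single type for the whole mount; the comment should state that limitation, e.g. `# cgroup_t covers the whole hierarchy; udevd only needs its own service subtree`. Read access is not regressed, since fs_rw_cgroup_files (visible in patch 206) also carries the symlink read the old interface gave. cgroupfs does not let user space create regular files, so if the observed denials were only dir create and file write, `fs_create_cgroup_files(udev_t)` may be granting a permission that can never succeed; confirm it is exercised before keeping it.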
From: Kenton Groombridge Date: Mon, 6 Mar 2023 13:23:11 -0500 Subject: [PATCH 192/257] logging, systemd: allow relabelfrom,relabelto on systemd journal files by systemd-journald journald's journal-offline will relabel log files. It should be noted however that this happens even if the files already have the correct label. avc: granted { relabelfrom } for pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0 avc: granted { relabelto } for pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/system/logging.te | 2 ++ policy/modules/system/systemd.if | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 4b6d6dbefd..1dd4813d1d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -566,6 +566,8 @@ ifdef(`init_systemd',` systemd_manage_journal_files(syslogd_t) systemd_watch_journal_dirs(syslogd_t) + systemd_relabelfrom_journal_files(syslogd_t) + systemd_relabelto_journal_files(syslogd_t) udev_read_runtime_files(syslogd_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index a903282f01..77a59c6621 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
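Review bot: logging.te now calls both `systemd_relabelfrom_journal_files(syslogd_t)` and `systemd_relabelto_journal_files(syslogd_t)`, but the systemd.if part of this patch (18 added lines per the diffstat and the @@ -1775 hunk) defines only the relabelfrom interface, so the build depends on systemd_relabelto_journal_files already existing, which the hunk context does not show; please confirm or add it in the same patch. Both interfaces target systemd_journal_t alone, so this is a same-type relabel that cannot move files into or out of the journal type, which is worth saying in a comment above the two calls given the commit message's remark that the relabel happens even when the label is already correct.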
@@ -1775,6 +1775,24 @@ interface(`systemd_watch_journal_dirs',` allow $1 systemd_journal_t:dir watch; ') +######################################## +## +## Relabel from systemd-journald file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_relabelfrom_journal_files',` + gen_require(` + type systemd_journal_t; + ') + + allow $1 systemd_journal_t:file relabelfrom_file_perms; +') + ######################################## ## ## Relabel to systemd-journald directory type. From 716f47dbd5ed4a314157c1368df0a7073acfce7b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 13:37:02 -0500 Subject: [PATCH 193/257] files, systemd: allow systemd-tmpfiles to relabel config file symlinks Signed-off-by: Kenton Groombridge --- policy/modules/kernel/files.if | 19 +++++++++++++++++++ policy/modules/system/systemd.te | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index c386d19dc2..cdd19e82c2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1711,6 +1711,25 @@ interface(`files_dontaudit_relabel_config_files',` dontaudit $1 configfile:file relabel_file_perms; ') +####################################### +## +## Relabel configuration symlinks. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabel_config_symlinks',` + gen_require(` + attribute configfile; + ') + + relabel_lnk_files_pattern($1, configfile, configfile) +') + ######################################## ## ## Mount a filesystem on all mount points. diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 61d2764092..c398d76b85 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
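Review bot: The comment banner above `files_relabel_config_symlinks` is one `#` shorter than the 40-column banners of the neighbouring interfaces, and its parameter block carries an extra empty `##` line before the closing `#`; the same two deviations appear in `fs_setattr_efivarfs_files` in patch 196. Match the surrounding header style so the interface documentation stays uniform.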
@@ -1677,8 +1677,9 @@ files_manage_all_locks(systemd_tmpfiles_t) files_purge_tmp(systemd_tmpfiles_t) files_read_etc_files(systemd_tmpfiles_t) files_read_etc_runtime_files(systemd_tmpfiles_t) -files_relabel_config_files(systemd_tmpfiles_t) files_relabel_config_dirs(systemd_tmpfiles_t) +files_relabel_config_files(systemd_tmpfiles_t) +files_relabel_config_symlinks(systemd_tmpfiles_t) files_relabel_all_locks(systemd_tmpfiles_t) files_relabel_all_runtime_dirs(systemd_tmpfiles_t) files_relabel_all_tmp_dirs(systemd_tmpfiles_t) From 20fbb550b749cbf6fe2ebc22004299f412ecbbd6 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 18:20:57 -0500 Subject: [PATCH 194/257] systemd: add rules for systemd-zram-generator Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index c398d76b85..40fee715ae 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -477,8 +477,8 @@ seutil_search_default_contexts(systemd_coredump_t) # allow systemd_generator_t self:fifo_file rw_fifo_file_perms; -allow systemd_generator_t self:capability { dac_override sys_admin }; -allow systemd_generator_t self:process { getsched setfscreate signal }; +allow systemd_generator_t self:capability { dac_override sys_admin sys_resource }; +allow systemd_generator_t self:process { getcap getsched setfscreate signal }; corecmd_exec_shell(systemd_generator_t) corecmd_exec_bin(systemd_generator_t) @@ -487,6 +487,8 @@ dev_read_sysfs(systemd_generator_t) dev_write_kmsg(systemd_generator_t) dev_write_sysfs_dirs(systemd_generator_t) dev_read_urand(systemd_generator_t) +dev_create_sysfs_files(systemd_generator_t) +dev_write_sysfs(systemd_generator_t) files_read_etc_files(systemd_generator_t) files_read_etc_runtime_files(systemd_generator_t) 
@@ -522,7 +524,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t) # Where an unlabeled mountpoint is encounted: kernel_dontaudit_search_unlabeled(systemd_generator_t) -storage_raw_read_fixed_disk(systemd_generator_t) +# write for systemd-zram-generator +storage_raw_rw_fixed_disk(systemd_generator_t) storage_raw_read_removable_device(systemd_generator_t) # needed to resolve hostnames for NFS mounts From 48af8ca656480f8c831c6b68204a3d5bc2c08360 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 19:17:03 -0500 Subject: [PATCH 195/257] systemd: allow systemd-pcrphase to read generic certs Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 40fee715ae..3bfbf0592d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1409,6 +1409,8 @@ init_read_state(systemd_pcrphase_t) logging_send_syslog_msg(systemd_pcrphase_t) +miscfiles_read_generic_certs(systemd_pcrphase_t) + ######################################### # # systemd-pstore local policy From 104e2014ea4dcae8a6d2d39c295a17e81ac9b6df Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 19:19:51 -0500 Subject: [PATCH 196/257] fs, init: allow systemd-init to set the attributes of efivarfs files avc: denied { setattr } for pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/kernel/filesystem.if | 20 ++++++++++++++++++++ policy/modules/system/init.te | 1 + 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index a9bff72074..bf4484297e 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
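Review bot: `storage_raw_rw_fixed_disk(systemd_generator_t)` grants raw write to fixed disks to every generator that runs in systemd_generator_t, not only systemd-zram-generator, and the @@ -477 hunk of the same patch also adds sys_resource, getcap, `dev_create_sysfs_files` and `dev_write_sysfs` to that shared early-boot domain, so a bug in any generator now has far more reach. A dedicated domain for zram-generator, with its own entrypoint type and a transition from the generator domain, would contain the raw-disk write; failing that, wrap these rules in an `optional_policy` or a tunable and extend the comment, e.g. `# systemd-zram-generator sets up zram block devices; all generators share this domain`.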
@@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',` read_files_pattern($1, efivarfs_t, efivarfs_t) ') +####################################### +## +## Set the attributes of files in efivarfs +## - contains Linux Kernel configuration options for UEFI systems +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + setattr_files_pattern($1, efivarfs_t, efivarfs_t) +') + ######################################## ## ## Create, read, write, and delete files diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 082da0e4e5..20944ee559 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -463,6 +463,7 @@ ifdef(`init_systemd',` fs_relabel_tmpfs_chr_files(init_t) fs_relabel_tmpfs_fifo_files(init_t) fs_read_efivarfs_files(init_t) + fs_setattr_efivarfs_files(init_t) # for privatetmp functions fs_relabel_tmpfs_dirs(init_t) fs_relabel_tmpfs_files(init_t) From 930711027750bb056a7692e3966d806d9b69a330 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 19:46:45 -0500 Subject: [PATCH 197/257] init: allow systemd-init to set the attributes of unallocated terminals type=AVC msg=audit(1678150061.367:292): avc: denied { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 20944ee559..fffb04ccb5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -542,6 +542,7 @@ ifdef(`init_systemd',` term_create_devpts_dirs(init_t) term_create_ptmx(init_t) term_create_controlling_term(init_t) + term_setattr_unallocated_ttys(init_t) term_watch_unallocated_ttys(init_t) term_watch_reads_unallocated_ttys(init_t) From 5b0aa89da7a4a9577cb535a2ea396f6205972f4d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 20:04:08 -0500 Subject: [PATCH 198/257] systemd: allow systemd-resolved to bind to UDP port 5353 Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 3bfbf0592d..117d8e8095 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1491,6 +1491,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t) corenet_udp_bind_generic_node(systemd_resolved_t) corenet_udp_bind_dns_port(systemd_resolved_t) corenet_udp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_howl_port(systemd_resolved_t) selinux_use_status_page(systemd_resolved_t) From edef7a84699f615b9b8b5a467ac0196784fedd44 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 19:15:24 -0500 Subject: [PATCH 199/257] init: allow initrc_t to create netlink_kobject_uevent_sockets Needed by rdma-rdd, which is automatically started by udev when an RDMA device with a node description is present. Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index fffb04ccb5..1b6bbefb92 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -705,6 +705,7 @@ allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; allow initrc_t self:capability2 { wake_alarm block_suspend }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this +allow initrc_t self:netlink_kobject_uevent_socket create_socket_perms; # needed by rdma-ndd allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; From 69e6c33c4671589daa98afc19e76f2726ce249bd Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 10:28:22 -0500 Subject: [PATCH 200/257] raid: allow mdadm to read udev runtime files This fixes this AVC: avc: denied { getattr } for pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/system/raid.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 5d44696cf7..bd0c4bb857 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -85,6 +85,8 @@ logging_send_syslog_msg(mdadm_t) miscfiles_read_localization(mdadm_t) +udev_read_runtime_files(mdadm_t) + userdom_use_user_terminals(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) From 6ad1768065b47b4b17d2403dd13a1609a0bd37f5 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 10:33:07 -0500 Subject: [PATCH 201/257] raid: allow mdadm to create generic links in /dev/md 
Signed-off-by: Kenton Groombridge --- policy/modules/system/raid.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index bd0c4bb857..e10e318504 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -54,6 +54,8 @@ dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) dev_read_realtime_clock(mdadm_t) +# create links in /dev/md +dev_create_generic_symlinks(mdadm_t) domain_use_interactive_fds(mdadm_t) From 228e8e3f153906e9f370cf293a067d8f194bb5ed Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 Mar 2023 19:12:16 -0500 Subject: [PATCH 202/257] fstools: allow fsadm to read utab Signed-off-by: Kenton Groombridge --- policy/modules/system/fstools.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 079aacad37..0e3a989677 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -164,7 +164,7 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) # for /run/mount/utab -mount_getattr_runtime_files(fsadm_t) +mount_read_runtime_files(fsadm_t) seutil_read_config(fsadm_t) From bf546e4c4f95601298d53f3be743a3bbbee329b0 Mon Sep 17 00:00:00 2001 
From: Kenton Groombridge Date: Mon, 6 Mar 2023 20:21:54 -0500 Subject: [PATCH 203/257] glusterfs: allow glusterd to bind to all TCP unreserved ports Port 32767 seems to be needed by glfs_timer type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null) type=AVC msg=audit(1678151692.991:193): avc: denied { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/services/glusterfs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te index d9c77d3846..fe80b732a8 100644 --- a/policy/modules/services/glusterfs.te +++ b/policy/modules/services/glusterfs.te @@ -108,6 +108,7 @@ corenet_tcp_connect_glusterd_port(glusterd_t) # Too coarse? corenet_sendrecv_all_server_packets(glusterd_t) corenet_tcp_bind_all_reserved_ports(glusterd_t) +corenet_tcp_bind_all_unreserved_ports(glusterd_t) corenet_udp_bind_all_rpc_ports(glusterd_t) corenet_udp_bind_ipp_port(glusterd_t) From 9b4e8bd875f95101e1307de75f59d6c479645d85 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Wed, 8 Mar 2023 13:19:36 -0500 Subject: [PATCH 204/257] kubernetes: allow kubelet to read etc runtime files To read /etc/machine-id. Signed-off-by: Kenton Groombridge --- policy/modules/services/kubernetes.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index b89ffb1bc9..e9d8fcdd2f 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te 
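Review bot: `corenet_tcp_bind_all_unreserved_ports(glusterd_t)` lets glusterd bind any unreserved TCP port to satisfy one observed denial on 32767, and it lands directly under an existing `# Too coarse?` remark that this change makes more true. If glfs_timer uses a fixed port, defining it in corenetwork with a `network_port` entry and binding only that type keeps glusterd from being able to take ports that belong to other services; if the port is genuinely dynamic, `corenet_tcp_bind_generic_port` plus a comment naming the 32767 source is the narrower choice.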
@@ -240,6 +240,8 @@ files_search_mnt(kubelet_t) files_read_kernel_symbol_table(kubelet_t) # read /usr/share/mime/globs2 files_read_usr_files(kubelet_t) +# read /etc/machine-id +files_read_etc_runtime_files(kubelet_t) fs_getattr_tmpfs(kubelet_t) fs_search_tmpfs(kubelet_t) From c75a32f2be222b8439fa02fa9c00b2baa93d913b Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 15 Mar 2023 10:57:55 +0800 Subject: [PATCH 205/257] systemd: allow systemd-resolved to search directories on tmpfs and ramfs Fixes: avc: denied { search } for pid=233 comm="systemd-resolve" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 avc: denied { search } for pid=233 comm="systemd-resolve" name="/" dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1 Signed-off-by: Yi Zhao --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 117d8e8095..ee8119cf30 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1503,6 +1503,8 @@ files_list_runtime(systemd_resolved_t) fs_getattr_all_fs(systemd_resolved_t) fs_search_cgroup_dirs(systemd_resolved_t) +fs_search_tmpfs(systemd_resolved_t) +fs_search_ramfs(systemd_resolved_t) init_dgram_send(systemd_resolved_t) From 6dd2c3bcd1c4147fb6bbcc16327c48b709d2528e Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Wed, 15 Mar 2023 20:39:28 +0000 Subject: [PATCH 206/257] Add separate label for cgroup's memory.pressure files Required to enable notifications on memory pressure events, need to write to the file to start receiving them. This will be used by all systemd daemons, and eventually external daemons that subscribe to the same interface too. See: https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md 
Signed-off-by: Luca Boccassi --- policy/modules/kernel/filesystem.if | 129 +++++++++++++++++++--------- policy/modules/kernel/filesystem.te | 8 ++ policy/modules/system/init.te | 9 ++ 3 files changed, 105 insertions(+), 41 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index bf4484297e..b3b5dfcc49 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -725,10 +725,10 @@ interface(`fs_manage_bpf_files',` # interface(`fs_mount_cgroup', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - allow $1 cgroup_t:filesystem mount; + allow $1 cgroup_types:filesystem mount; ') ######################################## @@ -743,10 +743,10 @@ interface(`fs_mount_cgroup', ` # interface(`fs_remount_cgroup', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - allow $1 cgroup_t:filesystem remount; + allow $1 cgroup_types:filesystem remount; ') ######################################## @@ -761,10 +761,10 @@ interface(`fs_remount_cgroup', ` # interface(`fs_unmount_cgroup', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - allow $1 cgroup_t:filesystem unmount; + allow $1 cgroup_types:filesystem unmount; ') ######################################## @@ -779,10 +779,10 @@ interface(`fs_unmount_cgroup', ` # interface(`fs_getattr_cgroup',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - allow $1 cgroup_t:filesystem getattr; + allow $1 cgroup_types:filesystem getattr; ') ######################################## @@ -797,10 +797,10 @@ interface(`fs_getattr_cgroup',` # interface(`fs_search_cgroup_dirs',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - search_dirs_pattern($1, cgroup_t, cgroup_t) + search_dirs_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') 
@@ -816,10 +816,10 @@ interface(`fs_search_cgroup_dirs',` # interface(`fs_list_cgroup_dirs', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - list_dirs_pattern($1, cgroup_t, cgroup_t) + list_dirs_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') @@ -873,10 +873,10 @@ interface(`fs_create_cgroup_dirs',` # interface(`fs_delete_cgroup_dirs', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - delete_dirs_pattern($1, cgroup_t, cgroup_t) + delete_dirs_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') @@ -892,11 +892,11 @@ interface(`fs_delete_cgroup_dirs', ` # interface(`fs_manage_cgroup_dirs',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - manage_dirs_pattern($1, cgroup_t, cgroup_t) + manage_dirs_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') @@ -912,10 +912,10 @@ interface(`fs_manage_cgroup_dirs',` # interface(`fs_relabel_cgroup_dirs',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - relabel_dirs_pattern($1, cgroup_t, cgroup_t) + relabel_dirs_pattern($1, cgroup_types, cgroup_types) ') ######################################## @@ -930,10 +930,10 @@ interface(`fs_relabel_cgroup_dirs',` # interface(`fs_getattr_cgroup_files',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - getattr_files_pattern($1, cgroup_t, cgroup_t) + getattr_files_pattern($1, cgroup_types, cgroup_types) fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -950,12 +950,12 @@ interface(`fs_getattr_cgroup_files',` # interface(`fs_read_cgroup_files',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - read_files_pattern($1, cgroup_t, cgroup_t) - read_lnk_files_pattern($1, cgroup_t, cgroup_t) + read_files_pattern($1, cgroup_types, cgroup_types) + read_lnk_files_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') 
@@ -991,11 +991,11 @@ interface(`fs_create_cgroup_files',` # interface(`fs_watch_cgroup_files',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - allow $1 cgroup_t:file watch; + allow $1 cgroup_types:file watch; ') ######################################## @@ -1010,11 +1010,11 @@ interface(`fs_watch_cgroup_files',` # interface(`fs_create_cgroup_links',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - create_lnk_files_pattern($1, cgroup_t, cgroup_t) - rw_lnk_files_pattern($1, cgroup_t, cgroup_t) + create_lnk_files_pattern($1, cgroup_types, cgroup_types) + rw_lnk_files_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') @@ -1030,10 +1030,10 @@ interface(`fs_create_cgroup_links',` # interface(`fs_write_cgroup_files', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - write_files_pattern($1, cgroup_t, cgroup_t) + write_files_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') @@ -1049,11 +1049,11 @@ interface(`fs_write_cgroup_files', ` # interface(`fs_rw_cgroup_files',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - rw_files_pattern($1, cgroup_t, cgroup_t) - read_lnk_files_pattern($1, cgroup_t, cgroup_t) + rw_files_pattern($1, cgroup_types, cgroup_types) + read_lnk_files_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') @@ -1071,10 +1071,10 @@ interface(`fs_rw_cgroup_files',` # interface(`fs_dontaudit_rw_cgroup_files',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - dontaudit $1 cgroup_t:file rw_file_perms; + dontaudit $1 cgroup_types:file rw_file_perms; ') ######################################## @@ -1089,11 +1089,11 @@ interface(`fs_dontaudit_rw_cgroup_files',` # interface(`fs_manage_cgroup_files',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - manage_files_pattern($1, cgroup_t, cgroup_t) + manage_files_pattern($1, cgroup_types, cgroup_types) dev_search_sysfs($1) ') 
@@ -1109,10 +1109,10 @@ interface(`fs_manage_cgroup_files',` # interface(`fs_relabel_cgroup_symlinks',` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - relabel_lnk_files_pattern($1, cgroup_t, cgroup_t) + relabel_lnk_files_pattern($1, cgroup_types, cgroup_types) ') ######################################## @@ -1145,10 +1145,10 @@ interface(`fs_watch_cgroup_dirs', ` # interface(`fs_mounton_cgroup', ` gen_require(` - type cgroup_t; + attribute cgroup_types; ') - allow $1 cgroup_t:dir mounton; + allow $1 cgroup_types:dir mounton; ') ######################################## @@ -1187,6 +1187,53 @@ interface(`fs_cgroup_filetrans',` dev_search_sysfs($1) ') +######################################## +## +## Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`fs_cgroup_filetrans_memory_pressure',` + gen_require(` + type memory_pressure_t; + ') + + fs_cgroup_filetrans($1, memory_pressure_t, $2, $3) +') + +######################################## +## +## Allow managing a cgroup's memory.pressure file to get notifications +## +## +## +## Source domain +## +## +# +interface(`fs_watch_memory_pressure',` + gen_require(` + type memory_pressure_t; + ') + + allow $1 memory_pressure_t:file { rw_file_perms setattr }; +') + ######################################## ## ## Do not audit attempts to read diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index c56678135b..67aa29ed9f 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te 
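Review bot: `fs_watch_memory_pressure` grants `{ rw_file_perms setattr }` on memory_pressure_t, which is read/write plus attribute changes and not the `watch` permission its name implies, so the name, the summary ("Allow managing ...") and the body disagree; rename it in the style of the surrounding interfaces, e.g. `fs_rw_memory_pressure_files`, or grant `watch` if that is what was intended. The parameter description `Source domain` also departs from the `Domain allowed access.` wording used everywhere else in this file.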
@@ -86,12 +86,20 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) +attribute cgroup_types; type cgroup_t; +typeattribute cgroup_t cgroup_types; fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) +# When running under systemd, the cgroup file memory.pressure will have this +# separate label, to allow unprivileged process to access it without accessing +# the rest of the cgroup tree. +type memory_pressure_t; +typeattribute memory_pressure_t cgroup_types; +dev_associate_sysfs(memory_pressure_t) type configfs_t; fs_type(configfs_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 1b6bbefb92..38d0c25389 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1171,6 +1171,15 @@ ifdef(`init_systemd',` systemd_start_power_units(initrc_t) systemd_watch_networkd_runtime_dirs(initrc_t) + # Ensures the memory.pressure cgroup file is labelled differently, so + # that processes can manage it without having access to the rest of the + # cgroup tree. This is a special file so each open is an independent, + # separate instance that cannot affect already opened ones, so it is not + # necessary to lock it down on a process-by-process base. This is useful + # to allow receiving notifications when memory pressure is high, see: + # https://systemd.io/MEMORY_PRESSURE/ + fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure") + optional_policy(` # create /var/lock/lvm/ lvm_create_lock_dirs(initrc_t) From 6ecba6ff80e121df23a72b776921581767f84119 Mon Sep 17 00:00:00 2001 
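Review bot: memory_pressure_t is given only `dev_associate_sysfs`, yet the files it labels sit on cgroup2, whose superblock the genfscon lines just above label cgroup_t; if the kernel's `filesystem associate` check applies to these kernfs-created files as it does to tmpfs content types, an associate rule towards cgroup_t is missing and the transition would be refused in enforcing mode. The mounton denial quoted in patch 207 was recorded with permissive=1, so it does not settle this; a quick enforcing-mode check is worthwhile before callers depend on the new label. Minor wording in the new comment: `# separate label, to allow unprivileged processes to access it without accessing`.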
From: Luca Boccassi Date: Wed, 15 Mar 2023 22:26:11 +0000 Subject: [PATCH 207/257] systemd: also allow to mounton memory.pressure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mar 15 22:15:35 localhost audit[1607]: AVC avc:  denied  { mounton } for  pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1 Signed-off-by: Luca Boccassi --- policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b3b5dfcc49..cbaab2c869 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1151,6 +1151,24 @@ interface(`fs_mounton_cgroup', ` allow $1 cgroup_types:dir mounton; ') +######################################## +## +## Mount on cgroup files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_cgroup_files', ` + gen_require(` + attribute cgroup_types; + ') + + allow $1 cgroup_types:file mounton; +') + ######################################## ## ## Create an object in a cgroup tmpfs filesystem, with a private diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 38d0c25389..799d23081c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1179,6 +1179,7 @@ ifdef(`init_systemd',` # to allow receiving notifications when memory pressure is high, see: # https://systemd.io/MEMORY_PRESSURE/ fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure") + fs_mounton_cgroup_files(init_t) optional_policy(` # create /var/lock/lvm/ From d0d4e8fd73c5835fd1a63e12cb1ab55b4ae35b23 Mon Sep 17 00:00:00 2001 
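Review bot: `fs_mounton_cgroup_files` allows `file mounton` on every cgroup_types file, but the denial quoted in the message involves only memory_pressure_t, and its path (/run/systemd/unit-root/sys/fs/cgroup/…/memory.pressure) shows systemd mounting over that single file inside a unit root. As written, `fs_mounton_cgroup_files(init_t)` lets init_t mount over any file in the cgroup tree; a narrower interface with `type memory_pressure_t;` in its gen_require and `allow $1 memory_pressure_t:file mounton;` matches the stated need, and the wide form should only stay if other cgroup files are known to be mounted over.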
From: Luca Boccassi Date: Wed, 15 Mar 2023 20:40:26 +0000 Subject: [PATCH 208/257] systemd: allow daemons to access memory.pressure These services are hooked up to the memory.pressure interface, so allow them to access the file. Jan 26 08:12:21 localhost audit[202]: AVC avc: denied { getattr } for pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[379]: AVC avc: denied { getattr } for pid=379 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 10 19:49:01 localhost audit[475]: AVC avc: denied { getattr } for pid=475 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 10 19:49:02 localhost audit[491]: AVC avc: denied { getattr } for pid=491 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 10 19:49:02 localhost audit[490]: AVC avc: denied { write } for pid=490 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[202]: AVC avc: denied { getattr } for pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 
26 08:12:21 localhost audit[382]: AVC avc: denied { getattr } for pid=382 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 10 19:57:56 localhost audit[479]: AVC avc: denied { getattr } for pid=479 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 10 19:57:56 localhost audit[493]: AVC avc: denied { getattr } for pid=493 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 10 19:57:56 localhost audit[492]: AVC avc: denied { write } for pid=492 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[204]: AVC avc: denied { getattr } for pid=204 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[316]: AVC avc: denied { getattr } for pid=316 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[359]: AVC avc: denied { getattr } for pid=359 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 
scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[350]: AVC avc: denied { write } for pid=350 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[203]: AVC avc: denied { getattr } for pid=203 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[312]: AVC avc: denied { getattr } for pid=312 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[351]: AVC avc: denied { getattr } for pid=351 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[342]: AVC avc: denied { write } for pid=342 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Jan 26 08:12:21 localhost audit[201]: AVC avc: denied { open } for pid=201 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Mar 13 17:00:57 localhost audit[490]: AVC avc: denied { open } for pid=490 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" 
ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0 Signed-off-by: Luca Boccassi --- policy/modules/services/ntp.te | 1 + policy/modules/system/logging.te | 1 + policy/modules/system/systemd.te | 5 +++++ policy/modules/system/udev.te | 1 + 4 files changed, 8 insertions(+) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 16494ba614..8a85342940 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -156,6 +156,7 @@ ifdef(`init_systemd',` allow ntpd_t self:capability { fowner setpcap }; init_read_state(ntpd_t) init_reload(ntpd_t) + fs_watch_memory_pressure(ntpd_t) # for /var/lib/systemd/clock init_list_var_lib_dirs(ntpd_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 1dd4813d1d..f10a1f6ba8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -549,6 +549,7 @@ ifdef(`init_systemd',` domain_read_all_domains_state(syslogd_t) fs_list_cgroup_dirs(syslogd_t) + fs_watch_memory_pressure(syslogd_t) init_create_runtime_dirs(syslogd_t) init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd") diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index ee8119cf30..de5be835bd 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -873,6 +873,7 @@ fs_read_efivarfs_files(systemd_logind_t) fs_relabelfrom_tmpfs_dirs(systemd_logind_t) fs_unmount_tmpfs(systemd_logind_t) fs_getattr_xattr_fs(systemd_logind_t) +fs_watch_memory_pressure(systemd_logind_t) selinux_use_status_page(systemd_logind_t) @@ -1020,6 +1021,7 @@ fs_getattr_cgroup(systemd_machined_t) fs_getattr_tmpfs(systemd_machined_t) fs_getattr_xattr_fs(systemd_machined_t) fs_read_nsfs_files(systemd_machined_t) +fs_watch_memory_pressure(systemd_machined_t) selinux_getattr_fs(systemd_machined_t) 
@@ -1126,6 +1128,7 @@ files_list_runtime(systemd_networkd_t) fs_getattr_all_fs(systemd_networkd_t) fs_search_cgroup_dirs(systemd_networkd_t) fs_read_nsfs_files(systemd_networkd_t) +fs_watch_memory_pressure(systemd_networkd_t) auth_use_nsswitch(systemd_networkd_t) @@ -1248,6 +1251,7 @@ fs_mount_tmpfs(systemd_nspawn_t) fs_remount_tmpfs(systemd_nspawn_t) fs_remount_xattr_fs(systemd_nspawn_t) fs_read_cgroup_files(systemd_nspawn_t) +fs_watch_memory_pressure(systemd_nspawn_t) term_getattr_generic_ptys(systemd_nspawn_t) term_getattr_pty_fs(systemd_nspawn_t) @@ -1505,6 +1509,7 @@ fs_getattr_all_fs(systemd_resolved_t) fs_search_cgroup_dirs(systemd_resolved_t) fs_search_tmpfs(systemd_resolved_t) fs_search_ramfs(systemd_resolved_t) +fs_watch_memory_pressure(systemd_resolved_t) init_dgram_send(systemd_resolved_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 90a71239e1..af9463a386 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -143,6 +143,7 @@ fs_read_cgroup_files(udev_t) fs_rw_anon_inodefs_files(udev_t) fs_search_tracefs(udev_t) fs_manage_efivarfs_files(udev_t) +fs_watch_memory_pressure(udev_t) mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) From 8f7064490dd03bd0712523fefe19a8ef9d4a9f7c Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Wed, 5 Apr 2023 16:06:19 +0200 Subject: [PATCH 209/257] The pulseaudio daemon and client do not normally need to use the network for most computer systems that need to play and record audio. So, network access by pulseaudio should normally be restricted. This patch restricts all network access by using tunable policy and a new boolean to control it. Signed-off-by: Guido Trentalancia --- policy/modules/apps/pulseaudio.te | 47 ++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 17 deletions(-) --- policy/modules/apps/pulseaudio.te | 59 +++++++++++++++++++------------ 1 file changed, 36 insertions(+), 23 deletions(-) 
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 0a5985da27..4472d39a32 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -13,6 +13,14 @@ policy_module(pulseaudio) ## gen_tunable(pulseaudio_execmem, false) +## +##

+## Determine whether pulseaudio +## can use the network. +##

+##
+gen_tunable(pulseaudio_can_network, false) + attribute pulseaudio_client; attribute pulseaudio_tmpfsfile; @@ -54,7 +62,6 @@ allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched sign allow pulseaudio_t self:fifo_file rw_fifo_file_perms; allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; allow pulseaudio_t self:unix_dgram_socket sendto; -allow pulseaudio_t self:tcp_socket { accept listen }; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; @@ -107,21 +114,6 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) -corenet_all_recvfrom_netlabel(pulseaudio_t) -corenet_tcp_sendrecv_generic_if(pulseaudio_t) -corenet_udp_sendrecv_generic_if(pulseaudio_t) -corenet_tcp_sendrecv_generic_node(pulseaudio_t) -corenet_udp_sendrecv_generic_node(pulseaudio_t) - -corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) -corenet_tcp_bind_pulseaudio_port(pulseaudio_t) - -corenet_sendrecv_soundd_server_packets(pulseaudio_t) -corenet_tcp_bind_soundd_port(pulseaudio_t) - -corenet_sendrecv_sap_server_packets(pulseaudio_t) -corenet_udp_bind_sap_port(pulseaudio_t) - dev_watch_dev_dirs(pulseaudio_t) dev_read_sound(pulseaudio_t) dev_write_sound(pulseaudio_t) 
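Review bot: The tunable text for `pulseaudio_can_network` only says "Determine whether pulseaudio can use the network", but the boolean gates both the daemon's listening on the pulseaudio, soundd and SAP ports (hunk @@ -161) and every pulseaudio_client domain's TCP connection to the pulseaudio port (hunk @@ -277), and it defaults to false, so existing network-streaming setups stop working on upgrade until the boolean is enabled. Spell that out in the description, e.g. `## Determine whether the pulseaudio daemon may listen on` / `## the network and whether pulseaudio clients may connect` / `## to remote pulseaudio servers.`, so administrators know which denials to expect.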
@@ -161,6 +153,25 @@ tunable_policy(`pulseaudio_execmem',` allow pulseaudio_t self:process execmem; ') +tunable_policy(`pulseaudio_can_network',` + allow pulseaudio_t self:tcp_socket create_stream_socket_perms; + + corenet_all_recvfrom_netlabel(pulseaudio_t) + corenet_tcp_sendrecv_generic_if(pulseaudio_t) + corenet_udp_sendrecv_generic_if(pulseaudio_t) + corenet_tcp_sendrecv_generic_node(pulseaudio_t) + corenet_udp_sendrecv_generic_node(pulseaudio_t) + + corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) + corenet_tcp_bind_pulseaudio_port(pulseaudio_t) + + corenet_sendrecv_soundd_server_packets(pulseaudio_t) + corenet_tcp_bind_soundd_port(pulseaudio_t) + + corenet_sendrecv_sap_server_packets(pulseaudio_t) + corenet_udp_bind_sap_port(pulseaudio_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(pulseaudio_t) fs_manage_nfs_files(pulseaudio_t) @@ -258,13 +269,6 @@ xdg_config_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse") fs_getattr_tmpfs(pulseaudio_client) -corenet_all_recvfrom_netlabel(pulseaudio_client) -corenet_tcp_sendrecv_generic_if(pulseaudio_client) -corenet_tcp_sendrecv_generic_node(pulseaudio_client) - -corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client) -corenet_tcp_connect_pulseaudio_port(pulseaudio_client) - pulseaudio_stream_connect(pulseaudio_client) pulseaudio_manage_home(pulseaudio_client) pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") 
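Review bot: Inside the tunable the daemon gets `self:tcp_socket create_stream_socket_perms`, whereas the rule removed at @@ -54 granted only `{ accept listen }`; the remaining stream-socket permissions (create, bind, connect, …) were therefore either granted by a rule outside these hunks, which now leaves socket creation unconditional and duplicates what the tunable grants, or were missing before and are being added here without mention. Check which it is and keep the daemon's `self:tcp_socket` rule in one place under the boolean, e.g. `allow pulseaudio_t self:tcp_socket { accept listen };` if the base permissions already live elsewhere.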
@@ -277,6 +281,15 @@ userdom_read_user_tmpfs_files(pulseaudio_client) userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse") # userdom_delete_user_tmpfs_files(pulseaudio_client) +tunable_policy(`pulseaudio_can_network',` + corenet_all_recvfrom_netlabel(pulseaudio_client) + corenet_tcp_sendrecv_generic_if(pulseaudio_client) + corenet_tcp_sendrecv_generic_node(pulseaudio_client) + + corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client) + corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +') + tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(pulseaudio_client) fs_manage_nfs_dirs(pulseaudio_client) From a098f2bd52210244b9512bcee210755b6159c1b7 Mon Sep 17 00:00:00 2001 From: freedom1b2830 Date: Sat, 25 Mar 2023 17:11:04 +0000 Subject: [PATCH 210/257] mplayer:vlc paths Signed-off-by: freedom1b2830 --- policy/modules/apps/mplayer.fc | 4 ++++ policy/modules/apps/mplayer.te | 22 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc index 755ebe2f5c..468cbae708 100644 --- a/policy/modules/apps/mplayer.fc +++ b/policy/modules/apps/mplayer.fc @@ -1,3 +1,7 @@ +HOME_DIR/\.cache/vlc(/.*)? gen_context(system_u:object_r:mplayer_xdg_cache_t,s0) +HOME_DIR/\.config/vlc(/.*)? gen_context(system_u:object_r:mplayer_xdg_config_t,s0) +HOME_DIR/\.local/share/vlc(/.*)? gen_context(system_u:object_r:mplayer_xdg_data_t,s0) + HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) /etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index a943fe9b6d..25af73b664 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te 
@@ -43,6 +43,15 @@ optional_policy(` pulseaudio_tmpfs_content(mplayer_tmpfs_t) ') +type mplayer_xdg_cache_t; +files_type(mplayer_xdg_cache_t) + +type mplayer_xdg_config_t; +files_type(mplayer_xdg_config_t) + +type mplayer_xdg_data_t; +files_type(mplayer_xdg_data_t) + ######################################## # # Mencoder local policy @@ -148,6 +157,18 @@ manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +manage_dirs_pattern(mplayer_t, mplayer_xdg_cache_t, mplayer_xdg_cache_t) +manage_files_pattern(mplayer_t, mplayer_xdg_cache_t, mplayer_xdg_cache_t) +xdg_cache_filetrans(mplayer_t, mplayer_xdg_cache_t, dir, "vlc") + +manage_dirs_pattern(mplayer_t, mplayer_xdg_config_t, mplayer_xdg_config_t) +manage_files_pattern(mplayer_t, mplayer_xdg_config_t, mplayer_xdg_config_t) +xdg_config_filetrans(mplayer_t, mplayer_xdg_config_t, dir, "vlc") + +manage_dirs_pattern(mplayer_t, mplayer_xdg_data_t, mplayer_xdg_data_t) +manage_files_pattern(mplayer_t, mplayer_xdg_data_t, mplayer_xdg_data_t) +xdg_data_filetrans(mplayer_t, mplayer_xdg_data_t, dir, "vlc") + kernel_dontaudit_list_unlabeled(mplayer_t) kernel_dontaudit_getattr_unlabeled_files(mplayer_t) kernel_dontaudit_read_unlabeled_files(mplayer_t) @@ -183,6 +204,7 @@ files_read_non_security_files(mplayer_t) files_list_home(mplayer_t) files_read_etc_runtime_files(mplayer_t) files_read_usr_files(mplayer_t) +files_map_usr_files(mplayer_t) fs_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) From cb068f09d224f90a97fa63a574fb423bbe1ceeda Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Wed, 25 Jan 2023 20:53:49 +0100 Subject: [PATCH 211/257] smartmon: add domain for update-smart-drivedb update-smart-drivedb is a fsadm_t like but with access to network, so Since it do network access, and dont access any hardware, let's add its own domain. 
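Review bot: The three new mplayer_xdg_*_t types only get `files_type`, while they are created under ~/.cache, ~/.config and ~/.local/share through `xdg_*_filetrans`; other home-content types are normally also registered as user home / XDG content so the owning user domain can list, back up and relabel them — check whether xdg.if's content interfaces apply here, otherwise users cannot touch their own vlc directories outside mplayer_t. A short comment above the declarations, `# vlc shares the mplayer domain and keeps its XDG state in these types`, would explain why vlc paths land in mplayer.te (its labelling as mplayer_exec_t is presumably elsewhere in mplayer.fc). `files_map_usr_files(mplayer_t)` at @@ -183 is unrelated to the vlc paths and belongs in its own commit.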
Signed-off-by: Corentin LABBE --- policy/modules/services/smartmon.fc | 1 + policy/modules/services/smartmon.te | 50 +++++++++++++++++++- policy/modules/system/fstools.if | 73 ++++++++++++++++++++++------- 3 files changed, 106 insertions(+), 18 deletions(-) diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc index 3856d1b5d6..5bc5e49694 100644 --- a/policy/modules/services/smartmon.fc +++ b/policy/modules/services/smartmon.fc @@ -3,6 +3,7 @@ /usr/bin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) /usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) +/usr/sbin/update-smart-drivedb -- gen_context(system_u:object_r:smartmon_update_drivedb_exec_t,s0) /run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_runtime_t,s0) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 82bfa992d8..d62bead95d 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -33,6 +33,10 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) ') +type smartmon_update_drivedb_t; +type smartmon_update_drivedb_exec_t; +init_system_domain(smartmon_update_drivedb_t, smartmon_update_drivedb_exec_t) + ######################################## # # Local policy @@ -112,6 +116,10 @@ tunable_policy(`smartmon_3ware',` seutil_read_file_contexts(fsdaemon_t) ') +optional_policy(` + fstools_read_fsadm_db_files(fsdaemon_t) +') + optional_policy(` mta_send_mail(fsdaemon_t) ') 
@@ -120,6 +128,46 @@ optional_policy(`
 	seutil_sigchld_newrole(fsdaemon_t)
 ')
 
+########################################
+#
+# smartmon_update_drivedb policy
+#
+
+allow smartmon_update_drivedb_t self:fifo_file rw_fifo_file_perms;
+allow smartmon_update_drivedb_t self:unix_stream_socket connectto;
+
+corecmd_exec_bin(smartmon_update_drivedb_t)
+corecmd_exec_shell(smartmon_update_drivedb_t)
+
+corenet_sendrecv_http_client_packets(smartmon_update_drivedb_t)
+corenet_tcp_connect_http_port(smartmon_update_drivedb_t)
+
+files_read_etc_files(smartmon_update_drivedb_t)
+
+fstools_exec(smartmon_update_drivedb_t)
+
+kernel_dontaudit_read_system_state(smartmon_update_drivedb_t)
+
+miscfiles_read_generic_certs(smartmon_update_drivedb_t)
+miscfiles_read_localization(smartmon_update_drivedb_t)
+
+sysnet_dns_name_resolve(smartmon_update_drivedb_t)
+
+ifdef(`distro_gentoo',`
+	fstools_manage_fsadm_db_files(smartmon_update_drivedb_t)
+	fstools_watch_fsadm_db_dirs(smartmon_update_drivedb_t)
+')
+
 optional_policy(`
-	fstools_read_fsadm_db_files(fsdaemon_t)
+	cron_rw_inherited_system_job_tmp_files(smartmon_update_drivedb_t)
+	cron_system_entry(smartmon_update_drivedb_t, smartmon_update_drivedb_exec_t)
+')
+
+optional_policy(`
+	gpg_exec_agent(smartmon_update_drivedb_t)
+	gpg_exec(smartmon_update_drivedb_t)
+')
+
+optional_policy(`
+	xdg_read_config_files(smartmon_update_drivedb_t)
 ')
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index d82b4b2820..71ffbd02cb 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
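Review bot: The fstools calls in the new smartmon_update_drivedb_t block are inconsistent with the rest of the patch: `fstools_exec`, `fstools_manage_fsadm_db_files` and `fstools_watch_fsadm_db_dirs` are called unconditionally here, while hunk @@ -112 wraps `fstools_read_fsadm_db_files(fsdaemon_t)` in `optional_policy`; either fstools is always present (then the optional_policy is unnecessary) or it is not (then these calls need one too). `fstools_exec` also lets the updater run any fsadm_exec_t program inside its own network-capable domain, which is broad for a script that, per the message, downloads a database; if it is only there for one helper, name it in a comment or narrow the rule. The `ifdef(`distro_gentoo',` block would benefit from a one-line comment saying why only Gentoo needs write and watch access on fsadm_db_t.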
@@ -118,6 +118,62 @@ interface(`fstools_read_pipes',` allow $1 fsadm_t:fifo_file read_fifo_file_perms; ') +######################################## +## +## Read fsadm_db_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_read_fsadm_db_files',` + gen_require(` + type fsadm_db_t; + ') + + read_files_pattern($1, fsadm_db_t, fsadm_db_t) +') + +######################################## +## +## Manage all fsadm_db_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_manage_fsadm_db_files',` + gen_require(` + type fsadm_db_t; + ') + + manage_dirs_pattern($1, fsadm_db_t, fsadm_db_t) + manage_files_pattern($1, fsadm_db_t, fsadm_db_t) + manage_sock_files_pattern($1, fsadm_db_t, fsadm_db_t) +') + +######################################## +## +## Watch fsadm_db_t directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_watch_fsadm_db_dirs',` + gen_require(` + type fsadm_db_t; + ') + + allow $1 fsadm_db_t:dir watch; +') + ######################################## ## ## Relabel a file to the type used by the @@ -265,20 +321,3 @@ interface(`fstools_manage_swap_files',` allow $1 swapfile_t:file manage_file_perms; ') -######################################## -## -## Read fsadm_db_t files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_read_fsadm_db_files',` - gen_require(` - type fsadm_db_t; - ') - - read_files_pattern($1, fsadm_db_t, fsadm_db_t) -') From ac6b47c71d0b3be4c103a30b3a7e4182b8c4f755 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Tue, 21 Mar 2023 12:43:53 +0100 Subject: [PATCH 212/257] dovecot: add missing permissions I use dovecot for IMAP hosting and several rules are missing. Signed-off-by: Corentin LABBE --- policy/modules/services/dovecot.te | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index d3276777c2..3704787702 100644 --- a/policy/modules/services/dovecot.te 
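Review bot: The summary of `fstools_manage_fsadm_db_files` says "Manage all fsadm_db_t files" but the body also manages directories and socket files; write `## Manage fsadm_db_t directories, files and socket files.` and, since nothing in this series shows a caller creating sockets in the drive database directory, consider leaving out `manage_sock_files_pattern` until a caller needs it. Moving `fstools_read_fsadm_db_files` from the end of the file (hunk @@ -265) to this spot is a pure reorder that would be easier to review as its own commit.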
+++ b/policy/modules/services/dovecot.te @@ -124,8 +124,9 @@ create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) +allow dovecot_t dovecot_spool_t:dir watch; manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +mmap_manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_dirs_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t) @@ -337,6 +338,8 @@ optional_policy(` # Deliver local policy # +allow dovecot_deliver_t self:process signal; + allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) @@ -355,6 +358,8 @@ can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) allow dovecot_deliver_t dovecot_t:process signull; +allow dovecot_deliver_t dovecot_spool_t:file map; + fs_getattr_all_fs(dovecot_deliver_t) auth_use_nsswitch(dovecot_deliver_t) From f52070b3cfd28466836dc76226eb262e01ea7905 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Tue, 18 Apr 2023 10:11:13 -0500 Subject: [PATCH 213/257] container: set default context for local-path-provisioner The kubernetes local-path-provisioner uses either /opt/local-path-provisioner or /var/local-path-provisioner for its physical volumes Signed-off-by: Pat Riehecky --- policy/modules/services/container.fc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc index 056aa60234..49e5d59bb2 100644 --- a/policy/modules/services/container.fc +++ b/policy/modules/services/container.fc 
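Review bot: `allow dovecot_deliver_t dovecot_spool_t:file map;` at @@ -355 is a bare map rule, while the same commit upgrades dovecot_t to `mmap_manage_files_pattern`; refpolicy's mmap_ pattern variants (`mmap_read_files_pattern`, `mmap_rw_files_pattern`, `mmap_manage_files_pattern`) exist so that map stays next to the read/write access it extends. The rule that already gives dovecot_deliver_t its read or write access on dovecot_spool_t is outside this hunk; switching that one to its mmap_ variant is cleaner than a stand-alone `map`. The `dir watch` and `self:process signal` additions look fine.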
@@ -32,6 +32,8 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /opt/cni(/.*)? gen_context(system_u:object_r:container_plugin_t,s0) +/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) + /etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0) /etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) @@ -100,6 +102,8 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) /var/lib/etcd(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) + /var/log/containerd(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/crio(/.*)? gen_context(system_u:object_r:container_log_t,s0) From 232b4ab271afa77a9c115c5ee6df399027c2cc3d Mon Sep 17 00:00:00 2001 From: Grzegorz Filo Date: Wed, 3 May 2023 09:42:34 +0200 Subject: [PATCH 214/257] Shell functions used during boot by initrc_t shall be bin_t and defined in corecommands.fc Signed-off-by: Grzegorz Filo --- policy/modules/kernel/corecommands.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 1f006131f3..db1f1e1b35 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -109,6 +109,8 @@ ifdef(`distro_redhat',` /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/zfs/zfs-functions -- gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') From d769f31966cc60809a4d6217f76f75589dd5eb88 Mon Sep 17 00:00:00 2001 
From: Grzegorz Filo Date: Wed, 3 May 2023 10:54:59 +0200 Subject: [PATCH 215/257] Dir transition goes with dir create perms. Signed-off-by: Grzegorz Filo --- policy/modules/services/zfs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te index ed1ae77ba7..6cb4942190 100644 --- a/policy/modules/services/zfs.te +++ b/policy/modules/services/zfs.te @@ -84,6 +84,7 @@ list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t) read_files_pattern(zfs_t, zfs_config_t, zfs_config_t) read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t) +manage_dirs_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t) manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t) files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file }) From 80d52aa4f672c9a9ab9e5b61c45e1c0bafca057b Mon Sep 17 00:00:00 2001 From: Grzegorz Filo Date: Wed, 10 May 2023 16:15:07 +0200 Subject: [PATCH 216/257] Keep context of blkid file/dir when created by zpool. Signed-off-by: Grzegorz Filo --- policy/modules/services/zfs.te | 5 +++++ policy/modules/system/fstools.if | 28 ++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te index 6cb4942190..c2b09142c6 100644 --- a/policy/modules/services/zfs.te +++ b/policy/modules/services/zfs.te @@ -128,6 +128,11 @@ userdom_use_user_terminals(zfs_t) zfs_rw_zpool_cache(zfs_t) +optional_policy(` + fstools_manage_runtime_files(zfs_t) + fstools_runtime_filetrans(zfs_t, dir, "blkid") +') + optional_policy(` kernel_rw_rpc_sysctls(zfs_t) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if index 71ffbd02cb..188a740003 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if 
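Review bot: `fstools_runtime_filetrans(zfs_t, dir, "blkid")` transitions a directory, but the only access added beside it is `fstools_manage_runtime_files(zfs_t)`; if that interface (not shown here) covers files only, zfs_t still lacks `dir create` on the fsadm runtime type and the transition can never fire — the same mismatch the previous commit in this series ("Dir transition goes with dir create perms") fixed for zfs_runtime_t. Confirm the interface's scope or add a directory-managing call next to it.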
@@ -321,3 +321,31 @@ interface(`fstools_manage_swap_files',` allow $1 swapfile_t:file manage_file_perms; ') +######################################## +## +## Create objects in the runtime directory with an automatic type transition to the fsadm runtime type. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`fstools_runtime_filetrans',` + gen_require(` + type fsadm_run_t; + ') + + files_runtime_filetrans($1, fsadm_run_t, $2, $3) +') + From 6ac468d24eb9d0451f214773d422d56b5e46961a Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 25 May 2023 16:57:47 -0400 Subject: [PATCH 217/257] chromium: allow chromium-naclhelper to create user namespaces Closes: https://github.com/SELinuxProject/refpolicy/issues/605 Signed-off-by: Kenton Groombridge --- policy/modules/apps/chromium.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te index e0ec30722e..9119ef184f 100644 --- a/policy/modules/apps/chromium.te +++ b/policy/modules/apps/chromium.te @@ -379,6 +379,7 @@ allow chromium_sandbox_t chromium_naclhelper_t:process share; # Chromium nacl helper local policy # +allow chromium_naclhelper_t self:user_namespace create; allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write }; allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr read write }; From feaf607f3e78c33e1c0467c414ca8a11d31958b1 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 21 Jun 2023 09:24:25 +0200 Subject: [PATCH 218/257] container: fix cilium denial Signed-off-by: Mathieu Tortuyaux --- policy/modules/services/container.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 5de421fc3c..cdb854c6cb 100644 --- a/policy/modules/services/container.te 
+++ b/policy/modules/services/container.te @@ -866,6 +866,7 @@ allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay allow spc_t self:netlink_generic_socket create_socket_perms; allow spc_t self:netlink_netfilter_socket create_socket_perms; allow spc_t self:netlink_xfrm_socket create_socket_perms; +allow spc_t self:perf_event { cpu kernel open read }; allow container_engine_system_domain spc_t:process { setsched signal_perms }; From 34cba22df87d3cb16569c943b02de0ada365307c Mon Sep 17 00:00:00 2001 From: Renato Caldas Date: Mon, 3 Jul 2023 18:01:43 +0100 Subject: [PATCH 219/257] kubernetes: allow kubelet to read /proc/sys/vm files. Kubelet checks the value of '/proc/sys/vm/panic_on_oom' before starting. Signed-off-by: Renato Caldas --- policy/modules/services/kubernetes.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index e9d8fcdd2f..47323322e3 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -273,6 +273,7 @@ kernel_read_irq_sysctls(kubelet_t) kernel_read_network_state(kubelet_t) kernel_read_system_state(kubelet_t) kernel_read_state(kubelet_t) +kernel_read_vm_sysctls(kubelet_t) kernel_rw_kernel_sysctl(kubelet_t) kernel_rw_net_sysctls(kubelet_t) kernel_rw_vm_overcommit_sysctl(kubelet_t) From cf09279eabcfec4912e97e3513f0de22bda2ea9a Mon Sep 17 00:00:00 2001 From: Florian Schmidt Date: Thu, 29 Jun 2023 12:58:49 +0000 Subject: [PATCH 220/257] Add label and interfaces for kernel PSI files The pressure stall information (PSI) special files in /proc/pressure currently don't have a separate file context, and so default to proc_t. Since users need read/write permissions to those files to use PSI, and handing out blanket permissions to proc_t is strongly discouraged, introduce a new proc_psi_t label, as well as interfaces for it. 
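Review bot: The new `allow spc_t self:perf_event { cpu kernel open read };` carries no comment explaining why a container domain needs perf events, and the commit message only says "fix cilium denial" without the AVC. The `kernel` permission is the one worth recording, since it allows attaching to kernel-side events, which perf_event_paranoid otherwise restricts; for spc_t, the privileged container domain, that is consistent with its role, but the rationale should be written down so the rule is not later copied into container_t. Suggest `# cilium opens perf event buffers (presumably for its eBPF datapath) - see AVC in commit` above the rule, plus the AVC in the commit message. The spc_t block continues outside the hunk.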
Signed-off-by: Florian Schmidt --- policy/modules/kernel/kernel.if | 45 +++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 3 +++ 2 files changed, 48 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index f35cccaff6..6abcc1be6c 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -1535,6 +1535,51 @@ interface(`kernel_read_network_state_symlinks',` list_dirs_pattern($1, proc_t, proc_net_t) ') +######################################## +## +## Allow caller to receive pressure stall information (PSI). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_read_psi',` + gen_require(` + type proc_t, proc_psi_t; + ') + + read_files_pattern($1, { proc_t proc_psi_t }, proc_psi_t) + read_lnk_files_pattern($1, { proc_t proc_psi_t }, proc_psi_t) + list_dirs_pattern($1, { proc_t proc_psi_t }, proc_psi_t) +') + +######################################## +## +## Allow caller to set up pressure stall information (PSI). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_rw_psi',` + gen_require(` + type proc_t, proc_psi_t; + ') + + rw_files_pattern($1, { proc_t proc_psi_t }, proc_psi_t) + read_lnk_files_pattern($1, { proc_t proc_psi_t }, proc_psi_t) + list_dirs_pattern($1, { proc_t proc_psi_t }, proc_psi_t) + + # kernel requires writers to have CAP_SYS_RESOURCE + allow $1 self:capability sys_resource; +') + ######################################## ## ## Allow searching of xen state directory. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 31c5e8a2a9..586cbbeedc 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
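Review bot: `kernel_rw_psi` grants `allow $1 self:capability sys_resource;` as a side effect, but the interface summary only talks about setting up PSI; CAP_SYS_RESOURCE is broad (it also covers raising hard resource limits and overriding quota and reserved-space checks, among other things), so a caller reaching for the PSI interface gets considerably more than it asked for. The summary should say so, e.g. `Allow caller to read and configure pressure stall information (PSI) triggers. Note: this also grants CAP_SYS_RESOURCE, which the kernel requires for writing PSI triggers; use kernel_read_psi where triggers are not needed.` Alternatively leave the capability out of the interface and have each calling domain's .te grant it explicitly next to its other capability rules, which keeps the capability visible where the domain is reviewed.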
@@ -109,6 +109,9 @@ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) +type proc_psi_t, proc_type; +genfscon proc /pressure gen_context(system_u:object_r:proc_psi_t,s0) + type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) From 26eb377014bfd1f85591aca20f25ee0b546c245f Mon Sep 17 00:00:00 2001 From: Christian Schneider Date: Fri, 23 Jun 2023 22:56:08 +0200 Subject: [PATCH 221/257] systemd-generator: systemd_generator_t load kernel modules used for e.g. zram-generator Fixes: avc: denied { getsched } for pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1 avc: denied { execute } for pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1 Signed-off-by: Christian Schneider --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index de5be835bd..a7ed453e86 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -524,6 +524,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t) # Where an unlabeled mountpoint is encounted: kernel_dontaudit_search_unlabeled(systemd_generator_t) +modutils_domtrans(systemd_generator_t) + # write for systemd-zram-generator storage_raw_rw_fixed_disk(systemd_generator_t) storage_raw_read_removable_device(systemd_generator_t) From f1e7404baa056e00c658b06e06cd2d061ea6b7cf Mon Sep 17 00:00:00 2001 
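Review bot: The commit message quotes a `getsched` denial on `self:process` for systemd_generator_t, but the hunk only adds `modutils_domtrans(systemd_generator_t)`, which addresses the `execute` denial on kmod_exec_t; nothing here grants `allow systemd_generator_t self:process getsched;`, so that AVC will persist unless it is already granted earlier in the domain's policy, which is outside the hunk. Either add that line or drop the AVC from the message. The transition also applies to every generator run from this domain, not just zram-generator, so a comment naming the trigger would help later review, e.g. `# zram-generator runs modprobe to load the zram module`. The systemd_generator_t block continues outside the hunk.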
From: Kenton Groombridge Date: Thu, 25 May 2023 10:20:49 -0400 Subject: [PATCH 222/257] container: rework capabilities Rework (primarily) non-namespaced capabilities. These accesses are leftovers from earlier policy versions before the container module was introduced that are most likely too coarse for most container applications. Put all non-namespaced capability accesses for containers behind tunables, borrowing ideas from container-selinux. For the more privileged capabilities (sysadmin, mknod), add a tunable to control both namespaced and non-namespaced access to these operations. Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 88 ++++++++++++++++++++++++++-- 1 file changed, 84 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index cdb854c6cb..a5ad4686d0 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -58,6 +58,15 @@ gen_tunable(container_use_dri, false) ## gen_tunable(container_use_ecryptfs, false) +## +##

+## Allow containers to use all capabilities in a +## non-namespaced context for various privileged operations +## directly on the host. +##

+##
+gen_tunable(container_use_host_all_caps, false) + ## ##

## Allow containers to use huge pages. @@ -65,6 +74,14 @@ gen_tunable(container_use_ecryptfs, false) ## gen_tunable(container_use_hugetlbfs, false) +## +##

+## Allow containers to use the mknod syscall, e.g. for +## creating special device files. +##

+##
+gen_tunable(container_use_mknod, false) + ## ##

## Allow containers to use NFS filesystems. @@ -79,6 +96,41 @@ gen_tunable(container_use_nfs, false) ## gen_tunable(container_use_samba, false) +## +##

+## Allow containers to use the sysadmin capability, e.g. +## for mounting filesystems. +##

+##
+gen_tunable(container_use_sysadmin, false) + +## +##

+## Allow containers to use all capabilities in a +## namespaced context for various privileged operations +## within the container itself. +##

+##
+gen_tunable(container_use_userns_all_caps, false) + +## +##

+## Allow containers to use the mknod syscall in a +## namespaced context, e.g. for creating special device +## files within the container itself. +##

+##
+gen_tunable(container_use_userns_mknod, false) + +## +##

+## Allow containers to use the sysadmin capability in a +## namespaced context, e.g. for mounting filesystems +## within the container itself. +##

+##
+gen_tunable(container_use_userns_sysadmin, false) + ######################################## # # Declarations @@ -228,7 +280,8 @@ corenet_port(container_port_t) # Common container domain local policy # -allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot }; +dontaudit container_domain self:capability fsetid; +dontaudit container_domain self:capability2 block_suspend; allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid }; allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms }; allow container_domain self:dir rw_dir_perms; @@ -410,7 +463,6 @@ optional_policy(` # Common container net domain local policy # -allow container_net_domain self:capability { net_admin net_raw }; allow container_net_domain self:cap_userns { net_admin net_bind_service net_raw }; allow container_net_domain self:tcp_socket create_stream_socket_perms; allow container_net_domain self:udp_socket create_socket_perms; @@ -446,8 +498,6 @@ corenet_tcp_connect_all_ports(container_net_domain) # Container local policy # -allow container_t self:capability { chown dac_override dac_read_search fowner fsetid setpcap sys_admin sys_nice sys_ptrace sys_resource }; -dontaudit container_t self:capability2 block_suspend; allow container_t self:process setrlimit; allow container_t container_file_t:filesystem getattr; 
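Review bot: The summaries for `container_use_mknod` and `container_use_sysadmin` do not say that they grant the non-namespaced (host) capability, even though the sibling `container_use_host_all_caps` carries a `host_` prefix for exactly that distinction, and they do not mention that enabling them also turns on the userns variant (visible in the `||` conditions of the tunable_policy blocks later in this commit). A reader comparing `container_use_sysadmin` with `container_use_userns_sysadmin` cannot tell from the doc which one is the dangerous one. Suggest `Allow containers to use the sysadmin capability outside of a user namespace, i.e. against the host, e.g. for mounting filesystems. Implies container_use_userns_sysadmin.` and the equivalent wording for mknod; renaming them to `container_use_host_sysadmin`/`container_use_host_mknod` would make the naming consistent, if compatibility with the container-selinux boolean names is not a goal.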
@@ -475,6 +525,36 @@ logging_send_audit_msgs(container_t) userdom_use_user_ptys(container_t) +tunable_policy(`container_use_host_all_caps',` + # omitted sys_module + allow container_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; + # omitted mac_admin, mac_override + allow container_t self:capability2 { syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore }; +') + +tunable_policy(`container_use_mknod',` + allow container_t self:capability mknod; +') + +tunable_policy(`container_use_sysadmin',` + allow container_t self:capability sys_admin; +') + +tunable_policy(`container_use_userns_all_caps',` + # omitted sys_module + allow container_t self:cap_userns { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; + # omitted mac_admin, mac_override + allow container_t self:cap2_userns { syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore }; +') + +tunable_policy(`container_use_userns_mknod || container_use_mknod',` + allow container_t self:cap_userns mknod; +') + +tunable_policy(`container_use_userns_sysadmin || container_use_sysadmin',` + allow container_t self:cap_userns sys_admin; +') + optional_policy(` rpm_read_db(container_t) ') From a120ea8c25fc84dd41582431762e1c5770988f6c Mon Sep 17 00:00:00 2001 
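Review bot: The `container_use_host_all_caps` block gives container_t nearly the full host capability set on `self:capability` (sys_admin, sys_ptrace, sys_rawio, setpcap, audit_control, plus bpf, perfmon and checkpoint_restore on capability2), which is effectively an unconfined root process on the host, while the tunable's summary earlier in this commit describes it only as "various privileged operations". The `# omitted sys_module` comment signals an intent to keep kernel code loading off the table, but with sys_rawio and sys_admin in the same set a container may still reach the kernel through raw device access or mounts, subject only to the type rules on those objects, so the omission buys little on its own. Say so in the comment, e.g. `# omitted sys_module; note sys_rawio/sys_admin still allow near-equivalent host access`, and state in the tunable description that this is the equivalent of a privileged container and should only be enabled for explicitly trusted workloads.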
From: Dave Sugar Date: Fri, 14 Jul 2023 13:41:07 -0400 Subject: [PATCH 223/257] Allow local login to read /run/motd node=localhost type=AVC msg=audit(1689384764.155:53945): avc: denied { getattr } for pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1689384764.155:53946): avc: denied { read } for pid=5125 comm="login" name="motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1689384764.155:53946): avc: denied { open } for pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar --- policy/modules/system/authlogin.if | 19 +++++++++++++++++++ policy/modules/system/locallogin.te | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 4a2bfbccbb..442a37b16b 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -118,6 +118,25 @@ interface(`auth_use_pam_motd_dynamic',` files_runtime_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new") ') +######################################## +## +## Read the pam module motd with dynamic support during authentication. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_read_pam_motd_dynamic',` + gen_require(` + type pam_motd_runtime_t; + ') + + files_search_runtime($1) + allow $1 pam_motd_runtime_t:file read_file_perms; +') + ######################################## ## ## Make the specified domain used for a login program. diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 7728de8040..89311a323d 100644 
--- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -128,6 +128,7 @@ auth_manage_pam_runtime_dirs(local_login_t) auth_manage_pam_runtime_files(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) +auth_read_pam_motd_dynamic(local_login_t) init_dontaudit_use_fds(local_login_t) From 5e0627bfc6597440c16acf9416e8cdc66cf9375a Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 18:36:03 +0300 Subject: [PATCH 224/257] [meta-selinux] Import upstream meta-selinux patches Squash patches from meta-selinux kirkstone ref https://git.yoctoproject.org/meta-selinux/commit/?h=kirkstone&id=d3902c823895ed3f7fe3f79a455f0e8e4d04c431 
Signed-off-by: Mykola Solianko --- config/file_contexts.subs_dist | 16 ++++++++ policy/modules/admin/brctl.fc | 1 + policy/modules/admin/dmesg.fc | 1 + policy/modules/admin/dmesg.te | 2 + policy/modules/admin/rpm.fc | 2 + policy/modules/admin/shutdown.fc | 1 + policy/modules/admin/su.fc | 2 + policy/modules/admin/usermanage.fc | 6 +++ policy/modules/admin/usermanage.te | 2 + policy/modules/apps/screen.fc | 1 + policy/modules/apps/vlock.fc | 1 + policy/modules/kernel/corecommands.fc | 6 +++ policy/modules/kernel/files.fc | 1 + policy/modules/kernel/files.if | 8 ++++ policy/modules/kernel/kernel.te | 5 +++ policy/modules/kernel/terminal.if | 3 ++ policy/modules/roles/sysadm.te | 2 + policy/modules/services/cron.fc | 1 + policy/modules/services/kerberos.fc | 10 +++++ policy/modules/services/ldap.fc | 5 +++ policy/modules/services/ntp.fc | 1 + policy/modules/services/postgresql.fc | 11 ++++++ policy/modules/services/rngd.fc | 1 + policy/modules/services/rpc.fc | 2 + policy/modules/services/rpcbind.te | 7 +++- policy/modules/services/ssh.fc | 1 + policy/modules/system/authlogin.fc | 1 + policy/modules/system/clock.fc | 1 + policy/modules/system/fstools.fc | 11 ++++++ policy/modules/system/getty.te | 1 + policy/modules/system/hostname.fc | 2 + policy/modules/system/init.fc | 1 + policy/modules/system/init.if | 3 +- policy/modules/system/init.te | 8 ++++ policy/modules/system/locallogin.fc | 1 + policy/modules/system/logging.fc | 2 + policy/modules/system/logging.if | 9 +++++ policy/modules/system/logging.te | 13 ++++++ policy/modules/system/modutils.te | 1 + policy/modules/system/mount.te | 1 + policy/modules/system/setrans.te | 2 + policy/modules/system/sysnetwork.fc | 5 +++ policy/modules/system/sysnetwork.te | 8 +++- policy/modules/system/systemd.if | 9 ++++- policy/modules/system/systemd.te | 57 ++++++++++++++++++++++++++- policy/modules/system/udev.fc | 2 + policy/modules/system/udev.te | 2 + policy/modules/system/userdomain.if | 18 +++++++++ 48 files changed, 251 
insertions(+), 6 deletions(-) diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist index ba22ce7e78..f80499ebf0 100644 --- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist @@ -33,3 +33,19 @@ # not for refpolicy intern, but for /var/run using applications, # like systemd tmpfiles or systemd socket configurations /var/run /run + +# volatile aliases +# ensure the policy applied to the base filesystem objects are reflected in the +# volatile hierarchy. +/var/volatile/log /var/log +/var/volatile/tmp /var/tmp + +# busybox aliases +# quickly match up the busybox built-in tree to the base filesystem tree +/usr/lib/busybox/bin /usr/bin +/usr/lib/busybox/sbin /usr/sbin +/usr/lib/busybox/usr /usr + +# The genhomedircon.py will expand /root home directory to /home/root +# Add an aliase for it +/root /home/root diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc index ed472f0959..2a852b0fd2 100644 --- a/policy/modules/admin/brctl.fc +++ b/policy/modules/admin/brctl.fc @@ -1,3 +1,4 @@ /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) +/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0) diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc index e52fdfcf8a..526b92ed21 100644 --- a/policy/modules/admin/dmesg.fc +++ b/policy/modules/admin/dmesg.fc @@ -1 +1,2 @@ /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) +/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index f1da315a98..89478c38e5 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te 
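Review bot: The busybox aliases in file_contexts.subs_dist label `/usr/lib/busybox/{bin,sbin,usr}` as if they were `/usr/{bin,sbin}`, so e.g. a `su` or `shutdown` entry there picks up su_exec_t or shutdown_exec_t; if those entries are symlinks to a single busybox binary, the domain transition on exec is decided by the label of the resolved target rather than the symlink, and the alias changes the symlinks' labels without achieving the corresponding confinement. Worth confirming what busybox installs in that tree and recording it in the comment. The `/root /home/root` alias likewise moves the labeling source for root's home from the explicit `/root` entries to whatever the HOME_DIR expansion yields; a comment naming the resulting type that is expected, e.g. `# /root is labeled via the HOME_DIR rules; expected type: ...`, would let a reviewer check it.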
@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t) userdom_dontaudit_use_unpriv_user_fds(dmesg_t) userdom_use_user_terminals(dmesg_t) +mls_file_read_to_clearance(dmesg_t) + optional_policy(` seutil_sigchld_newrole(dmesg_t) ') diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc index 3f842f9427..12973ac8b8 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -71,4 +71,6 @@ ifdef(`distro_redhat',` ifdef(`enable_mls',` /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc index bf51c103f6..91ed72be0b 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc @@ -5,5 +5,6 @@ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc index 3375c96922..a9868cd58b 100644 --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc @@ -1,3 +1,5 @@ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc index 7209a8dd00..de5b58969f 100644 --- a/policy/modules/admin/usermanage.fc +++ b/policy/modules/admin/usermanage.fc 
@@ -5,7 +5,11 @@ ifdef(`distro_debian',` /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) +/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) +/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) +/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) +/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) @@ -15,6 +19,7 @@ ifdef(`distro_debian',` /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) +/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) @@ -41,6 +46,7 @@ ifdef(`distro_debian',` /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 7e71118c9f..4eb47f48f9 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te 
@@ -498,6 +498,7 @@ files_read_etc_runtime_files(useradd_t) fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) +fs_search_tmpfs(useradd_t) mls_file_upgrade(useradd_t) @@ -543,6 +544,7 @@ userdom_home_filetrans_user_home_dir(useradd_t) userdom_manage_user_home_content_dirs(useradd_t) userdom_manage_user_home_content_files(useradd_t) userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_relabel_user_home_content_files(useradd_t) optional_policy(` mta_manage_spool(useradd_t) diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc index e51e01d97c..238dc263ea 100644 --- a/policy/modules/apps/screen.fc +++ b/policy/modules/apps/screen.fc @@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) +/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc index f668cde9c0..c4bc509842 100644 --- a/policy/modules/apps/vlock.fc +++ b/policy/modules/apps/vlock.fc @@ -1,4 +1,5 @@ /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0) +/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0) /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index db1f1e1b35..e392789b9e 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -142,8 +142,10 @@ ifdef(`distro_gentoo',` /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -152,6 +154,8 @@ ifdef(`distro_gentoo',` /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -305,6 +309,8 @@ ifdef(`distro_debian',` /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 9a6f9d2d44..0f511c8308 100644 
--- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -171,6 +171,7 @@ HOME_ROOT/lost\+found/.* <> # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp -l gen_context(system_u:object_r:tmp_t,s0) /tmp/.* <> /tmp/\.journal <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index cdd19e82c2..66ddfeee2c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4743,6 +4743,7 @@ interface(`files_search_tmp',` ') allow $1 tmp_t:dir search_dir_perms; + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4779,6 +4780,7 @@ interface(`files_list_tmp',` ') allow $1 tmp_t:dir list_dir_perms; + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4815,6 +4817,7 @@ interface(`files_delete_tmp_dir_entry',` ') allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4833,6 +4836,7 @@ interface(`files_read_generic_tmp_files',` ') read_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4851,6 +4855,7 @@ interface(`files_manage_generic_tmp_dirs',` ') manage_dirs_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4887,6 +4892,7 @@ interface(`files_manage_generic_tmp_files',` ') manage_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4923,6 +4929,7 @@ interface(`files_rw_generic_tmp_sockets',` ') rw_sock_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## 
@@ -5130,6 +5137,7 @@ interface(`files_tmp_filetrans',` ') filetrans_pattern($1, tmp_t, $2, $3, $4) + allow $1 tmp_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 586cbbeedc..e2ecfce010 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -371,6 +371,11 @@ mls_process_read_all_levels(kernel_t) mls_process_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_use_all_levels(kernel_t) +# https://bugzilla.redhat.com/show_bug.cgi?id=667370 +mls_file_downgrade(kernel_t) +mls_key_write_all_levels(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index e5645c7c5b..6e9f654aca 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -335,9 +335,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; + type tty_device_t; ') + init_dontaudit_use_fds($1) dontaudit $1 console_device_t:chr_file rw_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') ######################################## diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 936381f250..2aef630852 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t) logging_watch_audit_log(sysadm_t) mls_process_read_all_levels(sysadm_t) +mls_file_read_all_levels(sysadm_t) +mls_process_write_to_clearance(sysadm_t) selinux_read_policy(sysadm_t) diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index 827363d888..e8412396d6 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc 
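Review bot: The four new MLS exemptions for kernel_t (`mls_socket_write_all_levels`, `mls_fd_use_all_levels`, `mls_file_downgrade`, `mls_key_write_all_levels`) are justified only by a bugzilla URL attached to one of them, and `mls_file_downgrade` in particular lets the kernel domain relabel files to a lower sensitivity, which is the operation an MLS deployment most wants to keep rare and accountable. As far as I can tell kernel_t is also the context early userspace runs in before the first domain transition, so the exemption is wider than the kernel proper. A one-line comment per grant naming the triggering operation would let an MLS deployer judge whether to keep it, e.g. `# downgrade: needed for the relabel described in bug 667370`; these are no-ops without enable_mls, so the MLS build is where this needs review. The kernel_t block continues outside the hunk.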
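Review bot: `term_dontaudit_use_console` now calls `init_dontaudit_use_fds($1)` and also dontaudits `tty_device_t`, neither of which the interface name or its unchanged summary promises, so every existing caller silently gains both. The init call is also a dependency from the kernel-layer terminal module into the system-layer init module, which refpolicy's layering otherwise avoids, and is the kind of thing that surfaces when modules are built or loaded separately. Suggest keeping this interface to `console_device_t` and having the callers that hit the tty and fd denials on this platform (presumably getty or login) call `init_dontaudit_use_fds` and a tty-specific interface themselves, or at minimum updating the interface summary to state the extra effects.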
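Review bot: `mls_file_read_all_levels(sysadm_t)` exempts the sysadm role from the MLS read constraint on files at every level regardless of the user's clearance, and `mls_process_write_to_clearance(sysadm_t)` relaxes writes up to it; together they make an MLS-enabled build treat sysadm_t much like a trusted subject, and the commit message (a squash from meta-selinux) gives no rationale. If a specific administrative task on that platform needs this, record it in a comment next to the rules, e.g. `# meta-selinux: needed for <task>; only effective with enable_mls`, and consider whether that task belongs to the secadm role or behind a tunable rather than the default sysadm policy. The sysadm_t block continues outside the hunk.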
@@ -1,4 +1,5 @@ /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) +/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc index df21fcc782..ce0166eddb 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) @@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) 
@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) +/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) + /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index 0a1d08d0f3..65b202962a 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc @@ -1,8 +1,10 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) +/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) 
@@ -25,6 +27,9 @@ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) +/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) +/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) + /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0) /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0) /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0) diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc index cd69ea5d5a..49ffe6f68d 100644 --- a/policy/modules/services/ntp.fc +++ b/policy/modules/services/ntp.fc @@ -25,6 +25,7 @@ /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) +/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc index f31a52cf8e..f9bf46870a 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc 
@@ -27,6 +27,17 @@ /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) + ifdef(`distro_redhat', ` /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) ') diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc index 382c067f95..0ecc5acc4a 100644 --- a/policy/modules/services/rngd.fc +++ b/policy/modules/services/rngd.fc @@ -1,4 +1,5 @@ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc index 75c2f0617d..fa881ba2ee 100644 --- a/policy/modules/services/rpc.fc +++ b/policy/modules/services/rpc.fc 
@@ -1,7 +1,9 @@
 /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
 /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 137c21ece6..105295a91c 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
 # Local policy
 #
-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
 # net_admin is for SO_SNDBUFFORCE
 dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t)
 miscfiles_read_localization(rpcbind_t)
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
 ifdef(`distro_debian',`
 term_dontaudit_use_unallocated_ttys(rpcbind_t)
 ')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 5c512e9720..0448c18774 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
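Review bot: `chown` is appended to rpcbind_t's capability set without the why-comment this file gives its other capability rule (`# net_admin is for SO_SNDBUFFORCE` two lines below) and outside the alphabetical order the rest of the set keeps. Write it as `allow rpcbind_t self:capability { chown dac_override setgid setuid sys_tty_config };` preceded by a comment naming the file or socket rpcbind changes ownership of. The `kill` capability appended to dhcpc_t's set in the sysnetwork.te hunk at `@@ -61,7 +61,7 @@` has the same two gaps.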
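Review bot: The added comment in the `@@ -73,6 +73,11 @@` hunk has a typo that makes it read as a guess: `# because the are running in different level.` should be `# because they run at different MLS levels.`. The comment names only nfsd_t, yet `mls_socket_read_all_levels`/`mls_socket_write_all_levels` exempt rpcbind_t for every peer at every level; if nfsd_t is the only case, say so in the comment so the scope of the exemption is reviewable.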
@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/ssh_host.*_key(\.pub)? -- gen_context(system_u:object_r:sshd_key_t,s0) /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) +/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 50efcff7bf..5cb48882c9 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -6,6 +6,7 @@ /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0) /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0) diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc index 301965892b..1394858350 100644 --- a/policy/modules/system/clock.fc +++ b/policy/modules/system/clock.fc @@ -3,3 +3,4 @@ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) +/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index 63423802d5..f8ceb60b00 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc 
@@ -58,7 +58,9 @@ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -72,10 +74,13 @@ /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -83,24 +88,30 @@ /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
/usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index bbc83a807f..f78ffb5ec9 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -68,6 +68,7 @@ files_read_etc_runtime_files(getty_t) files_read_etc_files(getty_t) files_search_spool(getty_t) files_dontaudit_search_var_lib(getty_t) +fs_search_tmpfs(getty_t) fs_search_auto_mountpoints(getty_t) fs_getattr_cgroup(getty_t) diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc index 83ddeb5730..cf523bc4c5 100644 --- a/policy/modules/system/hostname.fc +++ b/policy/modules/system/hostname.fc @@ -1 +1,3 @@ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) +/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) +/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index b7dba7fc84..b05fe183ce 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -48,6 +48,7 @@ ifdef(`distro_gentoo',` /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 53aca4b030..73d1c896b4 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -996,10 +996,11 @@ interface(`init_stream_connect',`
 #
 interface(`init_unix_stream_socket_connectto',`
 gen_require(`
- type init_t;
+ type init_t, initrc_t;
 ')
 allow $1 init_t:unix_stream_socket connectto;
+ allow $1 initrc_t:unix_stream_socket connectto;
 ')
 ########################################
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 799d23081c..34b8c92ee3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -234,6 +234,14 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 mls_process_set_level(init_t)
+mls_key_write_all_levels(init_t)
+
+# MLS trusted for lowering/raising the level of files
+mls_file_downgrade(init_t)
+mls_file_upgrade(init_t)
+
+# MLS trusted for reading from sockets at any level
+mls_socket_read_all_levels(init_t)
 # the following one is needed for libselinux:is_selinux_enabled()
 # otherwise the call fails and sysvinit tries to load the policy
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
index fc8d58507d..59e6e96014 100644
--- a/policy/modules/system/locallogin.fc
+++ b/policy/modules/system/locallogin.fc
@@ -2,4 +2,5 @@
 /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
 /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
 /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 3b0dea51b3..8957366b0e 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
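Review bot: `init_unix_stream_socket_connectto` now also grants `connectto` on initrc_t unix stream sockets, but the interface's summary (above this hunk, not visible here) presumably still describes connecting to init only, so every existing caller silently gains access to init-script listeners. Update the summary, e.g. `## Connect to init and init scripts with a unix stream socket.`, and name in a comment which initrc_t socket the callers need so a later reviewer can tell whether the wider grant is still required.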
@@ -24,6 +24,7 @@ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) +/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -52,6 +53,7 @@ ifdef(`distro_suse', ` /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) +/var/log -l gen_context(system_u:object_r:var_log_t,s0) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 8a4a05566b..1f1c29e15c 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -1072,10 +1072,12 @@ interface(`logging_append_all_inherited_logs',` interface(`logging_read_all_logs',` gen_require(` attribute logfile; + type var_log_t; ') files_search_var($1) allow $1 logfile:dir list_dir_perms; + allow $1 var_log_t:lnk_file read_lnk_file_perms; read_files_pattern($1, logfile, logfile) ') @@ -1113,10 +1115,12 @@ interface(`logging_watch_all_logs',` interface(`logging_exec_all_logs',` gen_require(` attribute logfile; + type var_log_t; ') files_search_var($1) allow $1 logfile:dir list_dir_perms; + allow $1 var_log_t:lnk_file read_lnk_file_perms; can_exec($1, logfile) ') 
@@ -1178,6 +1182,7 @@ interface(`logging_manage_generic_log_dirs',` files_search_var($1) allow $1 var_log_t:dir manage_dir_perms; + allow $1 var_log_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -1198,6 +1203,7 @@ interface(`logging_relabel_generic_log_dirs',` files_search_var($1) allow $1 var_log_t:dir relabel_dir_perms; + allow $1 var_log_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -1218,6 +1224,7 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; + allow $1 var_log_t:lnk_file read_lnk_file_perms; read_files_pattern($1, var_log_t, var_log_t) ') @@ -1319,6 +1326,7 @@ interface(`logging_manage_generic_logs',` files_search_var($1) manage_files_pattern($1, var_log_t, var_log_t) + allow $1 var_log_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -1337,6 +1345,7 @@ interface(`logging_watch_generic_logs_dir',` ') allow $1 var_log_t:dir watch; + allow $1 var_log_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index f10a1f6ba8..19bcac06c0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -169,6 +169,7 @@ dontaudit auditd_t auditd_etc_t:file map; manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t auditd_log_t:dir setattr; manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; allow auditd_t var_log_t:dir search_dir_perms; manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) @@ -222,6 +223,8 @@ miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory +mls_fd_use_all_levels(auditd_t) +mls_socket_write_all_levels(auditd_t) seutil_dontaudit_read_config(auditd_t) 
@@ -298,6 +301,7 @@ optional_policy(` allow audisp_remote_t self:capability { setpcap setuid }; allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; allow audisp_remote_t var_log_t:dir search_dir_perms; manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) @@ -420,6 +424,7 @@ files_search_spool(syslogd_t) # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; # for systemd but can not be conditional files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") @@ -442,6 +447,9 @@ allow syslogd_t syslogd_runtime_t:file map; manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) +mls_trusted_object(syslogd_runtime_t) + +kernel_read_crypto_sysctls(syslogd_t) kernel_read_system_state(syslogd_t) kernel_read_network_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) @@ -500,8 +508,13 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) +fs_search_tmpfs(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories +mls_file_read_all_levels(syslogd_t) +mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram +mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log +mls_fd_use_all_levels(syslogd_t) term_write_console(syslogd_t) # Allow syslog to a terminal diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 3da4d53548..77b84a0293 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te 
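Review bot: `mls_trusted_object(syslogd_runtime_t)` in the `@@ -442,6 +447,9 @@` hunk is the widest MLS exemption added to this file — objects of that type become writable from any level — yet it is the one new call without a comment, while the `@@ -500,8 +508,13 @@` hunk annotates each of its mls_* lines. Add a comment of the form `# syslogd runtime objects must be reachable from every level (<which object>)` naming the socket or file involved. `kernel_read_crypto_sysctls(syslogd_t)` in the same hunk is likewise unexplained and is placed ahead of the existing kernel_read_* group instead of with it.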
@@ -40,6 +40,7 @@ dontaudit kmod_t self:capability sys_admin;
 allow kmod_t self:udp_socket create_socket_perms;
 allow kmod_t self:rawip_socket create_socket_perms;
+allow kmod_t self:lockdown confidentiality;
 allow kmod_t self:key write;
 # Read module config and dependency information
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index bffc6b2f56..0d2ff91ac3 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -112,6 +112,7 @@ fs_dontaudit_write_all_image_files(mount_t)
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
+mls_process_write_to_clearance(mount_t)
 selinux_get_enforce_mode(mount_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 12e66aad94..5510f7fac8 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -69,6 +69,8 @@ mls_net_receive_all_levels(setrans_t)
 mls_socket_write_all_levels(setrans_t)
 mls_process_read_all_levels(setrans_t)
 mls_socket_read_all_levels(setrans_t)
+mls_fd_use_all_levels(setrans_t)
+mls_trusted_object(setrans_t)
 selinux_compute_access_vector(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 14505efe96..4ca1515246 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
 /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
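Review bot: `allow kmod_t self:lockdown confidentiality;` lets the module loader pass the kernel lockdown checks of the confidentiality class, which as far as I recall cover access such as reading kernel memory and tracing interfaces rather than module loading itself; the hunk does not say which operation produced the denial. Add a comment naming that operation, and if it is only a probe that fails harmlessly, prefer `dontaudit kmod_t self:lockdown confidentiality;` over granting the bypass. The udev.te hunk at `@@ -67,6 +67,8 @@` (`allow udev_t self:lockdown confidentiality;`) has the same gap.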
@@ -60,13 +61,16 @@ ifdef(`distro_redhat',` /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) @@ -84,6 +88,7 @@ ifdef(`distro_redhat',` /run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0) /run/netns -d gen_context(system_u:object_r:ifconfig_runtime_t,s0) /run/netns/[^/]+ -- <> +/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 47811a5543..cc429c39ee 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
@@ -61,7 +61,7 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config kill };
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -74,8 +74,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t self:netlink_generic_socket create_socket_perms;
 allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow dhcpc_t self:rawip_socket create_socket_perms;
 allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
+allow dhcpc_t self:unix_stream_socket connectto;
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -152,6 +154,7 @@ fs_getattr_all_fs(dhcpc_t)
 fs_getattr_nsfs_files(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
 fs_search_cgroup_dirs(dhcpc_t)
+fs_read_nsfs_files(dhcpc_t)
 term_dontaudit_use_all_ttys(dhcpc_t)
 term_dontaudit_use_all_ptys(dhcpc_t)
@@ -191,6 +194,7 @@ ifdef(`init_systemd',`
 optional_policy(`
 systemd_dbus_chat_resolved(dhcpc_t)
 ')
+ udev_read_runtime_files(dhcpc_t)
 ')
 optional_policy(`
@@ -370,7 +374,7 @@ userdom_read_all_users_state(ifconfig_t)
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
-ifdef(`distro_debian',`
+ifdef(`distro_debian',`fs_search_cgroup_dirs(systemd_backlight_t)
 term_dontaudit_use_unallocated_ttys(ifconfig_t)
 ')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 77a59c6621..cdd28ded1d 100644
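Review bot: `udev_read_runtime_files(dhcpc_t)` in the `@@ -191,6 +194,7 @@` hunk is added as a bare call inside the `ifdef(`init_systemd',` block, while the neighbouring `systemd_dbus_chat_resolved(dhcpc_t)` call is wrapped in `optional_policy(`; as far as I recall the file's other udev calls (outside this hunk) are wrapped the same way. Wrap it as `optional_policy(` / `udev_read_runtime_files(dhcpc_t)` / `')` so the module still links when udev is not present.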
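Review bot: The `@@ -370,7 +374,7 @@` hunk replaces `ifdef(`distro_debian',`` with `ifdef(`distro_debian',`fs_search_cgroup_dirs(systemd_backlight_t)`, which is clearly a stray paste: it glues a systemd_backlight_t rule onto the m4 opening line of ifconfig_t's Debian block, in a module where systemd_backlight_t is neither declared nor required, and the same rule already exists in systemd.te (it is visible as a context line of the `@@ -376,6 +376,11 @@` hunk there). Restore the line to `ifdef(`distro_debian',`` and drop this hunk entirely.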
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -58,7 +58,7 @@ template(`systemd_role_template',`
 allow $1_systemd_t self:process { getsched signal };
 allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
 corecmd_shell_domtrans($1_systemd_t, $3)
 corecmd_bin_domtrans($1_systemd_t, $3)
@@ -96,7 +96,11 @@ template(`systemd_role_template',`
 fs_manage_cgroup_files($1_systemd_t)
 fs_watch_cgroup_files($1_systemd_t)
+ files_watch_etc_dirs($1_systemd_t)
+ fs_getattr_xattr_fs($1_systemd_t)
+ kernel_dontaudit_getattr_proc($1_systemd_t)
+ kernel_read_network_state($1_systemd_t)
 # if systemd exists in the initrd, the journal socket stays labeled kernel_t
 # without this access, user services cannot log to the journal
 kernel_stream_connect($1_systemd_t)
@@ -196,6 +200,9 @@ template(`systemd_role_template',`
 xdg_read_config_files($1_systemd_t)
 xdg_read_data_files($1_systemd_t)
 ')
+
+ mls_file_read_all_levels($1_systemd_t)
+ mls_file_write_all_levels($1_systemd_t)
 ')
 ######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a7ed453e86..1e2dc1e398 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -10,7 +10,7 @@ policy_module(systemd)
 ## Enable support for systemd-tmpfiles to manage all non-security files.
 ##
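Review bot: Adding `noatsecure` to `$1_systemd_t $3:process` means the user's systemd instance execs into the user domain without the secure-exec (AT_SECURE) flag, so the dynamic loader keeps honouring caller-supplied environment such as LD_PRELOAD across the domain transition; the line carries no comment. That is tolerable only because $3 is the same user's own domain with no privilege gain, so say so: `# noatsecure: user services run as the same user, keep env across the transition`. If it was added to silence a denial rather than to fix a failing unit, `dontaudit` is the safer choice.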
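Review bot: `mls_file_read_all_levels($1_systemd_t)` and `mls_file_write_all_levels($1_systemd_t)` in the `@@ -196,6 +200,9 @@` hunk make every per-user systemd instance MLS-trusted for files at all levels, which is broader than what this same patch gives the system-side helpers in systemd.te (`mls_file_read_to_clearance` / `mls_file_write_to_clearance` on systemd_backlight_t and others). A user's manager should only need files within that user's clearance, so use the `*_to_clearance` pair here unless a specific unit needs more, and add a comment naming it.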

## -gen_tunable(systemd_tmpfiles_manage_all, false) +gen_tunable(systemd_tmpfiles_manage_all, true) ## ##

@@ -376,6 +376,11 @@ files_search_var_lib(systemd_backlight_t)
 fs_getattr_all_fs(systemd_backlight_t)
 fs_search_cgroup_dirs(systemd_backlight_t)
+fs_getattr_tmpfs(systemd_backlight_t)
+fs_getattr_cgroup(systemd_backlight_t)
+
+mls_file_read_to_clearance(systemd_backlight_t)
+mls_file_write_to_clearance(systemd_backlight_t)
 #######################################
 #
@@ -502,6 +507,7 @@ files_dontaudit_read_etc_runtime_files(systemd_generator_t)
 fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -539,6 +545,9 @@ term_use_unallocated_ttys(systemd_generator_t)
 udev_read_runtime_files(systemd_generator_t)
+mls_file_read_to_clearance(systemd_generator_t)
+mls_file_write_to_clearance(systemd_generator_t)
+
 ifdef(`distro_gentoo',`
 corecmd_shell_entry_type(systemd_generator_t)
 ')
@@ -729,6 +738,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
 # Allow reading /run/udev/data/+dmi:id
 udev_read_runtime_files(systemd_hostnamed_t)
+fs_getattr_tmpfs(systemd_hostnamed_t)
+fs_search_cgroup_dirs(systemd_hostnamed_t)
+fs_getattr_cgroup(systemd_hostnamed_t)
+
 optional_policy(`
 dbus_connect_system_bus(systemd_hostnamed_t)
 dbus_system_bus_client(systemd_hostnamed_t)
@@ -938,6 +951,10 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
 userdom_relabelto_user_runtime_dirs(systemd_logind_t)
 userdom_setattr_user_ttys(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
+domain_read_all_domains_state(systemd_logind_t)
+
+mls_file_read_to_clearance(systemd_logind_t)
+mls_file_write_to_clearance(systemd_logind_t)
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
 # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
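Review bot: `fs_getattr_tmpfs(systemd_backlight_t)` and `fs_getattr_cgroup(systemd_backlight_t)` are added two lines under `fs_getattr_all_fs(systemd_backlight_t)`, which as far as I recall from filesystem.if already allows `getattr` on every `filesystem_type`, tmpfs_t and cgroup_t included, so the new lines are redundant. The same pairing under an existing `fs_getattr_all_fs` appears for systemd_generator_t (`@@ -502,6 +507,7 @@`), for systemd_modules_load_t, systemd_networkd_t and systemd_resolved_t on the next physical line, for systemd_sysctl_t and systemd_tmpfiles_t after that, and for systemd_update_done_t in the `@@ -1802,6 +1854,9 @@` hunk. Drop them, or if they are kept deliberately (e.g. in case the all-fs grant is later narrowed), say so once in a comment.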
@@ -1073,6 +1090,10 @@ dev_read_sysfs(systemd_modules_load_t) files_mmap_read_kernel_modules(systemd_modules_load_t) files_read_etc_files(systemd_modules_load_t) +fs_getattr_tmpfs(systemd_modules_load_t) +fs_search_cgroup_dirs(systemd_modules_load_t) +fs_getattr_cgroup(systemd_modules_load_t) + fs_getattr_all_fs(systemd_modules_load_t) fs_search_all(systemd_modules_load_t) @@ -1128,6 +1149,8 @@ files_watch_root_dirs(systemd_networkd_t) files_list_runtime(systemd_networkd_t) fs_getattr_all_fs(systemd_networkd_t) +fs_getattr_tmpfs(systemd_networkd_t) +fs_getattr_cgroup(systemd_networkd_t) fs_search_cgroup_dirs(systemd_networkd_t) fs_read_nsfs_files(systemd_networkd_t) fs_watch_memory_pressure(systemd_networkd_t) @@ -1453,6 +1476,9 @@ init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir) fs_getattr_all_fs(systemd_rfkill_t) +mls_file_read_to_clearance(systemd_rfkill_t) +mls_file_write_to_clearance(systemd_rfkill_t) + kernel_getattr_proc(systemd_rfkill_t) kernel_read_kernel_sysctls(systemd_rfkill_t) @@ -1467,6 +1493,10 @@ udev_read_runtime_files(systemd_rfkill_t) systemd_log_parse_environment(systemd_rfkill_t) +fs_getattr_tmpfs(systemd_rfkill_t) +fs_search_cgroup_dirs(systemd_rfkill_t) +fs_getattr_cgroup(systemd_rfkill_t) + ######################################### # # Resolved local policy @@ -1508,6 +1538,8 @@ files_watch_runtime_dirs(systemd_resolved_t) files_list_runtime(systemd_resolved_t) fs_getattr_all_fs(systemd_resolved_t) +fs_getattr_tmpfs(systemd_resolved_t) +fs_getattr_cgroup(systemd_resolved_t) fs_search_cgroup_dirs(systemd_resolved_t) fs_search_tmpfs(systemd_resolved_t) fs_search_ramfs(systemd_resolved_t) @@ -1528,6 +1560,7 @@ optional_policy(` dbus_system_bus_client(systemd_resolved_t) dbus_watch_system_bus_runtime_dirs(systemd_resolved_t) dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t) + sysnet_dbus_chat_dhcpc(systemd_resolved_t) ') ######################################### 
@@ -1583,6 +1616,10 @@ seutil_read_file_contexts(systemd_sessions_t)
 systemd_log_parse_environment(systemd_sessions_t)
+fs_getattr_tmpfs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+fs_getattr_cgroup(systemd_sessions_t)
+
 ########################################
 #
 # sysctl local policy
@@ -1600,6 +1637,10 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
 files_read_etc_files(systemd_sysctl_t)
+fs_getattr_tmpfs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+fs_getattr_cgroup(systemd_sysctl_t)
+
 fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
@@ -1704,11 +1745,17 @@ files_relabelfrom_home(systemd_tmpfiles_t)
 files_relabelto_home(systemd_tmpfiles_t)
 files_relabelto_etc_dirs(systemd_tmpfiles_t)
 files_setattr_lock_dirs(systemd_tmpfiles_t)
+
+files_manage_non_auth_files(systemd_tmpfiles_t)
+files_relabel_non_auth_files(systemd_tmpfiles_t)
+
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_cgroup(systemd_tmpfiles_t)
 fs_getattr_all_fs(systemd_tmpfiles_t)
 fs_search_cgroup_dirs(systemd_tmpfiles_t)
@@ -1753,6 +1800,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
 systemd_log_parse_environment(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_downgrade(systemd_tmpfiles_t)
+mls_file_upgrade(systemd_tmpfiles_t)
+
 userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
 userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
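Review bot: `fs_search_cgroup_dirs(systemd_sysctl_t)` is added in the `@@ -1600,6 +1637,10 @@` hunk while the unchanged line `fs_search_cgroup_dirs(systemd_sysctl_t)` is visible as context two lines below; the same duplicate is added for systemd_tmpfiles_t in `@@ -1704,11 +1745,17 @@`, again with the existing call in context right under it. Duplicate calls compile but mislead the next reader into thinking the access was missing; drop the added lines.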
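Review bot: `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` in the `@@ -1704,11 +1745,17 @@` hunk are added unconditionally at column 0. As far as I recall these two calls are exactly what the `systemd_tmpfiles_manage_all` tunable gates in this file (its default is flipped to `true` in the `@@ -10,7 +10,7 @@` hunk of the same patch), so adding them here makes the boolean inert: an administrator who turns it off no longer removes the access. Keep them inside the `tunable_policy(`systemd_tmpfiles_manage_all',` block and, if the distribution wants the access on by default, change only the default.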
@@ -1802,6 +1854,9 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms; files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file) files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file) +fs_getattr_tmpfs(systemd_update_done_t) +fs_getattr_cgroup(systemd_update_done_t) + fs_getattr_all_fs(systemd_update_done_t) fs_search_cgroup_dirs(systemd_update_done_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 7898ff01c4..bc717e60cc 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -24,6 +24,8 @@ ifdef(`distro_debian',` /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) + ifdef(`distro_redhat',` /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index af9463a386..c80c5eda70 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -67,6 +67,8 @@ ifdef(`init_systemd',` # for systemd-udevd to rename interfaces allow udev_t self:netlink_route_socket nlmsg_write; +allow udev_t self:lockdown confidentiality; + can_exec(udev_t, udev_exec_t) allow udev_t udev_helper_exec_t:dir list_dir_perms; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 8c06366a9f..5df658498f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -2432,6 +2432,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` dontaudit $1 user_home_t:file relabel_file_perms; ') +######################################## +##
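Review bot: `allow udev_t self:lockdown confidentiality;` in the udev.te `@@ -67` hunk is added without a comment, unlike the neighbouring netlink rule which records why it exists. The lockdown confidentiality permission is coarse, covering every kernel-lockdown confidentiality hook rather than one device or file, so the comment should name the access that was denied, e.g. `# TODO(review): record which lockdown-protected read udev needs (denial message)`. Moving the line up beside the other `self:` rules would also keep the domain's self rules together instead of placing it between the netlink comment and `can_exec`.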

+## Relabel user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabel_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabel_file_perms; +') + ######################################## ## ## Read user home subdirectory symbolic links. From a787bfbadd40895498bbae4081f21959fa102e80 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 11:16:57 +0300 Subject: [PATCH 225/257] [refpolicy-targeted] Make unconfined_u the default selinux user Signed-off-by: Mykola Solianko --- config/appconfig-mcs/failsafe_context | 2 +- config/appconfig-mcs/seusers | 4 ++-- policy/modules/system/unconfined.te | 5 +++++ policy/users | 6 +++--- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context index 999abd9a3e..a50bde775c 100644 --- a/config/appconfig-mcs/failsafe_context +++ b/config/appconfig-mcs/failsafe_context @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers index ce614b41b8..c0903d98b3 100644 --- a/config/appconfig-mcs/seusers +++ b/config/appconfig-mcs/seusers @@ -1,2 +1,2 @@ -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index d116a1b9b5..32720f68fa 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te 
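Review bot: The seusers hunk (`@@ -1,2 +1,2`) maps both `root` and `__default__` to `unconfined_u`, and the failsafe_context hunk on this line switches the fallback to `unconfined_r:unconfined_t:s0` as well, so after this patch no login path lands in a confined user domain. That is the intended shape of a targeted configuration, but the patch has a subject line only and nothing records the decision; the rationale belongs in the commit message or beside the new role rules in unconfined.te. The userdomain.if hunk that ends on this line is unrelated to this patch and needs no change.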
@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; type unconfined_execmem_exec_t alias ada_exec_t; init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) role unconfined_r types unconfined_execmem_t; +role unconfined_r types unconfined_t; +role system_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; +allow unconfined_r system_r; ######################################## # diff --git a/policy/users b/policy/users index ca203758c2..e737cd9cc2 100644 --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no @@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',` # not in the sysadm_r. # ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) + gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) ',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) + gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) ') From 6f0667ec6ea1e091c00614a2d286f95df34caed7 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:47:28 +0300 Subject: [PATCH 226/257] [files.if] Allow manage /var/run dir Signed-off-by: Mykola Solianko --- policy/modules/kernel/files.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 66ddfeee2c..ad33afda37 100644 --- a/policy/modules/kernel/files.if 
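Review bot: The five role lines added in the unconfined.te `@@ -20` hunk (`role system_r types unconfined_t;`, `role_transition system_r unconfined_exec_t unconfined_r;` and the two-way `allow system_r unconfined_r; allow unconfined_r system_r;`) are appended under the unconfined_execmem declarations with no comment, although they are what lets system_r processes end up in unconfined_r. The policy/users hunk at `@@ -15` adds unconfined_r to `system_u` directly beneath the context comment stating that a user process should never be assigned the system identity, so a short note there explaining why the system identity now needs the unconfined role would keep the file's own documentation consistent. A header such as `# unconfined_r entry for targeted-style configurations (see seusers/failsafe_context)` above the role block would be enough.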
+++ b/policy/modules/kernel/files.if @@ -6152,6 +6152,24 @@ interface(`files_manage_var_lib_dirs',` allow $1 var_lib_t:dir manage_dir_perms; ') +######################################## +## +## manage var_run_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_run_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir manage_dir_perms; +') + ######################################## ## ## relabel var_lib_t dirs From 3e70ba7435534b47d3745ea1316602da13f3ab85 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:50:33 +0300 Subject: [PATCH 227/257] [filesystem.if] Allow manage efivarfs filesystems Signed-off-by: Mykola Solianko --- policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index cbaab2c869..51d24d74f4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2466,6 +2466,42 @@ interface(`fs_getattr_efivarfs',` allow $1 efivarfs_t:filesystem getattr; ') +######################################## +## +## Add entry dir of efivarfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_add_entry_dir_efivarfs',` + gen_require(` + type efivarfs_t; + ') + + allow $1 efivarfs_t:dir add_entry_dir_perms; +') + +######################################## +## +## Add read write file of efivarfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_file_efivarfs',` + gen_require(` + type efivarfs_t; + ') + + allow $1 efivarfs_t:file rw_file_perms; +') + ######################################## ## ## List dirs in efivarfs filesystem. From f9cf3713b746423c86f4be3c5fc2b8552ef13a8d Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:51:18 +0300 Subject: [PATCH 228/257] [kernel.if] Allow read kernel files 
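Review bot: `files_manage_var_run_dirs` in the `@@ -6152` hunk is written against `var_run_t`, while later hunks on this page use the runtime naming (`files_rw_runtime_files`, `files_read_runtime_files`, `files_list_runtime`), which suggests var_run_t is the legacy alias in this tree and a runtime-named manage interface may already exist; if it does, this parallel interface should be dropped in favour of it. Its summary `manage var_run_t dirs` should also be a sentence in the style of the neighbouring interfaces, e.g. `## Create, read, write, and delete runtime (/run) directories.`.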
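Review bot: `fs_rw_file_efivarfs` in the filesystem.if `@@ -2466` hunk grants write access to EFI variable files, which is firmware and boot configuration rather than ordinary file data, and the summary `Add read write file of efivarfs filesystems.` does not convey that. Suggest `## Read and write EFI variables exposed through efivarfs.` and, since the existing `fs_read_efivarfs_files` (called from aos.te later on this page) uses the `<verb>_efivarfs_files` form, naming these `fs_rw_efivarfs_files` and `fs_add_entry_efivarfs_dirs` for consistency. The hunk's first interface summary `Add entry dir of efivarfs filesystems.` needs the same rewording.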
Signed-off-by: Mykola Solianko --- policy/modules/kernel/kernel.if | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 6abcc1be6c..abad01022e 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -146,6 +146,26 @@ interface(`kernel_setpgid',` allow $1 kernel_t:process setpgid; ') +######################################## +## +## Read kernel files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_files',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:dir search_dir_perms; + allow $1 kernel_t:file read_file_perms; +') + + ######################################## ## ## Set the priority of kernel threads. From e406c3afd752f342d8fad88c83fb5294f70ea3f7 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:52:21 +0300 Subject: [PATCH 229/257] [dbus.if] Allow search udev dir Signed-off-by: Mykola Solianko --- policy/modules/services/dbus.if | 38 +++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index ee497809bb..5f3e54eb89 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -499,6 +499,24 @@ interface(`dbus_connect_system_bus',` allow $1 system_dbusd_t:dbus acquire_svc; ') +######################################## +## +## Search udev dir. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_search_dir',` + gen_require(` + type system_dbusd_t; + ') + + allow $1 system_dbusd_t:dir search_dir_perms; +') + ######################################## ## ## Send messages to the DBUS system bus. 
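Review bot: `kernel_read_files` in the kernel.if `@@ -146` hunk allows dir search and file read on `kernel_t`, but kernel_t is a process domain, so what this grants is reading the kernel threads' /proc/<pid> entries, not "kernel files" as the summary says; the same mismatch applies to `dbus_read_files` and `dnsmasq_read_files` on the next line, `init_read_script` in the init.if `@@ -2244` hunk and `syslogd_read_files` in the logging.if hunk. Refpolicy expresses this with `ps_process_pattern($1, kernel_t)` and names such interfaces `<module>_read_state` (aos.te on this page calls `init_read_state`, `udev_read_state`, `locallogin_read_state`); if reading process state is the intent, use that form and reword the summary to `## Read kernel thread process state (/proc/<pid>).`. The hunk also leaves two added blank lines before the next separator (`+') + +`), one more than the file's convention.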
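Review bot: The interface added in the dbus.if `@@ -499` hunk is named `udev_search_dir` and documented as `Search udev dir.`, yet it lives in dbus.if and grants `search_dir_perms` on `system_dbusd_t` dirs; the udev_ prefix both misdescribes the grant and collides with the udev module's interface namespace. It should carry the dbus_ prefix and say what it does, e.g. `dbus_search_system_bus_state` with `## Search the system bus daemon's process state directories.`, assuming the daemon's /proc entry is what is meant. The same prefix convention is broken by `syslogd_read_files` in logging.if and by the `files_getattr_search_aos_var_run_dir`, `files_mounton_aos_dirs` and `files_manage_quota_aos` interfaces added to aos.if further down this page, which should be `logging_` and `aos_` prefixed respectively.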
@@ -518,6 +536,26 @@ interface(`dbus_send_system_bus',` allow $1 system_dbusd_t:dbus send_msg; ') +######################################## +## +## Read the DBUS system files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_read_files',` + gen_require(` + type system_dbusd_t; + ') + + allow $1 system_dbusd_t:dir search_dir_perms; + allow $1 system_dbusd_t:file read_file_perms; + allow $1 system_dbusd_t:lnk_file read_lnk_file_perms; +') + ######################################## ## ## Unconfined access to DBUS system bus. From e704b9865ceb4038120f631e552cbed9e39bf00e Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:53:09 +0300 Subject: [PATCH 230/257] [dnsmasq.if] Allow read dnsmasq files Signed-off-by: Mykola Solianko --- policy/modules/services/dnsmasq.if | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if index 5bf375b185..51cbeae613 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if @@ -20,6 +20,26 @@ interface(`dnsmasq_domtrans',` domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) ') +######################################## +## +## Read dnsmasq files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dnsmasq_read_files',` + gen_require(` + type dnsmasq_t; + ') + + allow $1 dnsmasq_t:dir search_dir_perms; + allow $1 dnsmasq_t:file read_file_perms; + allow $1 dnsmasq_t:lnk_file read_lnk_file_perms; +') + ######################################## ## ## Execute the dnsmasq init script in From 9830562b14b30a762de2a7b53aaf9b627da6e9bb Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:54:12 +0300 Subject: [PATCH 231/257] [init] Allow read init script and search key Signed-off-by: Mykola Solianko --- policy/modules/system/init.if | 37 +++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 73d1c896b4..d3ab09f49d 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1156,6 +1156,24 @@ interface(`init_dontaudit_search_keys',` dontaudit $1 init_t:key search; ') +######################################## +## +## Attempts to search init keys. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_search_keys',` + gen_require(` + type init_t; + ') + + allow $1 init_t:key search; +') + ######################################## ## ## start service (systemd). @@ -2244,6 +2262,25 @@ interface(`init_write_script_pipes',` allow $1 initrc_t:fifo_file write; ') +######################################## +## +## Read an init script. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:dir search_dir_perms; + allow $1 initrc_t:file read_file_perms; +') + ######################################## ## ## Get the attribute of init script entrypoint files. From c352a9a014eae55de353c7fca40f70b09ae1e7a5 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:54:53 +0300 Subject: [PATCH 232/257] [logging.if] Allow read files from syslogd Signed-off-by: Mykola Solianko --- policy/modules/system/logging.if | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 1f1c29e15c..033b220a22 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
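Review bot: The summary of `init_search_keys` in the `@@ -1156` hunk reads `Attempts to search init keys.`, wording copied from the dontaudit interface above it; for an allow interface it should state the grant, `## Search init keys.`. `init_read_script` in the `@@ -2244` hunk targets `initrc_t`, which is the script-running domain rather than the script files' type, so its rules read initrc_t process state and not any script; if reading the scripts is the intent, the target should be `initrc_exec_t`, and if process state is the intent the name and summary should say so.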
@@ -727,6 +727,26 @@ interface(`logging_use_syslogd_fd', ` allow $1 syslogd_t:fd use; ') +######################################## +## +## Read files from syslogd. +## +## +## +## Domain allowed access. +## +## +# +interface(`syslogd_read_files',` + gen_require(` + type syslogd_t; + ') + + allow $1 syslogd_t:dir search_dir_perms; + allow $1 syslogd_t:file read_file_perms; + allow $1 syslogd_t:lnk_file read_lnk_file_perms; +') + ######################################## ## ## Allow domain to relabelto devlog sock_files From f51e6a3e31ab72f0d9db0ffbfdec0d499c336657 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 14 Sep 2022 10:55:25 +0300 Subject: [PATCH 233/257] [aos] Add policies for aos components Signed-off-by: Mykola Solianko --- policy/modules/system/aos.fc | 9 ++ policy/modules/system/aos.if | 58 ++++++++++ policy/modules/system/aos.te | 217 +++++++++++++++++++++++++++++++++++ 3 files changed, 284 insertions(+) create mode 100644 policy/modules/system/aos.fc create mode 100644 policy/modules/system/aos.if create mode 100644 policy/modules/system/aos.te diff --git a/policy/modules/system/aos.fc b/policy/modules/system/aos.fc new file mode 100644 index 0000000000..4aa13babe1 --- /dev/null +++ b/policy/modules/system/aos.fc @@ -0,0 +1,9 @@ +/usr/bin/aos_servicemanager -- gen_context(system_u:object_r:aos_exec_t,s0) +/usr/bin/aos_iamanager -- gen_context(system_u:object_r:aos_exec_t,s0) +/usr/bin/aos_communicationmanager -- gen_context(system_u:object_r:aos_exec_t,s0) +/usr/bin/aos_updatemanager -- gen_context(system_u:object_r:aos_exec_t,s0) +/usr/bin/aos_vis -- gen_context(system_u:object_r:aos_exec_t,s0) + +/var/aos(/.*)? gen_context(system_u:object_r:aos_var_run_t,s0) + +/etc/aos(/.*)? gen_context(system_u:object_r:aos_conf_t,s0) diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if new file mode 100644 index 0000000000..870f62f3d2 --- /dev/null +++ b/policy/modules/system/aos.if 
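Review bot: In the aos.fc hunk `/var/aos(/.*)?` is labeled `aos_var_run_t`, which the aos.te hunk further down this page declares via `files_runtime_file`, i.e. as volatile /run-style content, although the path lives under /var and the later quota interface treats it as persistent storage. `/etc/aos(/.*)?` -> `aos_conf_t` is declared the same way, so configuration files likely inherit the runtime-file attribute and any broad runtime grant in the policy would reach /etc/aos; `files_config_file(aos_conf_t)` and `files_type(aos_var_run_t)` (or a more specific files.if declaration for persistent /var data) would match what the labels mean. The `_var_run_t` suffix should then be reconsidered as well, since elsewhere in this tree it denotes /run content.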
@@ -0,0 +1,58 @@ +## policy for aos components + +######################################## +## +## Execute aos_exec_t in the aos domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aos_domtrans',` + gen_require(` + type aos_t, aos_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, aos_exec_t, aos_t) +') + +###################################### +## +## Execute aos in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`aos_exec',` + gen_require(` + type aos_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, aos_exec_t) +') + +######################################## +## +## Read aos var PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`aos_read_pid_files',` + gen_require(` + type aos_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, aos_var_run_t, aos_var_run_t) +') diff --git a/policy/modules/system/aos.te b/policy/modules/system/aos.te new file mode 100644 index 0000000000..cd47983964 --- /dev/null +++ b/policy/modules/system/aos.te 
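Review bot: `aos_read_pid_files` in this hunk calls `files_search_pids($1)` although the rest of the series already uses the runtime naming (`files_rw_runtime_files`, `files_read_runtime_files` appear in later hunks), so the legacy call should be replaced with `files_search_runtime($1)`, and the interface and its summary renamed to `aos_read_runtime_files` / `## Read aos runtime files.` for the same reason. The other two interfaces follow the refpolicy template correctly.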
@@ -0,0 +1,217 @@ +policy_module(aos, 1.0.0) + +######################################## +# +# Declarations +# + +type aos_t; +type aos_exec_t; +init_daemon_domain(aos_t, aos_exec_t) + +role aos_r; + +######################################## +# +# aos local policy +# +allow aos_t self:fifo_file rw_fifo_file_perms; +allow aos_t self:unix_stream_socket create_stream_socket_perms; +allow aos_t self:process { getsched signal setsched }; +allow aos_t self:unix_dgram_socket { bind create getattr setopt write }; +allow aos_t self:netlink_route_socket { bind create getattr nlmsg_read write read }; +allow aos_t self:tcp_socket { bind listen accept create getattr setopt connect getopt read write ioctl }; +allow aos_t self:udp_socket { bind listen accept create getattr setopt connect getopt read write ioctl }; +allow aos_t self:capability { dac_read_search net_admin net_raw chown fowner fsetid dac_override sys_module mknod ipc_lock }; +allow aos_t self:rawip_socket { create getopt setopt }; +allow aos_t self:netlink_netfilter_socket { bind create }; +allow aos_t self:netlink_route_socket { nlmsg_write setopt }; +allow aos_t self:packet_socket { create write }; +allow aos_t self:key { search write read }; +allow aos_t self:sem { create destroy unix_write associate read unix_read write }; + +allow aos_t aos_var_run_t:dir { manage_dir_perms mounton }; +allow aos_t aos_var_run_t:file { manage_file_perms map }; +allow aos_t aos_var_run_t:service { start stop enable disable status reload }; +allow aos_t aos_var_run_t:chr_file manage_chr_file_perms; +allow aos_t aos_conf_t:dir manage_dir_perms; +allow aos_t aos_conf_t:file manage_file_perms; + + + +files_read_usr_files(aos_t) +fs_add_entry_dir_efivarfs(aos_t) +fs_rw_file_efivarfs(aos_t) +fs_getattr_efivarfs(aos_t) +files_map_etc_files(aos_t) +files_manage_var_files(aos_t) +files_manage_var_dirs(aos_t) +files_manage_var_lib_dirs(aos_t) +files_manage_urandom_seed(aos_t) +files_rw_runtime_files(aos_t) +files_manage_var_run_dirs(aos_t) 
+mounton_runtime_files(aos_t) + +init_read_state(aos_t) +init_unix_stream_socket_connectto(aos_t) +init_search_keys(aos_t) +init_read_script(aos_t) + +syslogd_read_files(aos_t) +systemd_read_logind_state(aos_t) + +dnsmasq_read_files(aos_t) +dbus_read_files(aos_t) + +fs_getattr_nsfs(aos_t) +fs_unmount_nsfs(aos_t) + +udev_search_dir(aos_t) + +systemd_watch_journal_dirs(aos_t) + +corecmd_search_bin(aos_t) +corecmd_exec_shell(aos_t) +corecmd_exec_bin(aos_t) + +logging_send_syslog_msg(aos_t) +logging_search_logs(aos_t) + +systemd_manage_networkd_units(aos_t) +systemd_read_logind_state(aos_t) +systemd_tmpfilesd_managed(aos_t) +systemd_read_networkd_units(aos_t) +systemd_manage_journal_files(aos_t) + +dev_getattr_autofs_dev(aos_t) +dev_getattr_lvm_control(aos_t) +dev_read_cpuid(aos_t) +dev_rw_pmqos(aos_t) +dev_getattr_framebuffer_dev(aos_t) +dev_read_sysfs(aos_t) +dev_read_realtime_clock(aos_t) +dev_getattr_input_dev(aos_t) +dev_read_rand(aos_t) +dev_getattr_mouse_dev(aos_t) +dev_read_kmsg(aos_t) +dev_rw_loop_control(aos_t) +dev_read_raw_memory(aos_t) +dev_rw_wireless(aos_t) +dev_rw_generic_files(aos_t) +dev_getattr_all_chr_files(aos_t) +dev_getattr_fs(aos_t) +dev_read_urand(aos_t) +dev_write_urand(aos_t) +dev_read_urand(aos_t) +dev_rw_lvm_control(aos_t) + +corenet_rw_tun_tap_dev(aos_t) +corenet_rw_ppp_dev(aos_t) +term_use_ptmx(aos_t) + +modutils_exec(aos_t) +modutils_read_module_config(aos_t) +modutils_read_module_deps(aos_t) + +kernel_getattr_proc(aos_t) +kernel_read_network_state(aos_t) +kernel_read_kernel_sysctls(aos_t) +kernel_read_modprobe_sysctls(aos_t) +kernel_search_network_sysctl(aos_t) +kernel_read_net_sysctls(aos_t) +kernel_read_system_state(aos_t) +kernel_rw_vm_sysctls(aos_t) +kernel_read_vm_overcommit_sysctl(aos_t) +kernel_request_load_module(aos_t) +kernel_get_sysvipc_info(aos_t) +kernel_write_key(aos_t) +kernel_search_debugfs(aos_t) +kernel_getattr_unlabeled_dirs(aos_t) +kernel_load_module(aos_t) +files_mmap_read_kernel_modules(aos_t) 
+files_load_kernel_modules(aos_t) +kernel_read_files(aos_t) + +storage_getattr_fixed_disk_dev(aos_t) +storage_raw_read_fixed_disk(aos_t) +storage_getattr_removable_dev(aos_t) +storage_getattr_fuse_dev(aos_t) +storage_manage_fixed_disk(aos_t) + +udev_read_state(aos_t) +udev_read_runtime_files(aos_t) + +files_list_usr(aos_t) +files_getattr_var_lib_dirs(aos_t) +files_manage_generic_tmp_files(aos_t) +files_search_kernel_modules(aos_t) +files_read_etc_files(aos_t) +files_search_home(aos_t) +files_mounton_tmp(aos_t) +files_manage_generic_tmp_dirs(aos_t) +files_polyinstantiate_all(aos_t) +files_list_mnt(aos_t) +files_map_usr_files(aos_t) + +fs_getattr_cgroup(aos_t) +fs_get_xattr_fs_quotas(aos_t) +fs_set_xattr_fs_quotas(aos_t) +fs_getattr_tmpfs(aos_t) +fs_getattr_xattr_fs(aos_t) +fs_mount_xattr_fs(aos_t) +fs_mount_dos_fs(aos_t) +fs_unmount_dos_fs(aos_t) +fs_read_dos_files(aos_t) +fs_search_dos(aos_t) +fs_read_efivarfs_files(aos_t) +fs_read_nsfs_files(aos_t) +fs_unmount_nsfs(aos_t) + +miscfiles_read_generic_certs(aos_t) +miscfiles_read_man_cache(aos_t) +miscfiles_read_localization(aos_t) + +corenet_sctp_bind_generic_port(aos_t) +corenet_tcp_bind_generic_node(aos_t) +corenet_sctp_bind_all_unreserved_ports(aos_t) +corenet_tcp_bind_all_ports(aos_t) +corenet_tcp_connect_all_ports(aos_t) + +init_daemon_domain(aos_t, aos_exec_t) +init_dbus_chat(aos_t) + +iptables_admin(aos_t, aos_r) +logging_admin_syslog(aos_t, aos_r) +rngd_admin(aos_t, aos_r) +ntp_admin(aos_t, aos_r) +dnsmasq_admin(aos_t, aos_r) +init_admin(aos_t) + +domain_use_interactive_fds(aos_t) +sysnet_read_config(aos_t) +userdom_search_user_home_dirs(aos_t) +iptables_exec(aos_t) +fstools_exec(aos_t) +dnsmasq_domtrans(aos_t) +term_use_unallocated_ttys(aos_t) +dbus_system_bus_client(aos_t) +lvm_exec(aos_t) +unconfined_domain_noaudit(aos_t) +getty_domtrans(aos_t) +locallogin_read_state(aos_t) + + +######################################## +# +# aos_var local policy +# +type aos_var_run_t; +files_runtime_file(aos_var_run_t) + 
+ +######################################## +# +# aos_conf local policy +# +type aos_conf_t; +files_runtime_file(aos_conf_t) From 3d2afed9df1ab00da94d7817663c134408a334e9 Mon Sep 17 00:00:00 2001 From: Leonid Komarianskyi Date: Fri, 21 Jan 2022 10:49:50 +0200 Subject: [PATCH 234/257] [systemd] Allow getaatr access to cgroup domain Signed-off-by: Leonid Komarianskyi --- policy/modules/system/systemd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 1e2dc1e398..39fa6bf352 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1647,6 +1647,9 @@ fs_search_ramfs(systemd_sysctl_t) systemd_log_parse_environment(systemd_sysctl_t) +fs_getattr_cgroup(systemd_sessions_t) +fs_search_cgroup_dirs(systemd_sessions_t) + ######################################### # # Sysusers local policy From 3b953d8ddc9a53555c701b4cf6f74e473118ce47 Mon Sep 17 00:00:00 2001 From: Leonid Komarianskyi Date: Fri, 17 Dec 2021 17:38:21 +0200 Subject: [PATCH 235/257] [systemd_networkd_t] Allow reading var_t In case of ready-only rootfs, machine-id labeled as var_t. Signed-off-by: Leonid Komarianskyi --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 39fa6bf352..f44c0d2c53 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1144,6 +1144,7 @@ dev_write_kmsg(systemd_networkd_t) files_read_etc_files(systemd_networkd_t) files_read_etc_runtime_files(systemd_networkd_t) +files_read_var_files(systemd_networkd_t) files_watch_runtime_dirs(systemd_networkd_t) files_watch_root_dirs(systemd_networkd_t) files_list_runtime(systemd_networkd_t) From 8a377efbc7e442c0d821e8293e84b860aa915b25 Mon Sep 17 00:00:00 2001 From: Leonid Komarianskyi Date: Tue, 21 Dec 2021 14:06:56 +0200 Subject: [PATCH 236/257] [dnsmasq] Fix policies to use dnsmasq CNI plagin 
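Review bot: `unconfined_domain_noaudit(aos_t)` near the end of the aos.te hunk makes aos_t unconfined and suppresses its denial audits, which renders the long list of targeted allow rules above it dead weight and removes the only signal that would show which of them are actually needed; keep either that call or the fine-grained rules, not both. If the domain is meant to stay confined, the hunk also needs cleanup: `init_daemon_domain(aos_t, aos_exec_t)` is called twice, as are `dev_read_urand`, `fs_unmount_nsfs` and `systemd_read_logind_state`; `role aos_r;` is declared but never bound with `role aos_r types aos_t;`; and the `self:capability` set (`sys_module`, `net_admin`, `dac_override`, `mknod`) together with `kernel_load_module`, `dev_read_raw_memory` and `storage_raw_read_fixed_disk` each deserve a one-line why-comment. Calls into other loadable modules (`dnsmasq_*`, `iptables_*`, `rngd_admin`, `ntp_admin`, `lvm_exec`, `fstools_exec`, `getty_domtrans`, `modutils_*`, `udev_*`) should sit inside `optional_policy` blocks, as the dbus calls in the systemd_resolved_t section on this page do, so the module builds when those are absent. `allow aos_t aos_var_run_t:service { ... }` additionally applies service-class permissions to a file type, which is unlikely to be what was meant (TODO: confirm which unit this is for).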
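Review bot: The `fs_getattr_cgroup(systemd_sessions_t)` and `fs_search_cgroup_dirs(systemd_sessions_t)` lines in the systemd.te `@@ -1647` hunk are inserted into the systemd_sysctl_t section (the context lines are `systemd_log_parse_environment(systemd_sysctl_t)` and the Sysusers header), and the same two calls for systemd_sessions_t are already added by the `@@ -1583` hunk earlier on this page. This hunk is therefore a misplaced duplicate and can be dropped; if it must stay, it belongs in the Sessions block with the other systemd_sessions_t rules.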
Signed-off-by: Leonid Komarianskyi --- policy/modules/services/dnsmasq.te | 7 +++++++ policy/modules/system/systemd.if | 18 ++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 6d1799ba8f..8a29f7a3a3 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -49,6 +49,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) allow dnsmasq_t dnsmasq_var_log_t:file append_file_perms; allow dnsmasq_t dnsmasq_var_log_t:file create_file_perms; allow dnsmasq_t dnsmasq_var_log_t:file setattr_file_perms; + +files_read_runtime_files(dnsmasq_t) +systemd_read_resolved_dir(dnsmasq_t) +files_map_etc_files(dnsmasq_t) + +systemd_read_resolved_runtime(dnsmasq_t) + logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) manage_dirs_pattern(dnsmasq_t, dnsmasq_runtime_t, dnsmasq_runtime_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index cdd28ded1d..d25aaea78e 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -2447,6 +2447,24 @@ interface(`systemd_read_resolved_runtime',` read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t) ') +####################################### +## +## Allow to read and watch generated by systemd_resolved dirs +## +## +## +## domain allowed access +## +## +# +interface(`systemd_read_resolved_dir',` + gen_require(` + type systemd_resolved_runtime_t; + ') + + allow $1 systemd_resolved_runtime_t:dir { read watch }; +') + ######################################## ## ## Execute the systemctl program. From 1116aad1b720c5580789bf8d3fe810bb74fd690c Mon Sep 17 00:00:00 2001 From: Leonid Komarianskyi Date: Tue, 21 Dec 2021 17:29:15 +0200 Subject: [PATCH 237/257] [systemd] Allow systemd_generator get aos_var_run file attributes 
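Review bot: The four calls added in the dnsmasq.te `@@ -49` hunk are wedged between the `dnsmasq_var_log_t` append/create/setattr rules and the `logging_log_filetrans` line that completes that group, and `systemd_read_resolved_runtime(dnsmasq_t)` is separated from `systemd_read_resolved_dir(dnsmasq_t)` by an unrelated `files_map_etc_files` call. Move them below the log rules, keep the two `files_*` calls together, and put the two `systemd_*` calls in one `optional_policy` block if systemd is built as a loadable module in this configuration (not determinable from the hunk).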
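Review bot: `systemd_read_resolved_dir` in the systemd.if `@@ -2447` hunk allows only `{ read watch }` on `systemd_resolved_runtime_t` dirs, so a caller still lacks the `search`/`getattr`/`open` that listing a directory normally needs; the sibling `systemd_read_resolved_runtime` in the context uses `read_files_pattern`, and `list_dir_perms` plus `watch` would be the matching form here, e.g. `allow $1 systemd_resolved_runtime_t:dir { list_dir_perms watch };`. The header is also one `#` short of the 40 used elsewhere, and the summary `Allow to read and watch generated by systemd_resolved dirs` should read `## Read and watch systemd-resolved runtime directories.`.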
Signed-off-by: Leonid Komarianskyi --- policy/modules/system/aos.if | 19 +++++++++++++++++++ policy/modules/system/systemd.te | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if index 870f62f3d2..3942c474ad 100644 --- a/policy/modules/system/aos.if +++ b/policy/modules/system/aos.if @@ -56,3 +56,22 @@ interface(`aos_read_pid_files',` files_search_pids($1) read_files_pattern($1, aos_var_run_t, aos_var_run_t) ') + +######################################## +## +## Get attributes and search aos var run dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_search_aos_var_run_dir',` + gen_require(` + type aos_var_run_t; + ') + + allow $1 aos_var_run_t:dir { getattr search }; +') + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f44c0d2c53..2a7e3297ce 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -504,6 +504,7 @@ files_search_all_mountpoints(systemd_generator_t) files_list_usr(systemd_generator_t) files_dontaudit_getattr_all_dirs(systemd_generator_t) files_dontaudit_read_etc_runtime_files(systemd_generator_t) +files_getattr_search_aos_var_run_dir(systemd_generator_t) fs_list_efivars(systemd_generator_t) fs_getattr_all_fs(systemd_generator_t) From 93eefcf4b7039ca8083087e679ca6c916129b68f Mon Sep 17 00:00:00 2001 From: Leonid Komarianskyi Date: Tue, 4 Jan 2022 17:48:29 +0200 Subject: [PATCH 238/257] [mount] Allow mount access to var_aos Signed-off-by: Leonid Komarianskyi --- policy/modules/system/aos.if | 18 ++++++++++++++++++ policy/modules/system/mount.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if index 3942c474ad..aab8c6ae68 100644 --- a/policy/modules/system/aos.if +++ b/policy/modules/system/aos.if 
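Review bot: `files_getattr_search_aos_var_run_dir(systemd_generator_t)` in the systemd.te `@@ -504` hunk is called unconditionally, so the systemd module now requires the `aos_var_run_t` type from the new aos module and would presumably fail to load without it; the same applies to `files_mounton_aos_dirs(mount_t)` and `files_manage_quota_aos(quota_t)` on the next line of this page. Wrap each call in an `optional_policy` block, as the dbus calls in the systemd_resolved_t section on this page are. The interface added in the aos.if hunk above also spells out `{ getattr search }` where the rest of the file uses `search_dir_perms`, and its `files_` prefix should be `aos_` since it lives in aos.if.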
@@ -75,3 +75,21 @@ interface(`files_getattr_search_aos_var_run_dir',` allow $1 aos_var_run_t:dir { getattr search }; ') +######################################## +## +## mounton a /var/aos directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_aos_dirs',` + gen_require(` + type aos_var_run_t; + ') + + allow $1 aos_var_run_t:dir mounton; +') + diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 0d2ff91ac3..e90a8ee736 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -98,6 +98,7 @@ files_read_usr_files(mount_t) files_list_all_mountpoints(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) +files_mounton_aos_dirs(mount_t) fs_getattr_all_fs(mount_t) fs_mount_all_fs(mount_t) From 0d773842a68bc880f819c4447acd638a48ca4c27 Mon Sep 17 00:00:00 2001 From: Leonid Komarianskyi Date: Tue, 4 Jan 2022 18:16:06 +0200 Subject: [PATCH 239/257] [quota] Allow quota_t manage aos_var_run_t files Signed-off-by: Leonid Komarianskyi --- policy/modules/admin/quota.te | 1 + policy/modules/system/aos.if | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index aa6bed8290..b5b152fb16 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te @@ -47,6 +47,7 @@ files_usr_filetrans(quota_t, quota_db_t, file) files_var_filetrans(quota_t, quota_db_t, file) files_spool_filetrans(quota_t, quota_db_t, file) userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) +files_manage_quota_aos(quota_t) kernel_request_load_module(quota_t) kernel_list_proc(quota_t) diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if index aab8c6ae68..5876ce39df 100644 --- a/policy/modules/system/aos.if +++ b/policy/modules/system/aos.if 
@@ -93,3 +93,22 @@ interface(`files_mounton_aos_dirs',` allow $1 aos_var_run_t:dir mounton; ') +######################################## +## +## Manage quota files in /var/aos directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_quota_aos',` + gen_require(` + type aos_var_run_t; + ') + + allow $1 aos_var_run_t:dir { add_name remove_name write }; + allow $1 aos_var_run_t:file { create rename setattr write quotaon unlink }; +') + From f350ab63c7472d7efee3be924319f22375d360ae Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 11:00:33 +0300 Subject: [PATCH 240/257] [aos] Allow process execmem Signed-off-by: Mykola Solianko --- policy/modules/system/aos.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/aos.te b/policy/modules/system/aos.te index cd47983964..734af00d65 100644 --- a/policy/modules/system/aos.te +++ b/policy/modules/system/aos.te @@ -17,7 +17,7 @@ role aos_r; # allow aos_t self:fifo_file rw_fifo_file_perms; allow aos_t self:unix_stream_socket create_stream_socket_perms; -allow aos_t self:process { getsched signal setsched }; +allow aos_t self:process { getsched signal setsched execmem }; allow aos_t self:unix_dgram_socket { bind create getattr setopt write }; allow aos_t self:netlink_route_socket { bind create getattr nlmsg_read write read }; allow aos_t self:tcp_socket { bind listen accept create getattr setopt connect getopt read write ioctl }; From c943b26b330e109346446bd68041c53bd17bc5b1 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 11:09:20 +0300 Subject: [PATCH 241/257] [modutils] Allow modprobe dac_read_search Signed-off-by: Mykola Solianko --- policy/modules/system/logging.te | 3 +++ policy/modules/system/modutils.te | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 19bcac06c0..88b42a561d 100644 --- a/policy/modules/system/logging.te 
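Review bot: Adding `execmem` to `allow aos_t self:process { ... }` in the aos.te `@@ -17` hunk lets every binary labeled aos_exec_t (five of them per aos.fc) map writable and executable anonymous memory, which removes the W^X protection for the whole domain, and the commit does not say which component needs it. Please record it, e.g. `# execmem: needed by <component> runtime - TODO confirm`; if only one of the five binaries needs it, a separate domain for that binary would keep the others covered. aos_t also receives `unconfined_domain_noaudit` in the earlier aos.te hunk on this page, so it is worth checking whether this permission is already implied there and the line is redundant.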
+++ b/policy/modules/system/logging.te @@ -335,6 +335,7 @@ sysnet_dns_name_resolve(audisp_remote_t) allow klogd_t self:capability sys_admin; dontaudit klogd_t self:capability { sys_resource sys_tty_config }; allow klogd_t self:process signal_perms; +corecmd_bin_entry_type(klogd_t) manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) @@ -422,6 +423,8 @@ allow syslogd_t var_log_t:file map; rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) +corecmd_bin_entry_type(syslogd_t) + # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 77b84a0293..4b0a47df25 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -33,7 +33,7 @@ ifdef(`init_systemd',` # insmod local policy # -allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config }; allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; # for the radeon/amdgpu modules dontaudit kmod_t self:capability sys_admin; From 2c52ceaa09d07af27fbc543f7db576a7a62006e2 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 11:10:42 +0300 Subject: [PATCH 242/257] [unconfined] Allow systemd to watch utab Signed-off-by: Mykola Solianko --- policy/modules/system/unconfined.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 32720f68fa..e232a207f2 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te 
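Review bot: `corecmd_bin_entry_type(klogd_t)` in the `@@ -335` hunk and `corecmd_bin_entry_type(syslogd_t)` in the `@@ -422` hunk make every generic bin_t program a valid entrypoint for these daemon domains, so the domains are no longer tied to their own executables, and the patch subject ("[modutils] Allow modprobe dac_read_search") does not mention logging at all. If a particular logger binary is installed as a plain bin_t file, labeling that binary `syslogd_exec_t` / `klogd_exec_t` in logging.fc is the narrower fix; otherwise add a comment naming the executable, e.g. `# <binary> ships under /usr/bin without its own exec type - TODO confirm`.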
@@ -41,6 +41,7 @@ logging_send_syslog_msg(unconfined_t) logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) +mount_watch_reads_runtime_files(unconfined_t) seutil_run_setfiles(unconfined_t, unconfined_r) seutil_run_semanage(unconfined_t, unconfined_r) From 2c29efe1f6297a3ed872ab42ee5d96e696562e1f Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 11:14:20 +0300 Subject: [PATCH 243/257] [dnsmasq] Allow dnsmasq read search dac Signed-off-by: Mykola Solianko --- policy/modules/services/dnsmasq.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 8a29f7a3a3..9a4d8d1e73 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -32,7 +32,7 @@ logging_log_file(dnsmasq_var_log_t) # Local policy # -allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid }; +allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid dac_read_search }; dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; From 865fad0f83a2ab47fe07c766941045aad2d84d55 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 11:15:49 +0300 Subject: [PATCH 244/257] [selinuxutil] Allow read unlabeled_t link files Signed-off-by: Mykola Solianko --- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ policy/modules/system/selinuxutil.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index abad01022e..f0fac197d3 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
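Review bot: In the dnsmasq.te hunk `dac_read_search` is appended after `setuid` while the rest of the capability set is alphabetical, and the equivalent change to `kmod_t` in the previous patch inserts it in sorted position; keeping `{ chown dac_override dac_read_search net_admin net_raw setgid setuid }` sorted makes later diffs of this set easier to read. Since the set already contains `dac_override`, this should not widen what dnsmasq can reach, only stop the audit of the narrower check.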
@@ -2631,6 +2631,24 @@ interface(`kernel_associate_proc',`
 allow $1 proc_t:filesystem associate;
 ')
 
+########################################
+##
+## Read unlabeled symlinks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_link_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:lnk_file { read_lnk_file_perms ioctl lock };
+')
+
 ########################################
 ##
 ## Send a kill signal to unlabeled processes.
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f9b7350813..9f48d5fabc 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -592,6 +592,7 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 allow setfiles_t file_context_t:file map;
 
+kernel_read_link_unlabeled(setfiles_t)
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)

From 03730f76463f03b11f3fb1007c7fa4e22de90932 Mon Sep 17 00:00:00 2001
From: Mykola Solianko
Date: Wed, 7 Sep 2022 11:17:24 +0300
Subject: [PATCH 245/257] [aos.if] Allow quota for /var/aos filesystem

Signed-off-by: Mykola Solianko
---
 policy/modules/system/aos.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if
index 5876ce39df..90db8cb10e 100644
--- a/policy/modules/system/aos.if
+++ b/policy/modules/system/aos.if
@@ -110,5 +110,6 @@ interface(`files_manage_quota_aos',`
 
 allow $1 aos_var_run_t:dir { add_name remove_name write };
 allow $1 aos_var_run_t:file { create rename setattr write quotaon unlink };
+ allow $1 aos_var_run_t:filesystem { quotaget quotamod };
 ')
 

From ea16aeb7e36ee9745404152162a44eba9811105d Mon Sep 17 00:00:00 2001
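Review bot: The new interface name `kernel_read_link_unlabeled` does not follow the `kernel_<access>_unlabeled_<object>` pattern of its neighbours (`kernel_relabelfrom_unlabeled_dirs` and `kernel_relabelfrom_unlabeled_files` are called two lines below it in selinuxutil.te), so `kernel_read_unlabeled_symlinks` would be easier to find. The rule also grants `ioctl` and `lock` on top of `read_lnk_file_perms`; it mirrors the existing `setfiles_t` lnk_file line above it, but the summary only says "Read unlabeled symlinks", so either drop the two extra permissions or say why a symlink needs them. Restricting the caller to `setfiles_t` is the right scope, since it is one of the relabelling utilities that legitimately walks unlabeled content.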
From: Mykola Solianko Date: Wed, 7 Sep 2022 11:20:04 +0300 Subject: [PATCH 246/257] [mount] Allow relabeled aos_var_run_t Signed-off-by: Mykola Solianko --- policy/modules/system/aos.if | 17 +++++++++++++++++ policy/modules/system/mount.te | 1 + 2 files changed, 18 insertions(+) diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if index 90db8cb10e..a8eeda49de 100644 --- a/policy/modules/system/aos.if +++ b/policy/modules/system/aos.if @@ -113,3 +113,20 @@ interface(`files_manage_quota_aos',` allow $1 aos_var_run_t:filesystem { quotaget quotamod }; ') +######################################## +## +## Allow relabeled /var/aos directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_aos',` + gen_require(` + type aos_var_run_t; + ') + + allow $1 aos_var_run_t:filesystem { relabelfrom }; +') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index e90a8ee736..54bbcb5f1c 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -99,6 +99,7 @@ files_list_all_mountpoints(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) files_mounton_aos_dirs(mount_t) +files_relabel_aos(mount_t) fs_getattr_all_fs(mount_t) fs_mount_all_fs(mount_t) From 09c11778a13011e5c31f7b5557c9fd6a8bfee4b3 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 7 Sep 2022 11:25:12 +0300 Subject: [PATCH 247/257] [files.if] Allow kernal_t load rootfs module Signed-off-by: Mykola Solianko --- policy/modules/kernel/files.if | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ad33afda37..3838b416be 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
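Review bot: `files_relabel_aos` grants only `filesystem relabelfrom`, so the name and the summary ("Allow relabeled /var/aos directory.") overstate it; a context-changing mount would presumably also need `relabelto` on the destination type, and if that is deliberately left out the summary should say `## Allow relabeling away from the /var/aos filesystem.`. The braces around the single permission in `{ relabelfrom }` are unnecessary. The interface sits in aos.if, so it should carry the `aos_` prefix like `aos_domtrans` in the same file.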
@@ -4552,10 +4552,11 @@ interface(`files_kernel_modules_filetrans',`
 interface(`files_load_kernel_modules',`
 gen_require(`
 type modules_object_t;
+ type root_t;
 ')
 
 files_read_kernel_modules($1)
- allow $1 modules_object_t:system module_load;
+ allow $1 { modules_object_t root_t }:system module_load;
 ')
 
 ########################################
@@ -4571,10 +4572,11 @@ interface(`files_load_kernel_modules',`
 interface(`files_dontaudit_load_kernel_modules',`
 gen_require(`
 type modules_object_t;
+ type root_t;
 ')
 
 dontaudit $1 modules_object_t:file read_file_perms;
- dontaudit $1 modules_object_t:system module_load;
+ dontaudit $1 { modules_object_t root_t }:system module_load;
 ')
 
 ########################################

From b69cf2fd54b3d0a2ac1796cbe231e7cb1016b4f9 Mon Sep 17 00:00:00 2001
From: Leonid Komarianskyi
Date: Tue, 14 Dec 2021 15:58:24 +0200
Subject: [PATCH 248/257] [journald,mount] Allow using machine-id for ro rootfs

Signed-off-by: Leonid Komarianskyi
---
 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/logging.te | 1 +
 policy/modules/system/mount.te | 1 +
 3 files changed, 20 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d3ab09f49d..02fc2b169f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1632,6 +1632,24 @@ interface(`init_write_runtime_files', `
 allow $1 init_runtime_t:file write_file_perms;
 ')
 
+######################################
+##
+## Allow mount init runtime files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_mount_runtime_files', `
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ allow $1 init_runtime_t:file { getattr mounton };
+')
+
 ######################################
 ##
 ## Create init runtime files, e.g. in /run/systemd.
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 88b42a561d..4f2bee99d6 100644
--- a/policy/modules/system/logging.te
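Review bot: Allowing `module_load` on `root_t` lets every caller of `files_load_kernel_modules` load kernel modules from files carrying the root-directory type, not only from `modules_object_t`; `root_t` is the label of `/` itself and, presumably, of files created directly under it that get no more specific context, so this widens the set of acceptable module sources well beyond the modules tree. If the read-only rootfs ships modules at a path the modules file context does not cover, the narrower fix is an `.fc` entry labelling that path `modules_object_t`, and a comment on the rule naming the path that needed `root_t` (`# root_t: modules under <path> — TODO confirm`) would let a later reviewer remove it once relabelled. The same widening is mirrored in `files_dontaudit_load_kernel_modules` in the second hunk.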
+++ b/policy/modules/system/logging.te @@ -451,6 +451,7 @@ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) mls_trusted_object(syslogd_runtime_t) +init_read_runtime_files(syslogd_t) kernel_read_crypto_sysctls(syslogd_t) kernel_read_system_state(syslogd_t) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 54bbcb5f1c..b682111d24 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -47,6 +47,7 @@ dontaudit mount_t self:process setrlimit; allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms; +init_mount_runtime_files(mount_t) can_exec(mount_t, mount_exec_t) From 6d375b8cf220bb243f22728c14131a04cb25accf Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Thu, 8 Sep 2022 09:02:30 +0300 Subject: [PATCH 249/257] [README] Add how to edit SELinux Signed-off-by: Mykola Solianko --- README | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/README b/README index 1fdc4e5bef..c6773262ef 100644 --- a/README +++ b/README 
@@ -274,3 +274,100 @@ refresh Attempts to reinsert all modules that are currently xml Build a policy.xml from the XML included with the base policy headers and any XML in the modules in the current directory. + + +## How to work with SELinux +### Introduction + +Each process or resource (file, dir etc.) has a label (type) that describes what can be accessed. + +SELinux considers subject-access-object rule set. On a Linux system, subjects are processes, and object is the resource +on which an action is applied. + +Refpolicy contains the following file types: +1. **te** - (type enforcement) the file contains rules describing what the domain can do (labels of the subjects or objects). This file +does not say that this process can run another file, it just says that the process labeled A can read the file +labeled B. +2. **fc** - (file context) describes the security context (labels) on a file, directory, etc., which will be applied when the policy +is installed. By default, directories or files inherit the context of their parents, but the desired context could +be manually set using this file. +3. **if** - (interface file) creates the macros that other modules will use to gain access to the resources. + +SELinux can run in one of three modes: **disabled**, **permissive**, or **enforcing**. +Using the **disabled** mode means that no rules from the SELinux policy are applied and system is not protected. +Therefore, the disabled mode is not recommended. +In the **permissive** mode, SELinux is active, the security policy is loaded, the file system is labeled and access +denial entries are logged. However, the policy is not enforced and thus no access is actually denied. +In the **enforced** mode, the security policy is applied. Each access that is not explicitly allowed by the policy +is denied. 
+ +To be able to check SELinux for possible access denials, set the **permissive** mode in the **meta-aos-vm** +for **refpolicy-aos** recipe to the **DEFAULT_ENFORCING** variable. This will make it possible to use SELinux, +but in logging mode. + +To diagnose denials security policies, use the following command `journalctl | grep avc`, if the log contains +**avc: denied** that means it is an SELinux policy denial. This log will include a line like this: + +``` +AVC avc: denied { write } for pid=1248 comm="dnsmasq" name="dev-log" dev="tmpfs" ino=20945 +scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0 +``` + +- **scontext** - SELinux context of the process (source) that attempted the denied action +- **tcontext** - SELinux context of the object (target) the process attempted to access +- **comm** - name of the command that was used to access the target context name +- **tclass** - target object class +- **dev** - device on which the target resides +- **name** - name of the target +- can contained **path** - path to the object (target) the process attempted to access. + +The next step is to analyze the received log and find the corresponding **te** file by **scontext**, for example, +for **dnsmasq_t** there is a corresponding **dnsmasq.te** file and in this file a rule that allows +**scontext** to access **tcontext** has to be added. + +### Recommended steps for editing refpolicy + +To find the required **te** file where to add the rule, find a line declaring the **scontext** type +(label) as in example `type dnsmasq_t;`. Next, after the **Local policy comment**, add the desired rule. +Sometimes the rules are logically grouped, for example, there are rules for working with the `/etc` directory, etc. + +**It is important** that before adding a rule, look for a possible macro for **tcontext** declared in a +file with the **if** extension. 
To find the necessary file **if**, first find the corresponding **te** file +in which the label will be declared and then take the **if** file with the same name. For example, the +`syslogd_runtime_t` label is declared in the `logging.te` file, then the macro should be looked for in the +`logging.if` file. + +If some file or directory is marked with an incorrect label or `unlabeled_t`, then find the **te** +file where the label of interest is declared and take the file with the **fc** extension and declare the context for +the label of interest there. For example: + +``` +/usr/bin/aos_vis -- gen_context(system_u:object_r:aos_exec_t,s0) +``` + +which means that the `aos_vis` file will be labeled `aos_exec_t`, this is an executable process. + +To see what would be the correct or possible label in the `unlabeled_t`, run the `fixfiles -F -f relabel` +command or another command `restorecon`. After that the resource or process's will be labeled with proper context. + +**It is important** If a new label needs to be created, it is important to create three files **te, fc, if** with the name +of the label that with which is created. The **te** file that declares (or in which the new label is declared) should not +be empty whereas **fc**, **if** files can be empty. + +Sometimes, logs may contain denials security policies that are not very critical, for example, reading +file attribute or read a file that may not affect the system, or when login into the system being created +policies to denial write to the system log: + +``` +avc: denied { write } for pid=1034 comm="login" name="dev-log" dev="tmpfs" ino=20945 +scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 +tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0 +``` + +For these denials **rules may not be added** to the refpolicy if it is not necessary. + +After the corresponding security policy is added, it is necessary to build the refpolicy again through yocto. 
+ +**It is important** not to add a rule to the `unlabled_t` label, unless the `scontext` is one of the labeling utilities +like `fixfiles`. In this case, find the reason why this resource or process was not marked up and add the +appropriate label through the `fc` file or in another way. From 5cc8890b058bdc6138b142d7c017ef2da83fe570 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Thu, 8 Sep 2022 09:08:04 +0300 Subject: [PATCH 250/257] [systemd] Allow systemd-tmpfile map to /etc/group Signed-off-by: Mykola Solianko kernel: audit: type=1400 audit(1662573490.667:5): avc: denied { map } for pid=481 comm="systemd-tmpfile" path="/etc/group" dev="hda3" ino=180 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 2a7e3297ce..88354c52b3 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1737,6 +1737,7 @@ files_manage_var_lib_dirs(systemd_tmpfiles_t) files_manage_all_locks(systemd_tmpfiles_t) files_purge_tmp(systemd_tmpfiles_t) files_read_etc_files(systemd_tmpfiles_t) +files_map_etc_files(systemd_tmpfiles_t) files_read_etc_runtime_files(systemd_tmpfiles_t) files_relabel_config_dirs(systemd_tmpfiles_t) files_relabel_config_files(systemd_tmpfiles_t) From 6948b20b18623786c48606367c16989f88e50572 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Fri, 9 Sep 2022 10:13:48 +0300 Subject: [PATCH 251/257] [logging] Allow klogd write into dev-log AVC avc: denied { write } for pid=1027 comm="klogd" name="dev-log" dev="tmpfs" ino=21129 scontext=system_u:system_r:klogd_t:s0 context=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0 Signed-off-by: Mykola Solianko --- policy/modules/system/logging.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4f2bee99d6..933f9ff6f9 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -366,6 +366,7 @@ files_read_etc_runtime_files(klogd_t)
 files_read_etc_files(klogd_t)
 
 logging_send_syslog_msg(klogd_t)
+logging_manage_runtime_sockets(klogd_t)
 
 miscfiles_read_localization(klogd_t)
 

From f44cf4552f896598839476661ce067837ba2acf8 Mon Sep 17 00:00:00 2001
From: Mykola Solianko
Date: Fri, 9 Sep 2022 21:26:00 +0300
Subject: [PATCH 252/257] [container] Allow containers works with host filesystem

Signed-off-by: Mykola Solianko
---
 policy/modules/kernel/files.if | 19 +++++++++++++++++++
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 policy/modules/services/container.te | 11 +++++++++++
 policy/modules/system/aos.if | 28 +++++++++++++++++++++++-----
 policy/modules/system/systemd.te | 1 +
 5 files changed, 72 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3838b416be..f72667f9f1 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6691,6 +6691,25 @@ interface(`files_dontaudit_getattr_runtime_dirs',`
 dontaudit $1 var_run_t:dir getattr;
 ')
 
+########################################
+##
+## mounton a files of the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mounton_runtime_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:file mounton;
+')
+
+
 ########################################
 ##
 ## mounton a /var/run directory.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f0fac197d3..1d0a304e0b 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
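Review bot: `logging_manage_runtime_sockets(klogd_t)` grants what is presumably the full manage set (create, delete, rename) on syslogd runtime sock files, while the AVC quoted in the commit message only needs `write` on the `dev-log` socket; a write-only interface (this series later adds `write_logging_runtime_dirs`, which grants exactly `sock_file write`) would match the denial without letting klogd replace the syslog socket. `logging_send_syslog_msg(klogd_t)` is already on the line above, so it is worth checking why it did not cover the socket write before stacking a second rule on top of it.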
@@ -1383,6 +1383,24 @@ interface(`kernel_read_core_if',` typeattribute $1 can_dump_kernel; ') +######################################## +## +## Allows getting attribute and mount the core kernel interface. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_getattr_mount_core_if',` + gen_require(` + type proc_kcore_t; + ') + + allow $1 proc_kcore_t:file { mounton getattr }; +') + ######################################## ## ## Allow caller to read kernel messages diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index a5ad4686d0..f66575812c 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -796,6 +796,17 @@ optional_policy(` allow container_engine_system_domain container_domain:process { sigkill signal signull transition }; allow container_engine_system_domain container_domain:key { create search setattr view }; +files_read_runtime_files(container_engine_system_domain) +domain_setpriority_all_domains(container_engine_system_domain) +aos_read_pid_files(container_engine_system_domain) +files_mounton_aos_dirs(container_engine_system_domain) +manage_aos_var_run_dir(container_engine_system_domain) +files_manage_quota_aos(container_engine_system_domain) +kernel_getattr_mount_core_if(container_engine_system_domain) +use_aos_fd(container_engine_system_domain) +files_mounton_runtime_dirs(container_engine_system_domain) +mounton_runtime_files(container_engine_system_domain) + ps_process_pattern(container_engine_system_domain, container_system_domain) allow container_system_domain container_engine_system_domain:fd use; allow container_system_domain container_engine_system_domain:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if index a8eeda49de..5c72a8b7fe 100644 --- a/policy/modules/system/aos.if +++ b/policy/modules/system/aos.if 
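Review bot: The block added to `container_engine_system_domain` gives the engine `domain_setpriority_all_domains`, `mounton` on `/proc/kcore` via `kernel_getattr_mount_core_if`, and `files_manage_quota_aos`, and each of these is a separate privilege that the hunk does not explain; the commit message only says "works with host filesystem". A one-line comment above each call naming the engine operation that needs it (e.g. `# kcore is masked by mounting over it` and `# setpriority: renice of container processes — TODO confirm`) would make them auditable later. `kernel_getattr_mount_core_if` is also a misleading name for a rule granting `file { mounton getattr }` on `proc_kcore_t`; `kernel_mounton_core_if` would follow the pattern of its neighbour `kernel_read_core_if`.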
@@ -19,6 +19,24 @@ interface(`aos_domtrans',` domtrans_pattern($1, aos_exec_t, aos_t) ') +######################################## +## +## Use aos fd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`use_aos_fd',` + gen_require(` + type aos_t; + ') + + allow $1 aos_t:fd use; +') + ###################################### ## ## Execute aos in the caller domain. @@ -53,13 +71,13 @@ interface(`aos_read_pid_files',` type aos_var_run_t; ') - files_search_pids($1) + files_search_runtime($1) read_files_pattern($1, aos_var_run_t, aos_var_run_t) ') ######################################## ## -## Get attributes and search aos var run dirs. +## Manage aos var run dirs. ## ## ## @@ -67,12 +85,12 @@ interface(`aos_read_pid_files',` ## ## # -interface(`files_getattr_search_aos_var_run_dir',` +interface(`manage_aos_var_run_dir',` gen_require(` type aos_var_run_t; ') - allow $1 aos_var_run_t:dir { getattr search }; + allow $1 aos_var_run_t:dir { add_entry_dir_perms read }; ') ######################################## @@ -109,7 +127,7 @@ interface(`files_manage_quota_aos',` ') allow $1 aos_var_run_t:dir { add_name remove_name write }; - allow $1 aos_var_run_t:file { create rename setattr write quotaon unlink }; + allow $1 aos_var_run_t:file { manage_file_perms quotaon exec_file_perms }; allow $1 aos_var_run_t:filesystem { quotaget quotamod }; ') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 88354c52b3..80aec24d8f 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -505,6 +505,7 @@ files_list_usr(systemd_generator_t) files_dontaudit_getattr_all_dirs(systemd_generator_t) files_dontaudit_read_etc_runtime_files(systemd_generator_t) files_getattr_search_aos_var_run_dir(systemd_generator_t) +manage_aos_var_run_dir(systemd_generator_t) fs_list_efivars(systemd_generator_t) fs_getattr_all_fs(systemd_generator_t) From f15e9dcb09b8513718c354c154cddf3712111720 Mon Sep 17 00:00:00 2001 
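Review bot: `files_getattr_search_aos_var_run_dir` is renamed to `manage_aos_var_run_dir` in aos.if here, but the systemd.te hunk in the same commit keeps the context line `files_getattr_search_aos_var_run_dir(systemd_generator_t)` and only adds the new call next to it, so the policy no longer builds at this commit; the stale call is removed only in the following patch, which should be squashed into this one. The rename also changes meaning, from `{ getattr search }` to `{ add_entry_dir_perms read }`, so every existing caller is silently upgraded to creating entries in the directory. Separately, `files_manage_quota_aos` now grants `exec_file_perms` on `aos_var_run_t` files, which has nothing to do with quotas; executing files out of a runtime directory is a distinct privilege and belongs in its own interface (e.g. `aos_exec_runtime_files`) so that callers that only manage quotas do not inherit it.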
From: Mykola Solianko Date: Sat, 10 Sep 2022 10:05:53 +0300 Subject: [PATCH 253/257] [dnsmasq] Allow write syslog to runtime dirs Signed-off-by: Mykola Solianko --- policy/modules/services/dnsmasq.te | 1 + policy/modules/services/rpc.te | 4 ++++ policy/modules/system/init.if | 37 +++++++++++++++++++++++++++++ policy/modules/system/logging.if | 33 +++++++++++++++++++++++++ policy/modules/system/mount.te | 4 ++++ policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te | 1 - 7 files changed, 80 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 9a4d8d1e73..87543cedf9 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -99,6 +99,7 @@ fs_search_auto_mountpoints(dnsmasq_t) auth_use_nsswitch(dnsmasq_t) logging_send_syslog_msg(dnsmasq_t) +write_logging_runtime_dirs(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index e6eea666e2..bfe7126173 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -280,6 +280,8 @@ seutil_dontaudit_search_config(rpcd_t) userdom_signal_all_users(rpcd_t) +write_logging_runtime_dirs(rpcd_t) + ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) ') @@ -351,6 +353,8 @@ storage_raw_read_removable_device(nfsd_t) miscfiles_read_public_files(nfsd_t) +write_logging_runtime_dirs(nfsd_t) + tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) ') diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 02fc2b169f..effd217538 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -3057,6 +3057,43 @@ interface(`init_manage_utmp',` allow $1 initrc_runtime_t:file manage_file_perms; ') +######################################## +## +## Create, read, write, and delete utmp dir. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_manage_dir_utmp',` + gen_require(` + type initrc_runtime_t; + ') + + files_search_runtime($1) + allow $1 initrc_runtime_t:dir manage_dir_perms; +') + +######################################## +## +## Remove chr file perms from utmp. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_remove_chr_file_utmp',` + gen_require(` + type initrc_runtime_t; + ') + + allow $1 initrc_runtime_t:chr_file delete_chr_file_perms; +') + ######################################## ## ## Add a watch on utmp. diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 033b220a22..70a2b47b2a 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -865,6 +865,39 @@ interface(`logging_watch_runtime_dirs',` allow $1 syslogd_runtime_t:dir watch; ') +######################################## +## +## Allow write to syslog runtime dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`write_logging_runtime_dirs',` + gen_require(` + type syslogd_runtime_t; + ') + + allow $1 syslogd_runtime_t:sock_file write; +') + +######################################## +## +## Create, read, write, and delete syslog PID sockets. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_manage_pid_sockets',` + refpolicywarn(`$0($*) has been deprecated, please use logging_manage_runtime_sockets() instead.') + logging_manage_runtime_sockets($1) +') + ######################################## ## ## Create, read, write, and delete syslog PID sockets. diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index b682111d24..b394d59c5e 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
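Review bot: `write_logging_runtime_dirs` grants `syslogd_runtime_t:sock_file write`, so both halves of the name are wrong: the object is a socket, not a directory, and it lacks the `logging_` prefix every other interface in logging.if carries; `logging_write_runtime_sockets` would line up with `logging_manage_runtime_sockets`, which the deprecated shim below it points at. Re-adding `logging_manage_pid_sockets` as a `refpolicywarn` wrapper is not explained in the commit message; if nothing in this tree calls it, drop it rather than reintroduce a deprecated name. In the init.if hunk, `init_remove_chr_file_utmp` grants `delete_chr_file_perms` on `initrc_runtime_t`, a type used for more than utmp, so the `utmp` in its name and summary understates its scope.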
@@ -138,6 +138,10 @@ init_dontaudit_getattr_initctl(mount_t)
 init_dontaudit_read_state(mount_t)
 init_dontaudit_write_runtime_socket(mount_t)
 
+init_manage_dir_utmp(mount_t)
+init_manage_utmp(mount_t)
+init_remove_chr_file_utmp(mount_t)
+
 logging_send_syslog_msg(mount_t)
 
 miscfiles_read_localization(mount_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index cc429c39ee..5b33368878 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -374,7 +374,7 @@ userdom_read_all_users_state(ifconfig_t)
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
 
-ifdef(`distro_debian',`fs_search_cgroup_dirs(systemd_backlight_t)
+ifdef(`distro_debian',`
 term_dontaudit_use_unallocated_ttys(ifconfig_t)
 ')
 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 80aec24d8f..f932c28f95 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -504,7 +504,6 @@ files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 files_dontaudit_getattr_all_dirs(systemd_generator_t)
 files_dontaudit_read_etc_runtime_files(systemd_generator_t)
-files_getattr_search_aos_var_run_dir(systemd_generator_t)
 manage_aos_var_run_dir(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)

From 571183090b2e3fba514404807a7c18bb70ba5a5f Mon Sep 17 00:00:00 2001
From: Mykola Solianko
Date: Mon, 14 Aug 2023 10:38:39 +0300
Subject: [PATCH 254/257] Add rules for login into system
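Review bot: `init_manage_dir_utmp(mount_t)` and `init_manage_utmp(mount_t)` give mount full create/delete access on `initrc_runtime_t` dirs and files, i.e. generic init-managed content under /run, which is far more than a mount helper normally touches; a comment stating which mount operation needs it (`# TODO: which mount unit writes initrc_runtime_t content?`) would help, and if it is a single path a dedicated type would keep the rest of that content out of reach. The sysnetwork.te hunk repairs an `ifdef(`distro_debian',`` line that had `fs_search_cgroup_dirs(systemd_backlight_t)` fused onto it, and the systemd.te hunk removes the stale `files_getattr_search_aos_var_run_dir` call left by the previous patch; both are fixes for earlier breakage unrelated to the dnsmasq subject and belong in the commits that introduced it.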
Signed-off-by: Mykola Solianko --- policy/modules/services/dbus.if | 19 +++++++++++ policy/modules/services/dbus.te | 2 ++ policy/modules/services/ssh.te | 7 ++++ policy/modules/system/getty.te | 1 + policy/modules/system/locallogin.te | 53 +++++++++++++++-------------- policy/modules/system/logging.te | 1 + policy/modules/system/unconfined.if | 18 ++++++++++ policy/modules/system/userdomain.fc | 1 + policy/modules/system/userdomain.if | 18 ++++++++++ 9 files changed, 95 insertions(+), 25 deletions(-) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 5f3e54eb89..7e61c42d34 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -637,6 +637,25 @@ interface(`dbus_use_system_bus_fds',` allow $1 system_dbusd_t:fd use; ') +######################################## +## +## Allow DBUS system bus to write to its own sockets. +## file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_write_system_bus_sockets',` + gen_require(` + type system_dbusd_t; + ') + + allow $1 system_dbusd_t:sock_file write; +') + ######################################## ## ## Do not audit attempts to read and diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 4c6e5d7f13..9c08bae9a5 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -186,6 +186,8 @@ userdom_dontaudit_search_user_home_dirs(system_dbusd_t) # read a file in ~/.local/share userdom_read_user_home_content_files(system_dbusd_t) +write_logging_runtime_dirs(system_dbusd_t) + ifdef(`init_systemd', ` # gdm3 causes system_dbusd_t to want this access dev_rw_dri(system_dbusd_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index a93f2447d9..0d42a2c923 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
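Review bot: The summary of `dbus_write_system_bus_sockets` reads "Allow DBUS system bus to write to its own sockets. file descriptors.", which is both garbled and backwards: the rule lets the caller `$1` write to `system_dbusd_t` sock files, not the bus write to itself. Replace it with `## Write to the system DBUS socket files.` and drop the stray "file descriptors." line. `dbus_use_system_bus_fds` directly above shows the expected wording.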
@@ -254,6 +254,10 @@ term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) term_relabelto_all_ptys(sshd_t) +write_logging_runtime_dirs(sshd_t) +files_read_var_files(sshd_t) +domain_transition_to_unconfined(sshd_t) + # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -367,6 +371,9 @@ miscfiles_read_localization(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +files_manage_var_dirs(ssh_keygen_t) +files_manage_var_files(ssh_keygen_t) + optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) ') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index f78ffb5ec9..6e454de25d 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -98,6 +98,7 @@ locallogin_domtrans(getty_t) logging_send_syslog_msg(getty_t) miscfiles_read_localization(getty_t) +write_logging_runtime_dirs(getty_t) ifdef(`distro_gentoo',` # Gentoo default /etc/issue makes agetty diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 89311a323d..45b9ce02af 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -33,8 +33,8 @@ role system_r types sulogin_t; # allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -dontaudit local_login_t self:capability net_admin; -allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; +# dontaudit local_login_t self:capability net_admin; +allow local_login_t self:process { getcap setcap setexec setrlimit setsched setpgid signal }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; 
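Review bot: `domain_transition_to_unconfined(sshd_t)` allows sshd to transition into `unconfined_t` with `siginh`, `noatsecure` and `rlimitinh`, which means an SSH session can land in a domain the policy does not confine at all; that is a policy-wide decision the commit message ("Add rules for login into system") does not justify, and the existing `unconfined_*` interfaces in unconfined.if are the usual place to express it if it is really wanted. `noatsecure` additionally turns off the secure-exec (AT_SECURE) handling on that transition, so if the rule is kept it should say why each of the three extra permissions is needed. The `files_manage_var_dirs`/`files_manage_var_files` pair for `ssh_keygen_t` likewise grants write access to all generic `var_t` content; a comment naming the path that needed it (`# TODO: path under /var written by ssh-keygen`) or a filetrans to the key type would be tighter.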
@@ -77,22 +77,22 @@ dev_getattr_power_mgmt_dev(local_login_t) dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) -dev_dontaudit_getattr_acpi_bios_dev(local_login_t) -dev_dontaudit_setattr_acpi_bios_dev(local_login_t) -dev_dontaudit_read_framebuffer(local_login_t) -dev_dontaudit_setattr_framebuffer_dev(local_login_t) -dev_dontaudit_getattr_generic_blk_files(local_login_t) -dev_dontaudit_setattr_generic_blk_files(local_login_t) -dev_dontaudit_getattr_generic_chr_files(local_login_t) -dev_dontaudit_setattr_generic_chr_files(local_login_t) -dev_dontaudit_setattr_generic_symlinks(local_login_t) -dev_dontaudit_getattr_misc_dev(local_login_t) -dev_dontaudit_setattr_misc_dev(local_login_t) -dev_dontaudit_getattr_scanner_dev(local_login_t) -dev_dontaudit_setattr_scanner_dev(local_login_t) -dev_dontaudit_search_sysfs(local_login_t) -dev_dontaudit_getattr_video_dev(local_login_t) -dev_dontaudit_setattr_video_dev(local_login_t) +# dev_dontaudit_getattr_acpi_bios_dev(local_login_t) +# dev_dontaudit_setattr_acpi_bios_dev(local_login_t) +# dev_dontaudit_read_framebuffer(local_login_t) +# dev_dontaudit_setattr_framebuffer_dev(local_login_t) +# dev_dontaudit_getattr_generic_blk_files(local_login_t) +# dev_dontaudit_setattr_generic_blk_files(local_login_t) +# dev_dontaudit_getattr_generic_chr_files(local_login_t) +# dev_dontaudit_setattr_generic_chr_files(local_login_t) +# dev_dontaudit_setattr_generic_symlinks(local_login_t) +# dev_dontaudit_getattr_misc_dev(local_login_t) +# dev_dontaudit_setattr_misc_dev(local_login_t) +# dev_dontaudit_getattr_scanner_dev(local_login_t) +# dev_dontaudit_setattr_scanner_dev(local_login_t) +# dev_dontaudit_search_sysfs(local_login_t) +# dev_dontaudit_getattr_video_dev(local_login_t) +# dev_dontaudit_setattr_video_dev(local_login_t) domain_read_all_entry_files(local_login_t) 
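Review bot: The `dev_dontaudit_*` calls for `local_login_t` are commented out with `#` rather than deleted, leaving sixteen dead lines in the policy; if the intent is to see the previously suppressed denials while debugging, that is a temporary state that should not be committed, and if they are meant to go, remove them so the history carries the reason. These are `dontaudit` rules, so disabling them grants nothing — it only turns the audit noise back on — which is hard to reconcile with a commit titled "Add rules for login into system". The same pattern continues in the `storage_dontaudit_*`, `init_dontaudit_use_fds` and `sulogin_t` hunks of this file.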
@@ -110,10 +110,10 @@ files_read_var_symlinks(local_login_t) fs_search_auto_mountpoints(local_login_t) -storage_dontaudit_getattr_fixed_disk_dev(local_login_t) -storage_dontaudit_setattr_fixed_disk_dev(local_login_t) -storage_dontaudit_getattr_removable_dev(local_login_t) -storage_dontaudit_setattr_removable_dev(local_login_t) +# storage_dontaudit_getattr_fixed_disk_dev(local_login_t) +# storage_dontaudit_setattr_fixed_disk_dev(local_login_t) +# storage_dontaudit_getattr_removable_dev(local_login_t) +# storage_dontaudit_setattr_removable_dev(local_login_t) term_use_all_ttys(local_login_t) term_use_unallocated_ttys(local_login_t) @@ -130,7 +130,7 @@ auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) auth_read_pam_motd_dynamic(local_login_t) -init_dontaudit_use_fds(local_login_t) +# init_dontaudit_use_fds(local_login_t) miscfiles_read_localization(local_login_t) @@ -142,6 +142,9 @@ userdom_use_unpriv_users_fds(local_login_t) userdom_sigchld_all_users(local_login_t) userdom_create_all_users_keys(local_login_t) +write_logging_runtime_dirs(local_login_t) +userdom_manage_user_home_files(local_login_t) + ifdef(`init_systemd',` auth_manage_faillog(local_login_t) @@ -231,7 +234,7 @@ optional_policy(` # allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config }; -dontaudit sulogin_t self:capability dac_override; +# dontaudit sulogin_t self:capability dac_override; allow sulogin_t self:process setexec; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; @@ -248,7 +251,7 @@ kernel_read_system_state(sulogin_t) kernel_stream_connect(sulogin_t) kernel_use_fds(sulogin_t) # because file systems are not mounted: -kernel_dontaudit_search_unlabeled(sulogin_t) +# kernel_dontaudit_search_unlabeled(sulogin_t) fs_search_auto_mountpoints(sulogin_t) fs_rw_tmpfs_chr_files(sulogin_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 933f9ff6f9..813b1a40d0 100644 
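Review bot: `userdom_manage_user_home_files(local_login_t)` gives the login program create/write/unlink on files labelled `user_home_dir_t`, and nothing in the hunk says what login needs to write inside a user's home directory; a login program normally only reads a home file or two (a `.hushlogin`-style marker, presumably) and leaves writing to the session. If the grant is for one specific file, name it in a comment and use a read-only interface; if it is for a provisioning step, that step belongs in the session or a helper domain, not in the pre-authentication login domain.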
--- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -75,6 +75,7 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_runtime_t alias syslogd_var_run_t; files_runtime_file(syslogd_runtime_t) +dbus_write_system_bus_sockets(syslogd_runtime_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 4393242d55..0819d68fdf 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -622,3 +622,21 @@ interface(`unconfined_dbus_connect',` allow $1 unconfined_t:dbus acquire_svc; ') + +######################################## +## +## Transition to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_transition_to_unconfined',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process { transition siginh noatsecure rlimitinh }; +') \ No newline at end of file diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index 173e314af7..e9b8754d96 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,4 +1,5 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) + HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) HOME_DIR/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0) HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 5df658498f..3feaefbdae 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
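Review bot: `dbus_write_system_bus_sockets(syslogd_runtime_t)` passes a file type where the interface expects a domain: `syslogd_runtime_t` is declared two lines above as a runtime file type via `files_runtime_file`, so the generated allow rule has a non-process subject and can never authorise anything syslogd does. The intended subject is almost certainly the daemon itself, `dbus_write_system_bus_sockets(syslogd_t)`, placed in the syslogd_t rules section rather than among the type declarations, and it should sit inside an `optional_policy` block like the other dbus calls in the tree.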
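Review bot: `domain_transition_to_unconfined` allows `transition siginh noatsecure rlimitinh` on `unconfined_t:process` with no entrypoint, so any caller can enter unconfined_t from any executable, and `noatsecure` additionally tells the dynamic loader not to sanitise the environment across that transition. If a raw transition is truly required, the summary should say why each of the three extra permissions is needed, the interface should carry the module prefix like its neighbours (`unconfined_domain_transition`, alongside `unconfined_domtrans` and `unconfined_dbus_connect`), and the file needs the trailing newline flagged by `\ No newline at end of file`.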
@@ -1916,6 +1916,24 @@ interface(`userdom_manage_user_home_dirs',` allow $1 user_home_dir_t:dir manage_dir_perms; ') +######################################## +## +## Manage user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_home_files',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:file manage_file_perms; +') + ######################################## ## ## Do not audit attempts to manage user From 6f2f1d169c38176a37d5e7075410771c41c5d520 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 16 Aug 2023 10:45:10 +0300 Subject: [PATCH 255/257] Add rules for provisioning Signed-off-by: Mykola Solianko --- policy/modules/services/dnsmasq.te | 2 ++ policy/modules/services/rpc.te | 1 + policy/modules/system/aos.if | 56 +++++++++++++++++++++++++++++- policy/modules/system/lvm.te | 2 ++ 4 files changed, 60 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 87543cedf9..952a7826a3 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -106,6 +106,8 @@ miscfiles_read_localization(dnsmasq_t) userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) +files_manage_quota_aos(dnsmasq_t) + optional_policy(` cobbler_read_lib_files(dnsmasq_t) ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index bfe7126173..a287c82d06 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -354,6 +354,7 @@ storage_raw_read_removable_device(nfsd_t) miscfiles_read_public_files(nfsd_t) write_logging_runtime_dirs(nfsd_t) +search_aos_dirs(nfsd_t) tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if index 5c72a8b7fe..f7052ff508 100644 --- a/policy/modules/system/aos.if +++ b/policy/modules/system/aos.if 
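Review bot: `userdom_manage_user_home_files` is named and documented as managing "user home files", but its rule is `allow $1 user_home_dir_t:file manage_file_perms;`, i.e. files carrying the home-directory type, which is not how home content is labelled — the `userdomain.fc` hunk in this same patch labels `HOME_DIR/.+` as `user_home_t`. The existing `userdom_*_user_home_content_*` family (`userdom_read_user_home_content_files` is used later in this series) already covers `user_home_t`; either call one of those or rename this interface to say `user_home_dir_t` so callers are not misled about what they are granting.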
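Review bot: `files_manage_quota_aos(dnsmasq_t)` hands a network-facing DNS/DHCP daemon `manage_file_perms` plus `exec_file_perms` on every `aos_var_run_t` file together with `quotaget quotamod` on the filesystem (per the interface body in the aos.if hunk), which is well beyond what a quota consumer needs and lets a compromised dnsmasq drop and run binaries in /var/aos. If dnsmasq only needs to find or read files there, `search_aos_dirs`/`read_aos_files` from the same patch suffice; otherwise add a comment stating which binary dnsmasq executes from that directory and why.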
@@ -37,6 +37,24 @@ interface(`use_aos_fd',` allow $1 aos_t:fd use; ') +######################################## +## +## Manage aos sem. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`manage_aos_sem',` + gen_require(` + type aos_t; + ') + + allow $1 aos_t:sem { create destroy unix_write associate read unix_read write }; +') + ###################################### ## ## Execute aos in the caller domain. @@ -111,6 +129,42 @@ interface(`files_mounton_aos_dirs',` allow $1 aos_var_run_t:dir mounton; ') +######################################## +## +## Search a /var/aos directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`search_aos_dirs',` + gen_require(` + type aos_var_run_t; + ') + + allow $1 aos_var_run_t:dir { search getattr }; +') + +######################################## +## +## Read a /var/aos files. +## +## +## +## Domain allowed access. +## +## +# +interface(`read_aos_files',` + gen_require(` + type aos_var_run_t; + ') + + allow $1 aos_var_run_t:file read_file_perms; +') + ######################################## ## ## Manage quota files in /var/aos directory. @@ -126,7 +180,7 @@ interface(`files_manage_quota_aos',` type aos_var_run_t; ') - allow $1 aos_var_run_t:dir { add_name remove_name write }; + allow $1 aos_var_run_t:dir manage_dir_perms; allow $1 aos_var_run_t:file { manage_file_perms quotaon exec_file_perms }; allow $1 aos_var_run_t:filesystem { quotaget quotamod }; ') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index c840594574..d28541232e 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -218,6 +218,8 @@ sysnet_write_config(lvm_t) userdom_use_inherited_user_terminals(lvm_t) +manage_aos_sem(lvm_t) + ifdef(`init_systemd',` init_rw_stream_sockets(lvm_t) From 9b81e58c490a7fe55528a53a2cfb2dd102a907fc Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Wed, 16 Aug 2023 16:09:45 +0300 Subject: [PATCH 256/257] Add rules for services 
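Review bot: The parameter text for `manage_aos_sem` says "Domain allowed to transition" while the rule is `allow $1 aos_t:sem { create destroy unix_write associate read unix_read write };` — a copy-paste from a domtrans interface; it should read `Domain allowed access.` The permission list is also hand-written where the rest of this patch uses the `*_perms` macros (`manage_file_perms`, `read_file_perms`); the sem equivalents from the object permission sets (`rw_sem_perms`/`create_sem_perms`, if present in this tree) would keep the interface consistent, or a comment should say why this exact subset was chosen.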
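Review bot: `files_manage_quota_aos` is widened from `{ add_name remove_name write }` to `manage_dir_perms` while already granting `exec_file_perms` on `aos_var_run_t` files, so an interface named for quota management now lets every caller create, delete and execute arbitrary content in a runtime directory; splitting execution into its own interface would let callers such as dnsmasq take the quota permissions alone. The new `search_aos_dirs` and `read_aos_files` follow the pattern of this file in omitting the `aos_` module prefix that refpolicy uses for interface names (`files_manage_quota_aos` even borrows another module's `files_` prefix), and the summary `Read a /var/aos files.` should read `Read /var/aos files.`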
Signed-off-by: Mykola Solianko --- policy/modules/services/container.te | 1 + policy/modules/system/init.if | 18 ++++++++++++++++++ policy/modules/system/udev.te | 1 + 3 files changed, 20 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index f66575812c..3bb414a0a2 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -806,6 +806,7 @@ kernel_getattr_mount_core_if(container_engine_system_domain) use_aos_fd(container_engine_system_domain) files_mounton_runtime_dirs(container_engine_system_domain) mounton_runtime_files(container_engine_system_domain) +init_setattr_stream_socket(container_engine_system_domain) ps_process_pattern(container_engine_system_domain, container_system_domain) allow container_system_domain container_engine_system_domain:fd use; diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index effd217538..a301ed3053 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1119,6 +1119,24 @@ interface(`init_rw_inherited_stream_socket',` allow $1 init_t:unix_stream_socket { getattr read write ioctl }; ') +######################################## +## +## Set attribute init unix streams. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_setattr_stream_socket',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket setattr; +') + ######################################## ## ## Allow the specified domain to read/write to diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index c80c5eda70..37cd2d400d 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -206,6 +206,7 @@ sysnet_etc_filetrans_config(udev_t) systemd_map_hwdb(udev_t) systemd_read_hwdb(udev_t) +files_read_var_files(udev_t) userdom_dontaudit_getattr_user_home_dirs(udev_t) userdom_dontaudit_search_user_home_content(udev_t) 
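Review bot: `files_read_var_files(udev_t)` gives udev read on every file labelled `var_t`, with no comment on which file its rules or helpers actually open. udev's normal inputs already have dedicated types (the neighbouring `systemd_read_hwdb`/`systemd_map_hwdb` calls); if a provisioning file under /var is needed, label it with a specific type (`aos_var_run_t` from this series, for instance) and grant read on that type, e.g. `read_aos_files(udev_t)`.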
From a49fd8c3470e027bfe080f42e95fbb0f06cb5781 Mon Sep 17 00:00:00 2001 From: Mykola Solianko Date: Tue, 29 Aug 2023 12:10:25 +0300 Subject: [PATCH 257/257] Implement login policy Signed-off-by: Mykola Solianko --- config/appconfig-mcs/root_default_contexts | 2 +- config/appconfig-mcs/seusers | 2 +- policy/modules/services/setroubleshoot.te | 2 +- policy/modules/services/ssh.te | 1 + policy/modules/system/authlogin.if | 25 ++++++++++-- policy/modules/system/authlogin.te | 16 ++++---- policy/modules/system/getty.te | 4 +- policy/modules/system/locallogin.te | 18 ++++++++- policy/modules/system/logging.te | 44 +++++++++++----------- policy/modules/system/selinuxutil.te | 6 +-- policy/modules/system/setrans.te | 2 +- policy/modules/system/unconfined.if | 8 ++++ policy/modules/system/unconfined.te | 6 +++ policy/modules/system/xen.te | 2 +- 14 files changed, 93 insertions(+), 45 deletions(-) diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts index 498b429f55..fc5ed35303 100644 --- a/config/appconfig-mcs/root_default_contexts +++ b/config/appconfig-mcs/root_default_contexts @@ -9,4 +9,4 @@ user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:s # # Uncomment if you want to automatically login as sysadm_r # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers index c0903d98b3..f83abae420 100644 --- a/config/appconfig-mcs/seusers +++ b/config/appconfig-mcs/seusers @@ -1,2 +1,2 @@ -root:unconfined_u:s0-mcs_systemhigh +root:system_u:s0-mcs_systemhigh __default__:unconfined_u:s0 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index b21e2ffa21..ec92d629da 100644 --- a/policy/modules/services/setroubleshoot.te 
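Review bot: `root:system_u:s0-mcs_systemhigh` maps the root login to `system_u`, the SELinux identity reserved for system processes and objects, so interactive root sessions become indistinguishable from daemons in the audit trail and take whatever roles `system_u` is authorised for rather than a login user's. Together with the now-uncommented `system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 ...` line in `root_default_contexts` in the preceding hunk, a root ssh login lands straight in `unconfined_t`. If that is the intended deployment posture, state it in the commit message; otherwise keep `unconfined_u` (or a dedicated `root` seuser) so the per-user contexts file still applies.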
+++ b/policy/modules/services/setroubleshoot.te @@ -108,7 +108,7 @@ init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) -locallogin_dontaudit_use_fds(setroubleshootd_t) +#locallogin_dontaudit_use_fds(setroubleshootd_t) logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 0d42a2c923..81d60bae4a 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -253,6 +253,7 @@ kernel_search_key(sshd_t) term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) term_relabelto_all_ptys(sshd_t) +auth_allow_psw(sshd_t) write_logging_runtime_dirs(sshd_t) files_read_var_files(sshd_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 442a37b16b..257e6cf707 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -38,7 +38,15 @@ template(`auth_role',` ps_process_pattern($2, chkpwd_t) - dontaudit $2 shadow_t:file read_file_perms; + #dontaudit $2 shadow_t:file read_file_perms; +') + +interface(`auth_allow_psw',` + gen_require(` + type shadow_t; + ') + + allow $1 shadow_t:file read_file_perms; ') ######################################## @@ -266,6 +274,15 @@ interface(`auth_domtrans_login_program',` domtrans_pattern($1, login_exec_t, $2) ') +interface(`auth_domtrans_login_program_test',` + gen_require(` + type login_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, login_exec_t) +') + ######################################## ## ## Execute a login_program in the target domain, @@ -415,7 +432,7 @@ interface(`auth_domtrans_chk_passwd',` corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) - dontaudit $1 shadow_t:file read_file_perms; + #dontaudit $1 shadow_t:file read_file_perms; dev_read_rand($1) dev_read_urand($1) 
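Review bot: `auth_allow_psw(sshd_t)` grants the network-facing sshd domain direct `read_file_perms` on `shadow_t`, abandoning the helper split in which only `chkpwd_t` (the target of `auth_domtrans_chk_passwd`, visible in this same patch) ever touches /etc/shadow; a memory-safety bug in sshd would then expose every account's password hash. If PAM inside sshd genuinely cannot use the helper, add a comment explaining why and use an interface that also applies the `can_read_shadow_passwords` attribute so the neverallow assertions in authlogin.te can remain in force.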
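Review bot: The new `auth_allow_psw` interface has none of the `########`/`## summary`/`## param` documentation every other interface in this file carries, and it grants `shadow_t:file read_file_perms` without `typeattribute $1 can_read_shadow_passwords;` — which is exactly why the `neverallow ~can_read_shadow_passwords shadow_t:file read;` assertion in authlogin.te had to be disabled further down. Add the attribute line, write the summary, and give it a descriptive name (`auth_read_shadow_passwords`, or reuse `auth_read_shadow` if this tree already has it) so the neverallow can stay. Commenting out `dontaudit $2 shadow_t:file read_file_perms;` in `auth_role` is also a behaviour change for every role template user and deserves a sentence in the commit message.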
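Review bot: `auth_domtrans_login_program_test` performs `can_exec($1, login_exec_t)`, i.e. it runs the login binary in the caller's own domain with no transition, yet its name says `domtrans` and it has neither a documentation block nor any hint that it is test scaffolding. If it is to stay, rename it to reflect execution without transition (`auth_exec_login_program`) and document it; if it is a debugging aid, it should not be shipped in the policy.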
@@ -558,7 +575,7 @@ interface(`auth_dontaudit_getattr_shadow',` type shadow_t; ') - dontaudit $1 shadow_t:file getattr; + #dontaudit $1 shadow_t:file getattr; ') ######################################## @@ -667,7 +684,7 @@ interface(`auth_dontaudit_read_shadow',` type shadow_t; ') - dontaudit $1 shadow_t:file read_file_perms; + #dontaudit $1 shadow_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index ab15b40d67..82fc4e8f05 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -68,9 +68,9 @@ files_runtime_file(pam_var_console_t) type shadow_t; files_auth_file(shadow_t) -neverallow ~can_read_shadow_passwords shadow_t:file read; -neverallow ~can_write_shadow_passwords shadow_t:file { create write }; -neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; +# neverallow ~can_read_shadow_passwords shadow_t:file read; +# neverallow ~can_write_shadow_passwords shadow_t:file { create write }; +# neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; type shadow_lock_t; files_lock_file(shadow_lock_t) @@ -247,11 +247,11 @@ files_read_etc_files(pam_domain) logging_send_audit_msgs(pam_domain) logging_send_syslog_msg(pam_domain) -tunable_policy(`authlogin_pam',` - dontaudit pam_domain shadow_t:file read_file_perms; -',` - allow pam_domain shadow_t:file read_file_perms; -') +#tunable_policy(`authlogin_pam',` +# dontaudit pam_domain shadow_t:file read_file_perms; +#',` +# allow pam_domain shadow_t:file read_file_perms; +#') optional_policy(` nis_authenticate(pam_domain) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 6e454de25d..3b1acc309d 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te 
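Review bot: With `#dontaudit $1 shadow_t:file getattr;` commented out, `auth_dontaudit_getattr_shadow` (and `auth_dontaudit_read_shadow` in the next hunk) become empty interfaces: every existing caller across the tree keeps compiling but silently gets no effect, which is the worst of both worlds for a maintainer reading the call sites. If shadow probes are meant to be audited now, remove the interfaces and their callers, or leave them intact and disable dontaudit at load time; do not hollow them out.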
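Review bot: Commenting out the three `neverallow ~can_*_shadow_passwords shadow_t:file ...` assertions removes the policy's compile-time guarantee that only explicitly attributed domains may read, write or relabel /etc/shadow; any future `allow ... shadow_t:file read` anywhere in the tree will now pass the build unnoticed. Keep the neverallows and attribute the domains that legitimately need shadow access instead — the callers of the new `auth_allow_psw` get `typeattribute $1 can_read_shadow_passwords;` — so the assertion continues to document and enforce the trust boundary.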
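Review bot: Removing the whole `tunable_policy(`authlogin_pam', ...)` block also drops its else branch, `allow pam_domain shadow_t:file read_file_perms;`, so in a build with `authlogin_pam` off every `pam_domain` member loses shadow access entirely rather than gaining it. If the tunable is considered obsolete for this platform, delete the block (and the boolean's declaration) with a commit-message note rather than leaving it commented out; if not, keep it.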
@@ -93,7 +93,9 @@ auth_use_nsswitch(getty_t) init_rw_utmp(getty_t) -locallogin_domtrans(getty_t) +#locallogin_domtrans(getty_t) +login_unconfined_domtrans(getty_t) +unconfined_domain(getty_t) logging_send_syslog_msg(getty_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 45b9ce02af..e0f80536b6 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -9,6 +9,10 @@ type local_login_t; domain_interactive_fd(local_login_t) auth_login_pgm_domain(local_login_t) auth_login_entry_type(local_login_t) +domain_obj_id_change_exemption(local_login_t) +domain_subj_id_change_exemption(local_login_t) +domain_role_change_exemption(local_login_t) +role system_r types local_login_t; type local_login_lock_t; files_lock_file(local_login_lock_t) @@ -33,7 +37,7 @@ role system_r types sulogin_t; # allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -# dontaudit local_login_t self:capability net_admin; +allow local_login_t self:capability net_admin; allow local_login_t self:process { getcap setcap setexec setrlimit setsched setpgid signal }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; @@ -48,6 +52,9 @@ allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; allow local_login_t self:key { search write link }; +logging_send_syslog_msg(local_login_t) +auth_allow_psw(local_login_t) + allow local_login_t local_login_lock_t:file manage_file_perms; files_lock_filetrans(local_login_t, local_login_lock_t, file) 
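Review bot: `unconfined_domain(getty_t)` makes the console/serial getty process itself unconfined, and `login_unconfined_domtrans(getty_t)` then starts /bin/login directly as `unconfined_t`, so the pre-authentication step that `local_login_t` exists to confine (tty setup, PAM, shadow access, setexec) now runs with no SELinux restriction before anyone has logged in. That contradicts the `local_login_t` hardening in this same patch. Keep `locallogin_domtrans(getty_t)` and let `local_login_t` select the session context from `default_contexts`; if an unconfined login path is a deliberate provisioning shortcut, gate it behind a tunable and a comment explaining the trade-off.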
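Review bot: The three `domain_*_change_exemption(local_login_t)` calls and `role system_r types local_login_t;` look redundant with `auth_login_pgm_domain(local_login_t)` two lines above, which in upstream refpolicy already applies the object/subject/role change exemptions and the system_r authorisation for login programs; if this tree's `auth_login_pgm_domain` differs, a comment saying so would stop the next reader from removing them. Otherwise drop the four lines so the login-program contract stays in one place.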
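Review bot: `allow local_login_t self:capability net_admin;` turns what the base policy deliberately only silenced into a real grant of CAP_NET_ADMIN to the login program, which has no business configuring interfaces, routes or socket options, and nothing in the hunk says which operation produced the denial. If a PAM module in this build needs it, name it in a comment (`# CAP_NET_ADMIN: required by pam_<module> for <op>`) so the grant can be revisited; otherwise restore the `dontaudit`.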
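Review bot: `auth_allow_psw(local_login_t)` gives login direct `read_file_perms` on `shadow_t` even though `auth_login_pgm_domain(local_login_t)` already routes password checks through the `chkpwd_t` helper via the PAM stack; the helper split exists so that the long-lived, root, tty-handling login process never holds the hash file itself. If a local PAM configuration bypasses unix_chkpwd, document that in a comment next to the call and apply the `can_read_shadow_passwords` attribute so the neverallow assertions can be kept.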
@@ -58,12 +65,15 @@ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) fs_getattr_cgroup(local_login_t) fs_search_cgroup_dirs(local_login_t) fs_getattr_xattr_fs(local_login_t) +su_exec(local_login_t) +auth_domtrans_login_program_test(local_login_t) kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) kernel_search_key(local_login_t) kernel_link_key(local_login_t) kernel_getattr_proc(local_login_t) +userdom_read_user_home_content_files(local_login_t) corecmd_list_bin(local_login_t) # cjp: these are probably not needed: @@ -186,6 +196,10 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(local_login_t) ') +optional_policy(` + init_admin(local_login_t) +') + optional_policy(` alsa_domtrans(local_login_t) ') @@ -234,7 +248,7 @@ optional_policy(` # allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config }; -# dontaudit sulogin_t self:capability dac_override; +allow sulogin_t self:capability dac_override; allow sulogin_t self:process setexec; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 813b1a40d0..7abcbb0ab4 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -110,7 +110,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -dontaudit auditctl_t auditd_etc_t:file map; +#dontaudit auditctl_t auditd_etc_t:file map; corecmd_search_bin(auditctl_t) @@ -119,7 +119,7 @@ files_getattr_all_dirs(auditctl_t) files_getattr_all_files(auditctl_t) files_read_etc_files(auditctl_t) -kernel_dontaudit_getattr_proc(auditctl_t) +#kernel_dontaudit_getattr_proc(auditctl_t) kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) kernel_read_system_state(auditctl_t) 
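Review bot: `su_exec(local_login_t)` executes su without a domain transition, so su runs with the full privilege of `local_login_t` (setexec, dac_override, and the newly allowed net_admin) rather than in a su domain, and `auth_domtrans_login_program_test(local_login_t)` likewise re-executes login in place; neither line says which provisioning flow requires it. If login has to hand off to su, use a transition interface and comment the caller; if these are debugging leftovers they should be dropped before merge.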
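Review bot: `init_admin(local_login_t)` gives the login program administrative control over init/systemd — by its name, unit start/stop/reload and init's configuration — before any user has authenticated, which a login program never needs. If a post-login helper must run systemctl, grant that to the session domain or a dedicated helper domain reached by transition, not to `local_login_t`. Wrapping the call in `optional_policy` also hides that init is a base module the login policy cannot do without.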
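Review bot: `allow sulogin_t self:capability dac_override;` converts a dontaudit into a grant that lets rescue-mode sulogin bypass DAC on every file, and the hunk does not say which file access was denied. sulogin already has `dac_read_search`; if write access to a specific root-owned file is the trigger, name it in a comment, otherwise restore the dontaudit.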
@@ -132,7 +132,7 @@ mls_file_read_all_levels(auditctl_t) term_use_all_terms(auditctl_t) -init_dontaudit_use_fds(auditctl_t) +#init_dontaudit_use_fds(auditctl_t) logging_set_audit_parameters(auditctl_t) logging_send_syslog_msg(auditctl_t) @@ -146,9 +146,9 @@ ifdef(`init_systemd',` systemd_stream_connect_userdb(auditctl_t) ') -optional_policy(` - locallogin_dontaudit_use_fds(auditctl_t) -') +# optional_policy(` +# locallogin_dontaudit_use_fds(auditctl_t) +# ') ######################################## # @@ -156,7 +156,7 @@ optional_policy(` # allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; -dontaudit auditd_t self:capability sys_tty_config; +#dontaudit auditd_t self:capability sys_tty_config; allow auditd_t self:process { getcap signal_perms setcap setpgid setsched }; allow auditd_t self:file rw_file_perms; allow auditd_t self:unix_dgram_socket create_socket_perms; @@ -165,7 +165,7 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; -dontaudit auditd_t auditd_etc_t:file map; +#dontaudit auditd_t auditd_etc_t:file map; manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t auditd_log_t:dir setattr; @@ -227,13 +227,13 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire mls_fd_use_all_levels(auditd_t) mls_socket_write_all_levels(auditd_t) -seutil_dontaudit_read_config(auditd_t) +#seutil_dontaudit_read_config(auditd_t) sysnet_dns_name_resolve(auditd_t) userdom_use_user_terminals(auditd_t) -userdom_dontaudit_use_unpriv_user_fds(auditd_t) -userdom_dontaudit_search_user_home_dirs(auditd_t) +#userdom_dontaudit_use_unpriv_user_fds(auditd_t) +#userdom_dontaudit_search_user_home_dirs(auditd_t) ifdef(`distro_ubuntu',` optional_policy(` 
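Review bot: Commenting out `dontaudit auditd_t self:capability sys_tty_config;` (and the `auditd_etc_t:file map`, `seutil_dontaudit_read_config` and `userdom_dontaudit_*` lines that follow) makes the audit daemon itself generate AVC records every time it starts, polluting the very log it maintains without granting it anything new. These hunks are unrelated to the "login policy" of the commit title; either split them into a separate commit with a rationale or leave the dontaudit rules intact and use `semodule -DB` when debugging.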
@@ -334,7 +334,7 @@ sysnet_dns_name_resolve(audisp_remote_t) # allow klogd_t self:capability sys_admin; -dontaudit klogd_t self:capability { sys_resource sys_tty_config }; +#dontaudit klogd_t self:capability { sys_resource sys_tty_config }; allow klogd_t self:process signal_perms; corecmd_bin_entry_type(klogd_t) @@ -373,7 +373,7 @@ miscfiles_read_localization(klogd_t) mls_file_read_all_levels(klogd_t) -userdom_dontaudit_search_user_home_dirs(klogd_t) +#userdom_dontaudit_search_user_home_dirs(klogd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -395,8 +395,8 @@ optional_policy(` # sys_nice for rsyslog # cjp: why net_admin! allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; -dontaudit syslogd_t self:capability { sys_ptrace }; -dontaudit syslogd_t self:cap_userns { kill sys_ptrace }; +#dontaudit syslogd_t self:capability { sys_ptrace }; +#dontaudit syslogd_t self:cap_userns { kill sys_ptrace }; # setpgid for metalog # setrlimit for syslog-ng # getsched for syslog-ng @@ -469,7 +469,7 @@ kernel_change_ring_buffer_level(syslogd_t) # Read ring buffer for journald kernel_read_ring_buffer(syslogd_t) # /initrd is not umounted before minilog starts -kernel_dontaudit_search_unlabeled(syslogd_t) +#kernel_dontaudit_search_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) @@ -528,7 +528,7 @@ term_write_unallocated_ttys(syslogd_t) # for sending messages to logged in users init_read_utmp(syslogd_t) -init_dontaudit_write_utmp(syslogd_t) +#init_dontaudit_write_utmp(syslogd_t) term_write_all_ttys(syslogd_t) auth_use_nsswitch(syslogd_t) 
@@ -539,8 +539,8 @@ miscfiles_read_localization(syslogd_t) seutil_read_config(syslogd_t) -userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) +#userdom_dontaudit_use_unpriv_user_fds(syslogd_t) +#userdom_dontaudit_search_user_home_dirs(syslogd_t) ifdef(`init_systemd',` # for systemd-journal @@ -598,12 +598,12 @@ ifdef(`init_systemd',` systemd_read_user_runtime_lnk_files(syslogd_t) ') -ifdef(`distro_gentoo',` +#ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel # and high priority messages to /dev/tty12 # and chown/chgrp/chmod /dev/tty12, which is denied - term_dontaudit_setattr_unallocated_ttys(syslogd_t) -') +# term_dontaudit_setattr_unallocated_ttys(syslogd_t) +#') ifdef(`distro_suse',` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 9f48d5fabc..f6484735fb 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -396,9 +396,9 @@ ifdef(`distro_ubuntu',` ') ') -optional_policy(` - locallogin_dontaudit_use_fds(restorecond_t) -') +#optional_policy(` +# locallogin_dontaudit_use_fds(restorecond_t) +#') optional_policy(` rpm_use_script_fds(restorecond_t) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 5510f7fac8..2e57f6443d 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -79,7 +79,7 @@ term_dontaudit_use_unallocated_ttys(setrans_t) init_dontaudit_use_script_ptys(setrans_t) -locallogin_dontaudit_use_fds(setrans_t) +#locallogin_dontaudit_use_fds(setrans_t) logging_send_syslog_msg(setrans_t) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 0819d68fdf..6e4ee6c861 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if 
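Review bot: The entire `ifdef(`distro_gentoo', ...)` block is commented out instead of being removed, leaving an m4 conditional as dead text with its explanatory comments still in place; on a non-Gentoo build the block already expands to nothing, so the edit changes nothing except readability. Either delete the block with a note that Gentoo is not a supported distro for this tree, or leave it untouched.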
@@ -177,6 +177,14 @@ interface(`unconfined_domtrans',` domtrans_pattern($1, unconfined_exec_t, unconfined_t) ') +interface(`login_unconfined_domtrans',` + gen_require(` + type unconfined_t, login_exec_t; + ') + + domtrans_pattern($1, login_exec_t, unconfined_t) +') + ######################################## ## ## Execute specified programs in the unconfined domain. diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index e232a207f2..ce49dd4219 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -25,6 +25,7 @@ role system_r types unconfined_t; role_transition system_r unconfined_exec_t unconfined_r; allow system_r unconfined_r; allow unconfined_r system_r; +auth_login_entry_type(unconfined_t) ######################################## # @@ -74,6 +75,11 @@ ifdef(`init_systemd',` ') ') + +optional_policy(` + ssh_basic_client_template(unconfined, unconfined_t, unconfined_r) +') + optional_policy(` apache_run_helper(unconfined_t, unconfined_r) apache_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 5311f3a348..a9f43c0dab 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -295,7 +295,7 @@ term_getattr_pty_fs(xend_t) init_stream_connect_script(xend_t) -locallogin_dontaudit_use_fds(xend_t) +#locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t)
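Review bot: `login_unconfined_domtrans` duplicates an interface that already exists in this patch series — `auth_domtrans_login_program($1, unconfined_t)` in authlogin.if does exactly `domtrans_pattern($1, login_exec_t, $2)` — while adding a cross-module `gen_require` on `login_exec_t` from inside unconfined.if and carrying no documentation block. Drop the new interface and call `auth_domtrans_login_program(getty_t, unconfined_t)` at the one call site, or, if a wrapper is wanted, name it with the module prefix (`unconfined_domtrans_login`) and document it like `unconfined_domtrans` directly above.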