9 changed files with 1180 additions and 1455 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-0113b35.tar.gz
+SOURCES/selinux-policy-6112821.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,2 +1,2 @@
-484f3f9e443621ccd65c42d11229424a36bf58b9 SOURCES/container-selinux.tgz
-430470dababaa6af18348fc2f8f0fe2108b50e05 SOURCES/selinux-policy-0113b35.tar.gz
+af02e18349519dd577a4cc9bef8a3a78b26923f9 SOURCES/container-selinux.tgz
+c39699459cb607824f45fae42aa452e6f84fbc68 SOURCES/selinux-policy-6112821.tar.gz
--- a/SOURCES/booleans-targeted.conf
+++ b/SOURCES/booleans-targeted.conf
@ -12,6 +12,7 @@ pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_execmem = true
+selinuxuser_execmod = true
 selinuxuser_execstack = true
 selinuxuser_rw_noexattrfile=true
 selinuxuser_ping = true
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@ -1,5 +1,5 @@
-/run /var/run
-/run/lock /var/lock
+/var/run /run
+/var/lock /run/lock
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
 /run/systemd/generator.early /usr/lib/systemd/system
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -706,6 +706,13 @@ git = module
 # 
 glance = module

+# Layer: contrib
+# Module: glusterd
+#  
+#  policy for glusterd service
+#
+glusterd =  module
+
 # Layer: apps
 # Module: gnome
 #
@ -2650,6 +2657,13 @@ stratisd = module
 #
 ica = module

+# Layer: contrib
+# Module: fedoratp
+#
+# fedoratp
+#
+fedoratp = module
+
 # Layer: contrib
 # Module: insights_client
 #
@ -2684,7 +2698,7 @@ wireguard = module
 # mptcpd
 #
 mptcpd = module
-	
+
 # Layer: contrib
 # Module: rshim
 #
@ -2692,6 +2706,20 @@ mptcpd = module
 #
 rshim = module

+# Layer: contrib
+# Module: keyutils
+#
+# keyutils
+#
+keyutils = module
+
+# Layer: contrib
+# Module: cifsutils
+#
+#  cifsutils - Utilities for managing CIFS mounts
+#
+cifsutils = module
+
 # Layer: contrib
 # Module: boothd
 #
@ -2699,6 +2727,20 @@ rshim = module
 #
 boothd = module

+# Layer: contrib
+# Module: kafs
+#
+#  kafs - Tools for kAFS
+#
+kafs = module
+
+# Layer: contrib
+# Module: bootupd
+#
+#  bootupd - bootloader update daemon
+#
+bootupd = module
+
 # Layer: contrib
 # Module: fdo
 #
@ -2713,6 +2755,13 @@ fdo = module
 #
 qatlib = module

+# Layer: services
+# Module: virt_supplementary
+#
+# non-libvirt virtualization libraries
+#
+virt_supplementary = module
+
 # Layer: contrib
 # Module: nvme_stas
 #
@ -2733,17 +2782,3 @@ coreos_installer = module
 # afterburn
 #
 afterburn = module
-
-# Layer: contrib
-# Module: sap_unconfined
-#
-#  sap_unconfined
-#
-sap = module
-
-# Layer: contrib
-# Module: bootupd
-#
-#  bootupd - bootloader update daemon
-#
-bootupd = module
--- a/SOURCES/rpm.macros
+++ b/SOURCES/rpm.macros
@ -55,8 +55,10 @@ if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 %{nil}

@ -71,8 +73,10 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ $1 -eq 0 ]; then \
  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
  fi \
 fi \
 %{nil}
--- a/SOURCES/selinux-policy-focal-moh-spi.patch
+++ b/SOURCES/selinux-policy-focal-moh-spi.patch
@ -0,0 +1,49 @@
+diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
+index 99ae622..b9542cc 100644
+--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
+@@ -39,6 +39,7 @@
+ /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+ /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
+/dev/focal_moh_spi		-c	gen_context(system_u:object_r:fprintd_device_t,s0)
+ /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+ /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index b063e34..9365f3d 100644
+--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
+@@ -6841,6 +6841,7 @@ gen_require(`
+ 	type smartcard_device_t;
+ 	type mtrr_device_t;
+ 	type ecryptfs_device_t;
+	type fprintd_device_t;
+     type mptctl_device_t;
+     type hypervkvp_device_t;
+     type hypervvssd_device_t;
+@@ -7023,6 +7024,7 @@ gen_require(`
+ 	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
+ 	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
+ 	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
+	filetrans_pattern($1, device_t, fprintd_device_t, chr_file, "focal_moh_spi")
+ 	filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
+ 	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
+ 	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
+diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
+index 8d414cb..52f4501 100644
+--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
+@@ -131,6 +131,12 @@ dev_node(event_device_t)
+ type framebuf_device_t;
+ dev_node(framebuf_device_t)
+ 
+#
+# Type for fpr /dev/focal_moh_spi
+#
+type fprintd_device_t;
+dev_node(fprintd_device_t)
+
+ #
+ # Type for hyperv devices
+ #
--- a/SOURCES/varrun-convert.sh
+++ b/SOURCES/varrun-convert.sh
@ -0,0 +1,80 @@
+#!/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+if [ "${DEBUG}" = "yes" ]; then
+  set -x
+fi
+
+# Look for working files and log in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+  exit
+fi
+
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+  exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+  exit
+fi
+
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <<none>> which do not match previous regexps
+sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+  echo "(optional extra_var_run_${i}"
+  echo "  $line"
+  echo ")"
+  ((i++))
+done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
+
+# Load module
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
+
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec