From 4235c61a2fc3e5e3d0cdf6705bbdc29894c9c791 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Date: Thu, 31 Oct 2024 07:25:26 +0100
Subject: [PATCH] WIP: se: allow rules

---
 internal/pkg/selinux/policy/file_contexts     |  20 ++
 internal/pkg/selinux/policy/policy.33         | Bin 28139 -> 36108 bytes
 .../selinux/policy/selinux/common/files.cil   |  97 +++++++++
 .../policy/selinux/common/processes.cil       | 191 ++++++++++++++++++
 .../selinux/policy/selinux/services/cri.cil   |  56 +++++
 .../policy/selinux/services/kubelet.cil       |  45 +++++
 .../policy/selinux/services/machined.cil      |  13 ++
 .../selinux/services/system-containerd.cil    |  16 ++
 .../selinux/services/system-containers.cil    |  18 +-
 .../selinux/policy/selinux/services/udev.cil  |  16 ++
 10 files changed, 470 insertions(+), 2 deletions(-)
 create mode 100644 internal/pkg/selinux/policy/selinux/common/processes.cil

diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts
index 47dd3491c2..eabe7f8f24 100644
--- a/internal/pkg/selinux/policy/file_contexts
+++ b/internal/pkg/selinux/policy/file_contexts
@@ -1,17 +1,37 @@
+/.extra(/.*)?	system_u:object_r:extra_t:s0
+/bin(/.*)?	system_u:object_r:bin_t:s0
+/etc(/.*)?	system_u:object_r:etc_t:s0
+/lib(/.*)?	system_u:object_r:lib_t:s0
 /opt(/.*)?	system_u:object_r:opt_t:s0
+/usr(/.*)?	system_u:object_r:usr_t:s0
 /sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
 /etc/cni(/.*)?	system_u:object_r:cni_conf_t:s0
+/etc/lvm(/.*)?	system_u:object_r:lvm_conf_t:s0
+/etc/pki(/.*)?	system_u:object_r:ssl_certificates_t:s0
+/etc/ssl(/.*)?	system_u:object_r:ssl_certificates_t:s0
 /opt/cni(/.*)?	system_u:object_r:cni_plugin_t:s0
+/usr/bin(/.*)?	system_u:object_r:bin_t:s0
+/usr/etc(/.*)?	system_u:object_r:udev_conf_t:s0
+/usr/lib(/.*)?	system_u:object_r:lib_t:s0
 /usr/sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
+/etc/selinux(/.*)?	system_u:object_r:selinux_conf_t:s0
+/opt/cni/bin(/.*)?	system_u:object_r:cri_plugin_bin_t:s0
+/usr/libexec(/.*)?	system_u:object_r:bin_t:s0
+/lib/firmware(/.*)?	system_u:object_r:firmware_t:s0
 /usr/lib/udev(/.*)?	system_u:object_r:udev_exec_t:s0
 /etc/kubernetes(/.*)?	system_u:object_r:k8s_conf_t:s0
 /opt/containerd(/.*)?	system_u:object_r:containerd_plugin_t:s0
+/usr/share/zoneinfo(/.*)?	system_u:object_r:timezone_t:s0
 /usr/lib/udev/rules.d(/.*)?	system_u:object_r:udev_rules_t:s0
+/etc/ca-certificates(/.*)?	system_u:object_r:ssl_certificates_t:s0
 /usr/libexec/kubernetes(/.*)?	system_u:object_r:k8s_plugin_t:s0
+/usr/share/ca-certificates(/.*)?	system_u:object_r:ssl_certificates_t:s0
+/usr/local/share/ca-certificates(/.*)?	system_u:object_r:ssl_certificates_t:s0
 /	system_u:object_r:rootfs_t:s0
 /bin/runc	system_u:object_r:containerd_exec_t:s0
 /sbin/init	--	system_u:object_r:init_exec_t:s0
 /sbin/udevadm	-l	system_u:object_r:udev_exec_t:s0
+/etc/localtime	system_u:object_r:timezone_t:s0
 /sbin/poweroff	system_u:object_r:init_exec_t:s0
 /sbin/shutdown	system_u:object_r:init_exec_t:s0
 /sbin/modprobe	--	system_u:object_r:modprobe_exec_t:s0
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
index f92e7fad825d216d472b079e005771d66a5c1e5a..54c1afc1b0ab1f25f1d013b23eb33af64b26802a 100644
GIT binary patch
literal 36108
zcmbWA>7E?LneI!CjAgS}HrRM(Y|{uC1VSK$SZ$+Z#{*t4t2c`3s;us$YonHynlY&C
zvB&n<<MD_2ov-IE&R6RW&MlnFIOoH-&-0JWCo8HtvsEIRP({7*#vAV*k&&6jpAUZZ
z|4uX-jW=J~d_5b?uH2*cF;!q+P)&*ojPk$oj{q;4jnAn;y+w6H^&g7b&3b9GJ?!^~
zgU<_ev+8y_ZB3_Rnm4Jo$7yStGVV*N<Fwb>N_*Y$u+Q{&sa|eP+dIw47TsSjzhBO#
zJIzr#?jIKj)Lu5&WeO<uhqJ+SIA98xZjDCipaXk%ss?(DLbl$pz02oG)ne}Hkj`6G
zhZ+XCuc_u-h}X`9E@W)YI@z?@YPZwLgqgphI#~$!Wqlo|gH}I<-tFOAs{<n6(<^Da
zKMYI(%7*P}4-Qe><#9Gm(ajfC`>hcO^f6{OP5FA8>PNHTw3SPFhrZ4Rr~rPys+#i~
z6ag;O08=NDIi1#9g{f+-f=-caB8}#ng7j84=#<))LPk@*1tkUD^DU@5n@rPS7dV!(
zhNCIQ!!DDZ*|amfJU}}LUTGSTb5*wYa1wM8>7B8Ni=CL0Zuy&LK_~{7iVjM$qJz`q
ziiSjcI2feuDI8;LY}iCZW`YnM)OKss+RA#_bpJx3PSBaS-)c99d+B(bby9>0ZW#Op
z)?kY&|LrO=&|uKws0%KXFSmBnW~<j4_n9;Bw3D`XN5gC|ZI08)bU03#2azWGliqL}
zu~GOIdTUN*6MP<0Fbq4bPCpw!A8M8$8?_@xpeG7X$mNazIt<SS*%eKnO90Cqu`(X+
zLl#y-e{f$$1feH#w@eYva5yd^gsI>RVpeGwh;uP;v#1Ll7mUWN%U#kjlo>UUQ;%Dh
z>Hnsx)WX+n$gI?Ez=q9#EV>6-JMb0UFP)Aw7rda#{_bGdAuEt}pp5;SlXSeNF--AK
zs!TCb0+=EVI@ry6JzRkAoyY}%eM>d)lum}TaXX~EMH(rUhIcbxFc-{HF%x!048-k9
zi&?NPxe2NPo$eyAwzCclkud3Q?~I4TDYQ2W$aK0dg$}w|@SI?(;GcrYqCEzGqd*-^
z$E{pZMW}V9DA*!BLw!rM`F?lteVX-C6p4qlccgZxk=a02)|>TGbc}j~YRAJ?r`?)_
zASD!gX={?Ac=V>MHoMZy`u*9owbct?Xro@7M>c7V+dGIJl3O~RWt|QPs))}_PpH!C
zqFG6nO?_&Gnx^Aso)ni-qmkoJGzdXFri$R2WFSF(b%ji8+Mn#T*JTF%LFIu}Dx*<P
z>rhW=Af)>1N`-kKgfqob?WX(dl5hkN7LdcCDE-OyN6Sfu-gNNMES;qRW91(VNqJBe
zJ5wo&Gp$+-W~%ORe7QC5G_$Z=5Juy)y@&6B@801o<Z#?@X>o@+7BGDrD!3`SxTqTI
z!Y<RzwiJrP-Pvee)u2@<-djU)lIAYHrm+Y#3PM1ZN||VLp!IB@@AS1<FbMH!dL=|Y
z9eb@_)=@TYDx?P!^aZ&PN26gcYwwd?NN-9ois~Nz9-?^IA8G5+%$EbKz*r%r11Y;5
z*0``-6nL#*3yAd;+s&LdLx^Y%6SJe%xYZ}fv6!}qfqr2ouy6!}XG*-FGO<Pn(Z=aV
zqj8?o@Cc*!)BaXE7T{1}FgkcgHMVT4x4o_@Q5I65Asoe}r(D8TH`?yHEB<6CDfC%Y
zNVq7SUT7lYV6s^5yrnQw{7Gg;l&4f<QS79X_9P1y9u3FSb%ld7h?3RuS%+{~)V0i~
zt$r0L1OdI+G);$UA1ctL!fecN9@SN350MZ63sOE%#XX!W*he+fy>u|eSA!ppW+3Aj
zVetwZC%z#R`+C|qp7$S+3TrS8sO-ubX-|zqg}nx{u(-ss1U+@O<<;xTgPTL?wG~RE
z(P(&OT_SdC;setmK4sdj%uvjUxx%Kluo)&~sJ1-$Mpx}a#q<1BJ+auk?X~4~>S~Du
zY?@WJHf;Uj0|RN3n{JcKkSUmxjY>!M&6K~U`+^=S?0eAVDb-jF4v8z>aV4LK74*^5
zQWbU-L}}1QfCQ%y<WRBm;ViWMU3;8q+J`LurEl7tv+02>vgG?8ts$)r`UvuBdzUGZ
zl5KI!Vvwve8TL}=;9{Wi-b}l0$T4Msiy!OTp#mCec}_L9TI<S%$Jg~RyD5$zCkA%c
zl|JT_aHK!6g@QBo#Z?9yYxPd6Sp3Wu<Enre&#1<_u#4;tw?5QmUvm~xN!8REc&J#z
ziF#t~WbOWER}Q(D@?BLtgi4W@WP@z0rE3xGU&!tVL~p+}Xl+Yhvn`1O>S{5c52+*8
zcc)#SC_)%;^&2IM5G>bA6ij|jHRfF_GYfWcVI6qZ;YRc0bX>V)Fb~2#saj>N?Nrx(
z+1i_Bi~o}qa@nLaxKUHTy+Whi%DU^)AYD+-s<J<#Qnc45ocWq>vb;iZp+Xyl?Pcj@
zutJgu*FE5eG>{)W(Ls{&vc_z+8O#~|2SSQ9+-|L{5gTb!Bx0v>NNEx3WUb2m)n^W4
zr=vGk*dAXQE03<Zi)ME684BA}by@7c7Ompo!6@;kz3RsT#wyHa?Y(tbaa#JeXv8`k
zZjt?!1Fg(#^hEb^71htIN^fP}T4g^?)2Gf~c=Yj$Rnx@^aNA3JTL7HSZk`RBx+)oL
zvxworJ{03hqBAjOyC070@Z8Bqx>)F`aj4i`Usq48>t1hdtDDPThy;^SDauQn;$AS9
zgTW}jLdvGuaDbM;91JHqTZlRsx>^tkPPsf_9dwzb{l#^#f$^us`?-Lzc$5Cx;^EAA
zBng2Faf`QdX~MYy-Nkuwb1=+hf&-4mw9gvvhaI!N94cU;k?*N)s=6p%4qd|>5jmIw
zUahN=%+7e7ODS*np4PZnTaJ}+r{7xFcTpRKMK|^ewlAm>Sbp9O(|9q54IDqKd8k<F
z#s#0!?cf@G)0G~8)v_r73m&IvN9KWUHcl_Mdc7+7P-j@7Z*)8B!=xXHK&;TM-b@GR
zL)~pzGqZX@Ll1~Tr4%vd1*<q`CPbJ{SM}pw*3YK&hojPLTc_M3^bbhraxioXT|9Ru
z%@6FuS#P#InDxS;C9A_=*y4m?HV&td;S6-AH4aC;P!O$=&PQpYE`6PdS~xF-*>K?;
z0-s)d6bz*Yr2^O`N#wj{gB?&%9j6krvF`VT6DK?h9w$?sS}}$yD)}&E!qEA-DhwBg
zw%P+Mul+h(31_}s2Qfoy1UvYtzI7)#GNkYqfiO`HWR7smoo$OtQ1HCYzCv3EKS4Uw
zN*b7C+nihT6%U1PZPoZn4pVP?rx((5I1iSlTLG6GpeaEIm+id1TCw;b453&x4;46~
zzMvYro8nh-wXUzBeW*OD%8ZV+>8x@GgQ`K({l}K>Db}7rq6W$@Rk?_xQnvCNG|a-z
zHP^I#5(wKaOpX2J@7v{79uxv#JPSU=3=F8<n_*`p`=M&ApDByTnvv)$tka@_FIWuc
z$ovLo1u-TkY6e9T>9xX@IPQ>xxOosp6ASpBF<YI{INQT4hm#O2<ao7Go8x<g8cS`C
z2VE|vD>xSZp@NR#1h?hW&N11ER$?qgCr1$aI8^Av4)3eR99`*DUfdlTFMv(?@(PLZ
za8h}FTSddBBT<k5y~s#0S(jKxIGvdkx1#CRri-s?9V!S!eN#0SYP2&H!FBbE<0Bgt
z*Kpa=jfa&Thr8lWhEeWU#R^nPtGHvRY-_<5i!VspANF}Bz=7w*7*k<$r5#<aa_X%w
zhYB7`Ij<UPGC%M09X=8+D%DcmY)#5rxqumzM}Ck}x85psj9$_4GpezU?aFO!v8Kay
zb?v}-tcF^~iSN3^P!!tVQjHDQ8Vm<IhtjU+I_KErQDl2hHI{9U$Xu5ThbQYdInzZ6
z?&ys&7G(CHsm8N&pJ_Z@`&J&#1sTZ2WY)|sP7E)t48MVMHEaL}|GYvX8+X>;yE2~o
z;tCDjNgS<zC(%@1S)tNN+c%I9Pzi-(Mcd!;ru<ZtjRNtbtq{)up#aPfJ@v!busHGv
zj|qi`SqOK+KRos#0{9H{$~$`ih*>9)u-^kX8-(XzAOOWcK!>Re1~yJZw_1k^46@sL
zL^bx&#o54xsCmTIj+5KNA_R|A$|z08^zofM25hx3F^mv(akz$HTO-jr<8?GXo|_v^
zO>P5BbQdOE=+K*|HZ=|vyXz(Ousgs^lu3J9xfa52*c%*mfCy2D*=Wl8`gW+`C6o)Q
z=*#-#sf_&AV3GMbsU-C```f|25Gm{H2GL|V(0xzFg#@n4Cp%Qw5qGQa8Qvj$g5y5b
zI7v8*cLwX<Un3l#_3kRI?%F##o1nQuqF-YIp&cqH3Ocwy7g~e_rIU@Lv=5ZbJnjpQ
z_QN$<IC4a9?5W17ZsF>J2Vz`D5J!7Dt&+JxVY}Drbi#Kv4;8yLDv8~?n{|il>>sSo
z?`wQ)nsH~c?h?duPWg^%92wCm`=~gVr8|Grj{&O%ox%??qYhk*qFYLfwG4&RsW?xw
zz2J(Bse2HCs6aQ5tH$!#^@=0;;o1wH754lJ!EAKH_Zqq4jjy+6)w^L#9IgY7x?O;-
zsQ3(8rW7|~#!2{={}Z>twT|<Zr5SL+F%9<vn-_4}jg4O8{EN@r^H(*g(0WPL<3{1(
zy5<z;SW0u@zFy&4%`Tbk<7n7)Jey2AO<mvd^pnx1B*9-rXtPebCnPP1%_*BYvYlt{
zY|ZqfRxeXbmE(y+!p}I`+vcog5pZ{=XJ*;BYgN^w9XQ&Vs9SfWyP6JG{xt@Rl(^CJ
zY<b^rqrSdGaUTjgAN6sNV|vd<@V$Qi?4kSEpPB9UAZw0#Go3{=!;@nBQD33C@N5r0
z>M=Uz>gyq&g1bLPJzU<KJACY1)YnP3X4|kp$9JO+`N>|>y!|Qa&|ybO4OO!Un}^nj
z179@Ym0Qh5ds{arbwUicKT$QdAHm5de>&>vav{Ow*ye21A+7-9Y(I*?1UU~v>k(%y
z(o=$ns~Jx;8z}m9Cot`V^{%Csu*ep#MOYk(m6DNpUXMEUxG)olLJ;F()TQnJUTX|n
z44Oqf*+4GV>oFOcdNS(T!m-1EQ3Rc6fo^g{)C`+BmQ%~1hjMede;omLvX1U5mrQfU
z^ikB!;vR(6?ax3IpME();119z8>MFc+v+1ZQ(A-lX1B?|BMkRbRr7*-qS5A*u;zNs
zJ+jY2#d_FK7dQ&E5KE{#LeowErqq_p^p~hl2W}l5Y1v_!;q9n<G>nY6m;n~IBedP8
z0wZD(Utz(tT>0bmrr(9FtI@!aam+XF_v5Hjex_TO!NFO=O|sy%i+ZUmVumC{P~aac
zeSy|LABK;?zgN|B6nQ(GXnq*s>;Cq%urBWM+)|hCeuq2s7@7QdO4U@+W_XDAooF1u
zDQjpy0)}i`JkVR(6((Pek&67tMF4xpQrJna*-pn&Ue;F56(hH+_wfiLx|mikM!6jK
zl2>dLWMD&O8G@r?e|FlQF$8=_Y%CkYs3%GW7AM5vCovAunR__)d?xDB8FQ*b-H@G7
z_|K!hDBhgCVfM6Y%<Sl-0B=R(R(v{Gi2)XdtPnB?zFY!zmmxPO5JP7Zg%muq0rjMd
zE6QdU#m`keAYX(WZS>x)>XFt^NFTw!xuoz|CvZHA1oy+JFFedL#S!jNE$QXEf>Ke<
zaL3}^Xq<vY-iHML5kYtN78wDRJ{0xom^t?tj<wAit8P;<qxVGeH2Xl*xiixRac>K@
zNiXk5UF;2-TE-Auc{_KboS)xEXw%VxAEFw)dFphullIebOA}-0an!Yv9>el>f7Gv2
z2$;f|-;2OOC!^gg=VK@8A<fy<2*wAaJ|1C*8Y_De!Ml1;=n5SehckOKURp)5mT!$P
z1D7>6UlcoC#C|>+t&=dt_dbL-1#U%ML8(yJlk%*F`NKEbiKn`JmJ_3<UWBjrFLty>
zml01IMhY{k3)XQfAJ&P$?Qywl3K4^CKZyEQZ0p&v9lA4hKVXdQb6enX?q$3BvCe(-
z&_jjp(OxzOvXwTlr{|x8lW`4dU|=NN>(S13*~xwvp<V7wy-bB=!q;6wX=D>!^-0w*
z{!}!kHJc7?^v5E&6xI&QJSIgk=4EF%nR=;&*nLr-vcgE6!BMzYvl}S5crHnsA+LOl
zd@~wZ91jP{w_-TqwUFE<AbGqIp@rvg!)qcxh@i;D%JAn1w##FP&R%r>Th!UtId9oX
zP~k`xyr-0sn-~XR>*StdsV!mvKmV7gH*65{?G!%Qjk>Ta7ZxFaacWcKjgO}GiFpA3
zChFnVkl9BIFGPKV?xaYCe~6$RJ(%ec%)$ERdDv+<c-V<!?C(YW+P_@ZJ<@V({Yum~
zn}meO67$yxtdl>PTUN_OhQ}A9?m^g(Gta+A(7lVxJLxp)>$E02TSMMP2*zxy%YK!|
zMV=JGZJJM`aY654nc0n?VfzzO+-5|`%T~Ap{{0BuSIRK_pAmedGdU|2FM1;CQ!eTD
zbwY+Sg;d4XDAxE;Z%)bXdI=}rHeHGO!xho$RW2^|NQ6{m9Q+$E<?_Y!I|BzNgMJb9
zghfFwCnynuOeG3EuyEp8A{f<hk`u*alJG762Uz^wUB>m;$@x0W{~=SJ(%$A<qJMDd
zYGYq}-p}WAZ+3O{eyiH|oM;@oSDT{E0_T*@j6bLL|J2yix^xET%Gv*`E4XRn>40;$
zUP5?BX%3oqE8^ZR>Ab7s!AAuDkr<+VSHQWXo%3m(cnJUC;OhHY;GqxC-NtUf+0^VW
z=x+gkSmy@Ev@_Z`wkw=ps?9#=O<k~tkqY%$<J$rMKzx3x7y)19_`6!GX@7F*zr(!u
zstunz`ZIlG`GVm8ed*xXmhRyhzNgFQ#|!+^;`z;@y)VsygHGPk-xlzLgJVN&Wu-p-
zHH5LRO*Zhq{rw(oGtSTs`stQ9r*yC1a-G)h09#16oA3-j=y|5U(_!qvO|(rDeLhjp
zq<v@6o)tQ5NQYe=F<W+I^jPfmJ@Ca_S6Cgj;rS8$S@xgmn$m6NZ3}}0eM%H9JAB?I
zIDB^HC-B_3hW<a*A*$$0Kj`5iZOM+^&F7x>6!3=5fm;@I=(*tE^r3T4K__jbI-L|v
zF?32}?UQ)bErP?(IsKV`eC8j(7kl`yamKQX;de!LM?dy|#(to&T)yA~uR}+&oR;lu
zuhZIFe_8N`MqSaL=S6R^|2$BP1@73vH>@Ap*3So;)pVH4dca=hr`c#mIHz^*E$0ne
zFXFKqV(@>9J#>!j=p5M{N55_Swxsi>y!@<iu1XqkVmqQ|#-jhP7juzMJQsSiywEYu
zwl4lH%e{)zFGA<w;21XbSmyG)(0Qhy-_l;yWB;nSb{km&9r1(zKUU!HYF@`6IU&Tg
z=E8RG7dXJtCp?_eg6SAR|E7aanz#KZrto>@#mC4GwjDMNIc<1w^<6Cm)-(QNe<m)@
zX)K-sKR;J1_oX*-|IreGEXIFJ-ff*QSCB>WGWMlnEPA$$h#mVgZTkr}a(odl@cDlf
zJNSw56Rj-^-QJSxM{|**(ADqm{Ct@A_F`Vf+D6FkJP)6Se^qDwrU{>U{wH?6S?Z^&
z!^j2wJRg#)kL%B4v5Wa1>kJKhsoab{od@pFb7#gUO79mAyCueYy+gN87W|)(ml(gJ
z4Cprb+%`HTOW2O5b(BIIyJOQu{(Lz2gZ1-VL7y10Zi(4b0e&^;-0KB&JQp~|CoZfj
z_^~Y5{i_B2?}-EROis3MU>Exjw!>H94cYAv<W=yI<r)2%4*ImeF&C>V{s|AZ?{{?$
zZG3RvEpX7YWhBPQjf$^J_?}~mwsCHeHcbcmp7%ao;~0J_ie+?VTa&{bv+(d<#Djeg
z|2NO*WHaDg74~Tz8anPCEY}YF)9WDl$9WjLIHzG3)9fnhtn*t%#XLW&7b4vz7EBYL
z2hN^hPseA@T?6gAjE^3k6%P9)<h4%jkJhG7wa(tEr!>jW@Uwv|$~lio%cgTmF|}Bm
z-q6}5f+rG5ezx@CU+GSc@sZa#6P}&7@nQQp{_`|*75-qHFDrAIPFMWnx10KVKjN9(
zZaqNLzKtHNLwK;S?lwMjjBmg*`2k;jUVom8EM^}@54P{;CAo2+>G=9%<Bui$-*g>n
z9QZkoTwyQtaPSA>h5Zci&VB~jy??`w@WVO?++#n8<VA<}A8;JMwCzjy6}G$k%E49q
z)Bb>ez6d|kGx*M3>@mIsKg!d{Wm|x=1-{lY=y*N4sFr1f=E;I4er|l|*e<MV$cvtd
z-ymZ_(|(9g+V1f0Sc8uFB)6E(CxV&>bQ1IIvE+YzRXV?$wb(X=emoa+{!8Km&;938
zh!Oh|@TUqHnalowe(c-iH|JP*w*HaJYbf~EA->@~61sK!OR|LJdPt|8ZZog_?JteL
zlyG>n58Ng0jsLaCXYgU?XL6VG0Bfstg?_AC=CWMm4eJ3qr-B~1zT*ln_tmjl<c*0u
z2z={dPy1EJAbK!O;>-JL^0wiZlugV(yjfT1=X99&;3njC-ar=X4IeX2cry>oYyF^e
z+k*VyYXsKx?}|PVz*=)(nCos)AC~@%?d+@2_t;(S8#g372Nvw>ydJTR*x%s6vA|l7
z{}T)3ALPA7m)FD*F-UCUKgVe+Z+xUZiFE=G$Vd)>&wC4ea<XNIXWNT>0-StuwwTK@
z+K0c<_(4e@{WyN{XWIpv+JBJoOfl~*k&m&TaqfbSb;W+wy26h38SHC5Pes0g?>W}6
z^^?V1tcmD>H4gpQAE57fv5RvBbUZJ5b3DR>X~KhT4cz+NE7pkf4>mUNlc2-D<$L2F
z7W_cpW1(+9#GlREUWg0n|0;Xkhf7-{mvcC=U>`uY9t&^2CWWT$#lFiq4L#UiFYETM
z{RCOOr{&xO{iqzn_gD+?J>uOy!#RxO6g^v?*gclZ{E+7h|2&}mkLW~u{-5d3JYW~E
zJLCa)mLFb1pKimy{fadaIBO#Mfd~Bjajj~miB9ZSv^&B<vbTzT%iC%Lw|zeqZ{Tw}
z*3;jD&bM=$Y7HV@&J}dfzsKILJ3Ge5udEaJcRSz39&7wfHv^E-zP+#51g9m1A*1sc
zKI8mJ?AsPxgEJPp+!n>u9~yrsc_5}7kF3{W-zBfW){aN`w@<QfckJVzvCl9Uy8VKz
zZW+I(!$-IA!k2|ZE<&Hqne4U9!`CA|fm?@N>HH>*-7IY3brzlz!5iv9SB|MSqx=cn
zK676A)BK=+%g8mRbw%4b7CqbN@n_Q^_ZGhTcl6-+Lgx$rf4HQB>_01He^YsY+|IG{
zOZqcE%(c+-S4w~QP2)Eu4s^a&(7~U*=Dw{n%$N>s_8!Ew+xUt3M3$R{Lk|B+q;ule
z{)2w3XYzI-?*Tf0NMjq)IeyYnn{VVC{1bosT=>i3%nJ|XSk5tm4izKV_kO{-=0%5I
zf6vG&mgP24bep-HhqFdj!pSG*;g`xR#)p6BUg%pEa;9Zuy;C>^pM+1-Cywj`$Yp%i
zqrkuP_GqEoToa3Z2-yw$@(2X;IyQ+l`!n-;Z;9O<3&`laNA5zO<SyWM6?|eN>lqyu
zcKQ21DGytA@@JvXgQv9e8P3{ayR(ivKf{ChL=V=<TqoEbix1e}9@N>d;WsHV-Trso
zws9MtZD0KM)q;Ow$8?yNcp-0GRu1%7@Hw9(S766QT-;pp58Qc`eHyt)zPAZYU-SN4
zCsqrZ`JP1EB3U9WeTMviK8Xcnv@c;J(<hG56?_uo_6O#&u4sFI2p!9QQodjw;Msd)
zcm|&D(>8)!oFm~grpXyQ_5zMRtvBG#S7_G0%2@jnz6yQf4jkttc(Ct5(|b$C#_{60
zfJ29T!dS1}j5VM5q5XEE9lPb_<l+vE6$|pJz0!xt|EAAa$38jjTf*mF5A-)^>#TtF
z(Xzk;wr1T&=cYqkTPM)>9)Jk{MZp7lus-pzN5fo~)H+-0hp}E4;K#bUpzB1-g)H_l
z@*&r%jRtGbVvYWN<M$;#G0RwN&0YvT@i+GK_9d=i!8wq!@E^x7eEt-;Vu7`oJkZcw
z*cY2Z2OA+5_nV;Ux&A{>y_n~&EC-It&7U+rDdEiJ-1wimi)s8@qjli{{mPx;=)`Lx
zab!P-&X(wNT@RnmC&vWySaP*(O^&jSkdeIyGU5-m>7H_h<wZuv*VD3!Y5uzL>#_}w
z{g4;|2c6?f<_FuE2l)3~;5&{u6L7r1+dBnsujvU-&%4_gS)a$rtInl&MtVb*g`b=b
z>n1Y7!-CH|x3F%KlkMB+(7yL@vCqePj5W?~bUzWeZNWax>lE?goW`D?Tqiom(El&h
z;=Uv{-3&5v-uOm-ZgXN&cWV~+7Kt_IhYdxh^+4P?rkJZOI^1_dZ?6QJ++*#QW0A{w
z130ljUZrjSVJ_1F?!7Mbt!L=JUC<{MtP}juV~IQ9tPA*nb0cdIcFFHC?UnJ4KiDVP
z2ikwYH*e_K{tpk|fCt6wRsC5ftlj9}Yqx2>B8@C?x<PNmEU_PQf?|jJK{shE_wSg?
z{)z4GV=nm*dlJh<zOpZY?-==1kC`~$ftv@ep{zs3o)b;{3Rzw#=yUzzoWO|;v7n8%
zEYU4($GV9u`TBBN4^Zd4p=a}nz0L~G*)L<Qe`HylD_$sbAn|K|fR1^1LK?T;z=3~!
z<~co}YB==a6FBi`-e@}($UnZ;AlA?i`Lh-I`FHd}ifQ79-UD#|&ie%Bf+lkzqw@)|
z6V?J<90Iqz$YOcZ#aZ#q*v0xmF2^AHvCk7P-_l&HiST3D-z)YH*baM{2WW19uXU4o
z9T(Wz^of1j9Y41(LC5?cugAU<tsT&@k8#HJ9nA#~?3YdlJ`Zj}7IcMv@a>>y`8IO-
zjDorBx9|WC`yBRK_5oyZ+@VkFkX@i{ge~AxbLl+xbeNZ1x~~^Rg5S;?@`t@L|G>ZZ
zJb0vi0REo}{NJs6R*Src4(&_KW&M!bS(}JQu4{s>bpPnjdZ5g_A)|c&{ulD*XZ83V
zxdI-1Ztq;pT;`Lp_FLl4JQK_24IJwVd67M*-!1bYcDL=2%XG+l&Y9@P`3;>|=h$u$
z3wtF#bQ~9~p|sIIdD!}aj`?SY2hZe8WVAnH3&$z4m<M?FSmv_-;3tlE^lZJc_L(2X
z-mkg1#w3m`3-j7n;nQn0GTsYsA;;#|Q~92)Tjn(K<XZ&}whKOXEsuBe-`BJ5_5t>;
z_;YTH{7itjAePS*bl}bL&fWuGV$C9Uf*ln*Te7ZclE-YX{pef~nz_y|$piKp$DyzD
z-j5Xv9!qSV6P%dkgfaM@-pfL_)&q1LQ}~1T30!Fx_{Uju?LVI?<J=^QTw5{LF@hZz
z>sPKT^nky4F7){td`jmZ>d$;)BgYFk&lfn*XI|D#a=Ud)?tMt`h88M#w%xJmGsRe9
z)@#b28h<M1!cWW(JbNtojw$AKJmRb9N3vXEF6RyMK+uWo^<uH-ha+fuEco_k_Uh2V
z*5q5S%gFmi!87w(|KJ3FkPeA`xA6z(nXkwvtwY8xbeNw7;m^d2WkeR!Ar`z(0LT9G
zR`d)5ynVmm4gU;0OJ3%(ZjsUJ5$mku0zMb~oYq}}-0obX*=NwXefwYa%A93+U2Bco
z@M)bemtz(lEEoQ4xoBJG*uwr#jM#r@n@?iozJj+WmGwODd!p_(wxG@a2VXTm%w^f3
z8QXo4yKXM$MPBRti{ilaS<B#uT>3lx8GffSpxgL>{SY2(FZ_xe$XMicuH!lv|74vd
z=Qu9l)BZzT+Yh<diGIje<aYBzj`h66j_rm1nHPL$S|{+Zko~PP?|}op*D2ctS)3b3
zy3Vq^_>W~|tk)xaz<Z>B(Z1LC#J;bgz;P^d&0_svYvh7wWO2R%|CHeDyLbx3X9&M2
z)?DJ6b5!er*bly>Siq|c#~&;gv6BRv>=|wgwh)<{u?zU*0r+t~;k?3d;Vl*37=s5Y
zdDqX&^F2{@q0e|fiQ0(~^eGoEabAzwiP|p5)i51DM!!0j-)sP0N9X2<P8|-{kDjXz
z$4@68H5X6Rn~q-y;CrI#!Xwhg`Ek@vjG#{*mNw3hqIROT%dKh{$8RpJ&c(Cf#;KFb
z@BV;Shr@p6dUX84z)^Jkn!-^yekbK9oIBRw$1fHfMaPfAABE$`*^k2U8!1QO@OC-<
zN8#|I=k;)SljV9iajd=;;U{X>72ddmE-|$=)eFI%q%Qc3oDTGY_}a*0z2CDAGU2Zm
zr7qk6?qfHAdvP6H(t>!ns8=i2L5Jn;h4sWE1M2<Gb;$~KZB1<JCA@X$V(1UMYZ8Xv
z57(nh!tLqj5yt5{T%coqCRV>Xw+=d4c=FLqFX61m3_{Mfvh|Q5zL)7e-!**{rRY_}
zb@&GL<Ljfcc%nafoL*fs;rj$}J5k#OY<L!Sc=ggauL|aNqP7e8EK%hPq(*u`K(`aM
zUCd5D{CJ`<?pL?liBa_lHu?^~Kw*S40=S*1?E*4N(eLxQ`+9VjWUNDmCd+4dXPh4w
zzP{2Kg3|M!5->M)Y0uca&wYK`B3l-IB7)Ja#jr={^o)MhjqeE^MPa3nUobcR(%{F1
z<c_2m$OnSuZ&kW?X_#NWT%8j)VOaRFtQ#6h7Ubt4DhEBOPIn|~yI`^CMKz-=vFexF
z=uA9NpQuzXQCE(6NPX@|)OJBD`R{tTcWJ7J)$NYNWAsU~%7>NNc&%~hq#Y%pr9pLO
z4}*rCmKj-V5b1!|LbGUbSsKVOzbPhayM#Q_`gpb*<-VnXb!?)O;%8V)cWK-?^}8eS
zZ2DwE|MrOcmj+%Gf;$qmU9fkzHFek082{7(orwqNlTCM5uYdCc-!;+qicm~5QQIY~
z>iR(!_btswNV_BP2z{ayeg#Iqj_K|j8mIUEKf}22VtnN|cykAB7mTpo>ge|bZcr;2
zAzFf$gsU?GO3@g-@L#TMYmMWoVeunf#gBnlnk5R)3DX^k+Ad_X@&$h*ERB3#816_s
zOrP+qm(`zs;)(FmC@4$g{8Bp|iK+_;W_c5|G^{R|SU&rc&hW+*#Hc|#+V-tA7bdI=
zhC2QT28}6q&udLo4C+|FOM_kzMRz1>yM#e{JKKFrgI*MtI}(r3XBbrH%1627K!eUb
zwr!eAlhutw>!a3Z(ICI>f%chhX{z%Dkd8#v1-Ty4E75#6kB>&}gpQ&R(%|mtx99*F
zzm9g;`Gj9VGv*RYFGVC0=oN)w`A>9I4tr4D?nsIue2|D2Kig!Cr5RrqiaQduT^PFf
z$rfWQ4ZR=~cO)LCPvXCPOWg=dBl+TvL~R$0Jn8GF1>CtbsxC~zD1Pg!a@1MTbVuTe
z^of-*ocorh@{gO*nW(yupo(9|s2um0`rVOukUsIhS*Lo}RF~9nE&a}dHg`3Wy&{CF
z$<Rmmfd+RjiB>miL!<VdtQ=CO4ZL!1Yj|Z+E!eX){Gs{18{Jc&jn%8gCAsQm!(_$J
z=T!<<H!cX*->KW#)eS@WSM+~wtaiq_Q5qEdEYT-iQuKL(W4@%QhRaZuaH+KtF3o+t
zijH8F@J;=~VHLjksH8uyflGi&{KiHN{CM@e+PhZMIaveWtf7<Cz~?pa#<5C0=+e6e
ze!K>LqEgTLpIg+xH*4TY4O|vbNs4Me(bv$dfXjs{@rleTIs{)895<<gZ`Qz*8u+{h
z9t2<zHIl2bQNUK=2movqjsR8gDnA$Mne)~7PyM(We&(+=@RMRXDf%M*&z#(-flGi&
zd<jqqmjIRU%^J9nEAi(waA~~~zp+sRKVAbrQ3F3&1K+HHCpGYS4ZLxzn*YW|4g7cw
z{6r1>WDR_?2A<Tw=fLNx8>&Sq^ND>YQO8`h3dgXcaEK2|qB>Xg7&XheLa+;vsLoZZ
zaO8HOB>H!*T7|PII3-b?t5)IAM@dxYsu9jZ%#o<hRVj(;Toqj;s!j;B=fzjrCPI6@
z_^MXpo2J<~&esLaXx<YgPN9fIcyrYVr_`062Mi_AzjM`+w@rOfNmS>mB^-cCqB>VC
z;e1g^ROhNCJhZCdIXA}7ziFTfKX;kXXdDm!Ci-`-8sW?rIJuCAapns>6ha=x$$yj^
zc%!iy{!R4nTs4|YkA#??M6J9%*Jp$i%|%Zo&O+z8dV-8#M|5JG08Z3@1Wr&;1y00I
zI614Dt6YmUMeu^_(Ai|N>)<47;LO*+2{#6=GgmmPHqOG|a<4Hw(rv7hpp*)n$ggsx
zRNzGZkb6x9PHe}Zv+Lo^8`srs@R|xbua@yH8aPu0P83tZkpT|l#PK4WV!fWLDUwB5
z!O_HtdgiLNIGa^CjU_!pME|YOX)M``&I+7m*_CT5aF*v1r-yM?<dT98<K(}q3_LIS
zeqgRI8wG?9ZpkM!Ldo|AbG7SnHY?^@<tJGKXI_D`%1^$RSmtMSuEs{vIAn_zJvYK0
zV=lZ%u4Q}4gDU8(;)K1&3Y`^uH8u~^ImB~v7^iXjQd~$RaIUFFJcspkE*SZPlBix&
zjc@{;c?3(;z7~B~v!tWY3MJ9M*Ho+M#QT#voRE+;K2cr4Dd*Z$A0<(}rW(yv;?PG)
zRIjO4;mif6B&yd`t8lEKBXNp>N8%I;Iua+^w_Iz~@KY%0NIIJutdgi+Q>~PXPL)LU
Qnreg-e045ZNKE?p|4tv(!T<mO

literal 28139
zcmbW9X`9@(k;mH;MR8&$>ujRjiQD&W%d#xlxlG5h<lBy~WSpai(`3)k)0av1Xyi?v
z?GLbT_7iMA#lGFIwfiEE_x}S?Y;-p{LkaVs8!S{6stSby2%zUbzWUq$-QDZ;K6<_X
zPBvYfJfQMj%D}#<9Qh24^xxH&gZpCd>nf1%QQlGhvCpGyoDPPw$z(SDhCt_)57II&
z%beoZl!tj5mnn4rqMWDWct0JF^4Wyuf2e#jE{BJMVxQ_C)z3Gx@^COu^T|1ZKpkh(
zBbtEIWVV==vnfp=bUdG@(**Ipuk83ig>K{7@QCmGlzrRfjLLhJXCi~$50on@Bx_Po
zg^uwe$;v@I9HvD<%m1oetd#q%9`ke>Pg3}O$34Xfh&-n!>2NZ0LIKKV!*Yy-8181C
zl_|FQmhvQ?gFqcLi!$Z$+sa=oW@TJy`8_=@rkDVEFDO^?Izxa9H^AgVI;UlOuh3L$
zuV7O&D`e5iQn237rb%sW8Dw7a<c#EO&yzEER+Oph7bKRkX7iHHqhE@{MVZWQPO%P(
zH+Bukl_`hEI0?20><%sJ(oeKWwfs%3pcKTlp`DS;(9UTpL&IV?n@-bViNtg^eK<fx
zT7nT3<Y7FI_p@<U-n!(?2|5i=;^AO+oaT9!q$uOu(D@6ZAr@KwJJQI&g3gNb5x8)^
z86TyCcpT>w+H^7<ro*H8ESr{tJT1yup3)8~6}O7<>;Sbf_&#<U6pI3%hZO=NPMl1#
zDg5DP8f5cf;0V+N!xMIuBY=*;i)nVE<|_>lIgu#&>=tYh#nn6ag~BOa$lWrHaLAF^
zj}V$dGMJf39U;yIVc+MKjlH0u=yI1dhci@DIdvZ2r2gm1G7FE{j8@4bhmDv&@zv98
z=;U(lmzHz2g)EqIax|SKL<PbQoaz5Tk><yup^2X=)5Kf>phO#NaFmV5xB$;d-~zyY
zq3mQzi`gO{x{$XDBel`+ZrXF*g|KA0iGD>5)E&u+nd@C*6I>lS)qY?dWC;QhFsU9M
z=CfG|@4knW<t-U>I?9~qxUO>kDVTb64DruA>b%V3%20l&jbtdqB0R%=U%Yv~-#?ex
zB*l<;$na2RhZ~U%WJSHjIK{@8*O@k-#mO)(+#qErj?=hEF+6rtR9l=3vdLso#`|Lj
zhBxNLdDJIyK0HKq7u?cvktGQT%BW9ESCpx>q*e)*1AS|TD${&W1;w?{XvpC=7K9-l
z)5NeN8(5Iv*kBWvlj3;TRT%6CmnSy4%;#gxLt}*j7wXT{itd3C&J=2Ol-}yf!bSkY
z0(LkQX;K_~u^wcoO{ZTh(nabpHa_S`(v!;cGnu4urdbPOni|dWn{l2DGB;f?jPi7N
zjPHPNwX=nb;ke=2<c@GmVEWohxGA={tQ^|HTxOK*Ybef+7W1yA!K!e4sD)#ZRxaML
zvlwV3lz=UnRA_Oa`Ro?Y)D4+17~*Am;zm9d$MHBz6paTO($fNa!Oo4N`D~mGZxLMx
zZwfFP)nokKjpEs4uBFGInhxj%XoZwcW$dAw<J@%N@nY8(FdJ)Z4=Ub}Frq~!Vdrrk
zPZ;F%n3jl+zwaina0CM{6nH_UVNpBP^7M;&Ud1##!cZsaWIxRX*h&y%gHM&io{h%`
zUAq!vp#>JgQ7nxWOIYd#%U!Dqzab@r{#F?lmK07e4bX8~tfo6#QW#SBO=L!umy|<Q
z%t?!3k+~k8&+@XXa!3YKqB=fnL)cB~n&#7Z(!>fyK=+HLa;EZDf-f0iLxHPN-Nbf_
zg#h#*X-^sVuvo!5YLFhM(-L2GemGx%jAOXT%PpLELMhhulyN*;f56Jk!4%+fq~1u!
zDr_az8tB6066)gYlpM&byXu3R!|Ck}PV@PEcG8uJxi#a1u0wrNIc$tjv`KflMXm2M
zx)4$=d8&o3%3I0W*;P%b_R+Ajz81P-u|P}{m8A_!f8?Npw8%{lh-K*Hx|4-UqW;Yk
zzsg&JZY9<|*z!T;&<r*tPDXj7oT%mOG1gS&Ruqg<XAK8&P9exvGUvltDBH8vIAuD4
zE&in^EzVi=z!qJq^^fL|IKduHUoG!41yZ6dj_HZiJH>3AS`7AtihB#Kx?x9?9v45>
z(^divv%IPt_F8;$>BX)dW^Rh(hk=3Bb)%12NI2D>SVAEg>*A&k%QbtaO(NcLkMUMO
zi;pXZwlEhtn(cqC*S^8Rg_5SGMYxsB!jWo1>tw^pog0T(O!~Dl9zrI`OR{OUAM0I2
z>ldOs3Q;?Wr}2U8wb++Bpl&9U^J!It_D+WFfx-;~-hP8X;RefDfr7@LQ4VF-%*=%C
zU#y+X+T0j?ndXgC2JN8SRpqAMI!N{Imvvq&oBAJau*-^Mdb?fy$p(*MoQ=BjAY721
zQf7TbCTXqBaOSaEWZ4YGiwb27cATX*!E!;uz4w6c!a%k0L<K>{rZrk?jbIkh-xX45
z;bGj_BGyTLu?U^YhLk3uB#Rr@S9d&&Egb!RL+tz{R~+rQil%kq83yYsTUxEZRwcjj
zU?}0YdDRC3h9=Aw!{e@^SXg>QJVG1J_KE(Afo9BXer0sCiR&Gk(v~tGZ;GF$=}Q+c
zJ^$k6rshHeSlOobp#V6Yxp_7l=&fXWz$AtT+ol+A5=mj0!-?Cj!*h!-^s+EkVJn%t
zzN4DZ*5h&KUN<TKEEY6ICMhnli+jnWoKEM}8&Xzgvnf^rb2=-uw-8i7x|vW3NqIeB
z9<)@Xlhu2$0mE-o?@t1T>J^jD>fy|IBmsdJaZ_*O)r5Tms{MZQU^=UGLISqNw9d+J
zxfQb>wh~xa<TuKFWlI__TkkNZj2yZGS<O~8o5Q@ztCTJGUKU+wEgLI&GKstTE@mS!
z>4sjx@&!`@tM<DQ8ZTzEf$e7%w~`s%aKR^y5?q5Pz3BniOnm{E@YqE=H4cojJiQr@
z$4&ZSPB%l}?sC>PlinAD(4hO{g*MP<I&J9~S#3hY4yZyV`7ve_mfvS)h|rwg>hp0n
z$x7<oR%v#iUG6#d2PAYk7&e73o_m;98}@FmH#?Xv#%|M+*<m`1*<o1ZZWq$+fgZ-W
z+v<gbc+IsxN)dDEu@E=6Uy88q#n}yfYVlDp6dn``5SJiP$(l_MLBVwFN-T1n_qZJ=
zJPH|$QoB~rkj14ULnk`A+E+zjziF#A!1~;;y%o3T%X<(l#B;>KPxUk^Dr8vUF9Oj;
z6_7UEHg|R)DM7*Wl3N<u+W2wWVOGLGksYva%_AO)+*+#fNDNc$@Nn$Hv)d1rrDKOn
z3{aDxgUfPWk7ihW5P>kPidzYZ$ge4f?xyjpan;q=us&R#SEfZ9YvrPG1%s(U)A?hp
zGsV_DNX$U`i!v{9WYT_hKtn66Tq{ePPXb}tMOV}R^7n)KEe{S3kT0AM(E<dmYcu*8
z&E8WE?Nc&|bR3EHhV`&`;0vaP#mMRavw<0nGis(jh>T<RCXPE)APx^4HDdwaGt4-d
z=h-pcvK@pFp~7p`+9ZBJsG-&-@pQz?bc4jg-%8jRNpM@f%{hw0U?!%gsALO5Ut5Vf
z`r)t2p+qN1<ICL^y#Usg*Ed+?v!e0+wuy&z9f5)XXp@W#lZ_bbD5pIWe-ur%7F|55
zw3SeZ{E>2~)ckNJhF$H8<D(lH*RZs&gNKb3hgF5&kdYo!rWeSh*q<0G+L~gk$rmK8
z4=3CSuz_cjF<nKUE9~fXm0fQ=Y$ZIFbWu69WVPRCCwv54Osc7R5Eu1PE?|hNk?*wB
z(OaX9u`4$IrE+LvbLF9ySmms%t!-eu(84Wa$G0mp42AXgmBWsUr?aW{p|t8bV;`G1
zif(^Y4s|<bWOkLph9~nkG1HO)-02HtdXUyXQx03_oGC9mALZd(uz_93rek!m!0`G8
z`EBg0(FaKI)&`3#Pdcw%p(kJ4;GvVmdH0h<<8otzOOg(6BOqWB62XeHJ>yN)t|$uy
z#*dal+yTM>bVG3K2U<5da)rkjxyvjJcZR>a_96!O4E*YoJphbZ3m|U22XHZU_h4WE
zN5?>$sSpFpQ&+9hRzg5lThA$nKDyc)xD*smdE2qz_N*8oBbhW$)0{e<iDSSv6AdE>
zqb?k-Zm@L-v=;Fa(T8nw;56VEpwKCdd(ok`3T-NEC3DwTRKx0kZXy-KvT-g%Ubi+l
zZ37XeFtbim)YsEi!b?b(l(CoDlUo_p(V&m~>{Jr^2a^NmUZ|8!bU;+hraJe8&ING2
zKAA(g74fL~%<y}{XK*~K90m!C;>oo8`5MCkUVqr+HR`;gvo08Hu$Z)TfzY-RhJp|7
z&x;mAf|O)=5cYu*ne&O@Sl_*qxh+TR#+oWmb%d)I9+>eS!8khBZk4(l6qb8&lDKCT
zx01OvCJEhol#OOx)(>XRH$@+IO`a58ry!<t(yx@mkrC{&&;7nE)zwu$2sRToMILm<
z9Jm-sM@p-?41-gtah_(!&K03)yNJN3z&0-`hx(c8`7QZb=LydY_PY&++5EQ88hPUl
z-?tXct6{p>y$76jT!5{}_zYGi`Gc4|a!=JqSO(W@T+J*4hYODJuzFxiWqVeUv=ixL
z+`IQb-&0KZyUJwvVsGOycNgsjC5}Qkt3#eU<MVDd7!l<T1F|w-6lF5dyB;^846TI2
z=K<OxNsoo3$#GD!z++d^T2A&Cy0taVG`?zjq#$@0&e1|wWm&IlGS!U^{0pbCY8^z6
z#F<v-A-Eh4)Ud9xRdrtkbrVT#b=aaG)UkhK{A?Oib?<mmT{*P6w*s2sG#kvv3vEFR
z+y$|Npw1h~$;Z5BV)O29GT=Z&A*)N${lx(dQSo$8AtyK<m;@(5g?2J(ZiKNUsEg<9
z=AtLT&Dt0q=;Tq`zYLe(1#r7xQ#JlXP&48!fyU_pBB8O8RDkI>CQSn~g1P0a`^%bv
zOGe0kP`#LHXzQ3SP26M_t0XK!fyF5md+c}Bnh{oht!ypmE-(#<gHz+-ph|1|<2Xkw
zh=xH;HkBid$25ke9t*1W@l;2^d$6@qX!aej|1)qaHMF-X-MFpvW;QqAVV3B~xE7iX
zBqlPeX6AOv>TJ_7#dEI&2psRsvw4c}^v;_>9iE2S1|@?r4r<g1D?94Cpk7flW}MqG
zoUL^qMr4~x@P7;Hv}KlPQ_8%O7G4jk=d+-vRxKdnCjr{gOHL4pNMDYF8W#vmFw7VQ
zmGTyyE;=`b&O(qEW`vOlZ5w*%9k`+azES6R@m{(C&lw5?B5T9j#BDnMF~HXmbm{wu
z1rob&#%eWnx<hojilqc-#uan9d$!jDI)Ek9+@AuV3xfX6ZQXGQ`BI4FV;RfbM*?{8
zHY*`8T^iOh_RZu-2)RiZPj3y}RqW>i3O6WS@WDiX32K4?Yr;DBdNRP#PHw8LQx_&M
z#@j(%;P@6SkqB#q63v-)uLX1)e&^aG))>+1y=yQ+y-7e@#ccCvYT<5_riL4b&cz-K
zXe|=bxkQTJ26gVrN69-Ax#m~Rm$jk;x37OApp(DK0dVFo1L)E5YSdv8mYwEl+KjEb
z^??A$BsGxR>em!iykcc(6o(7FHjeiZn<4yOP{mX_(0qX63V>B#SMrnrS~*|IL-^Fv
zq2`{>57SAS$7&c;?gdpFA;`@WNMM5LUEN~Z8v)qaWPX%Ya(o)p5K7Ed7!RyFjTslc
z;l>nsF@TSBo#uoJI_BM=qV5$9h-xK)YP@L~OYI3M2Hk?VFYxb!DrY!2=*~D(M|BNF
zYtmFNk_xk!;<Er>zeG6HgjNqd%<w@_ztIuKhR(;;Od>6<s!n`A06JQC;-EFvdMD-q
z+Rdb_LpjEKDyYi}y?aPa;ExCJcu~&Gs1F5jce#)XJQuT>fQPf9v~UkICV8vVsGF<O
zHS$^j_gj$8IX?{HIOj?)vkCTiH9&KBJ>5?ceiJ|uj^KAIfE{tw&Bi{JMNm1>USeHI
zV8He!x}OmOKgohxH;+|wH{SPgP(|OcR&|D&1r;16m?&uULQppy6+S2|0%)R(d`5wL
zVP2DuY0q4Y#U0)9Oi-`M^rp_#>ebrSpl(sP&_D#`UBFmsr$|vnJy0ozjF*GzsaxXF
z&dmUNe0hCw_EAum#KqzMjN9ujdL9K;&VUZO8$jK3>&7!nraGopzeO3iL(!K5bbEP1
zroRR7xwdJ{Zgl#iL7i4|qlq?6=zBM2=|8goMxE)$H0nV8E~A>JM?t+?M{mCDFc|I+
zko+xo+>wP5+4v_@8z~UI6V$i}sQc>ipahv5_O|!NMI<=c7_uHB8BOG#st;h{vsD?c
z(H0lmFh5g8qQ95L|EpK-mz#gwd%%~!uUY$HSN`g2-_|na>ng)%sJ|;72ihO{^1Uh<
z&M)*DV&&_->ow0Cy&L-NK-Jd1-V}c6%d~6d=d?v>w7_5VIPmGa^1n;63p#GC_)z}P
zmy!9ZFF&KvVtjtCS1&6g|KlEKCy;qhEBNz*YaE`3=Nlde9j#qtHhHdT0b{!VOw+mX
zhxU)2_9LB3{m7S*Ewr22`Tal!Xy5nv*y=%7{&&|eCIdJ>2yh<t<!h4uUP=GD`sg+N
zJtjB-;F}x#uh+EiI(>z*gKbT(-QJPYt0%3|*L(wAOy6@_E||X9^RnlOY@Y??ck1$Q
zB@5mY^$zrBentPj<Z&pQ%op?u_-nzTz;0#-+Iqp`)7JB@{EEi^qqRKnH<_`a;iJnh
z9De0LZ+Sj{(E`}?0>}F6f@Y-qgu^iXj;;uqzSzoec6FHQedZkUJmGoX(9r+3%Kv=j
ztGmEAc^;F7#s~i~KFDnS3%=PCn|$B%+|xSD?DK-OGCs&`{tUjAk>@*}7Pz%V+3bmJ
z%?~eV@$2-JB*<gq=%|;Oj^}CXCC~F4+IBS==ocH;@Hg6BZ3Nvb{N9pxfD76>SdD$t
z3tM4BZ1tcdGoIMNbh#(+VfxhUL)pgEWkHP=|F=Hf)fKNDWRUY6X*#t2I+CB8O|I#!
z&T!D(Yyyt)!6(iBv}=8eUY~lsh!rLeWz%uDw_DRbqE|bU^J(q;Sow#6j>urTV^5Re
zy#R-H|KQuDA8q_XYyAsO6v$?MgkGl0p6ZDku^(%zG4iVGuio8}w7pTwfIO!AwIF7`
zu_4=EgLaMQ1G22?i_csQa7_NEw2Czx^fH<8lWz(iKl!n?*$wANJ&OEe$-k>_-@o$I
z{aVMbZOHbjZ}*0x{5MoSdFp@rjCU8K?(WO;uGg|*!#6!Xwl)6;{<?>QZ}S&=nf<{x
zJ0p+z2DH~aE%vk+g&+P|a27_1Uh-}1z{hZ~iOE1)=3~SM^XC`k4Q3zOwb+7BnmovC
zeg*tdFAuW4?aQ=laPX}!u+?{kLu}kt#5Xy?F*$#rS;}N!Jeq9q|G@L7PqDxH^p*2L
zAK`DN<3+vt86U=x@gZ)TF6d}uc31l@CeJ6@wKCdIHA=1gb(O6AxJH_l@rQdPkNiQs
z@^P*2uHwdye2WF{uC`L|(jTX&&+E@<Ukh*&tpL0q?qFNf1%2U<4}UAr7n^(}IBT%C
z^k+PQ(;D!*1N<lTn^MDJ9x*#0KVt;>DSykC;q!aXr!Q|XT4Fx&p(hw}n%`o78;|&y
zjbHeD?D=3HgC7L?(nsc3Kh++xwS_$N3$k6(pTQrJm90#>HjZd(*SGbAW>&+&_EttV
z^KHuJtLS2}rLy2%z5mf>0XWtdZ_CS#4{d$o+XBbdC(rhtt#N>xUd#o*5<Zp#ZoWsm
zHaAf=K8#t5nc!QQ@nz$evW+jsk=d5A#f|&*9%3@%OV|@%!vC!;bh+Sl+0)k5j+3$%
zVSjw`@2~t*EgjUlAe)U@C~tV$*8)GMU(ClY$l@jg_<!>F=xcnyw{dz!(i=YT&{o#h
z=xDx&Jl3bgG_yH68V+sQ{0L9OM=xs^xZyx+{($|hUEt<3Khf5c$$3q?N{sjG>R)su
z)-eXp>(6jLkYrXKDq>?>rStG#+3Hoz@W3PSx?cA+eaG0O@8~0o`46iXjVH31KVTEn
z1$o}}@?2NR+GQ-WzUs*utkqXCTyQcVKeCy9ex#DM#aK4~`8eQ-JuMF4KdfmPzvyE4
zcLjF9=H|DQ&9^@caCUvHkf1xXYvTpIn17LzcFpI}tFmEV{4Uh}1^#;;A3lZ;j`i=G
znz>C!RzlwsK65Lwnf&Ml&OJL7-24RlhrVaN{n0AcoxdutGXBVHx?pFs+kwtg8K+tU
zyLSPLKiJTG4;|fns=kBI%7*Va{{JPR(aY?a^hU;0aed{7(3<Xy5$kJoG1=f_W$b1$
zFrOMevW5P`djb9OnsjGeu%)w^?6eRMlqrSVLu;2KeOsc=;J*vXks;`tJ~A9T4CFad
zwqzUDz-^as6UX-ZfVc5s7mWJTaO^zrG#uN_ISt3QqQH4IXg5;Xl5Hn}6Djj;Wffgw
zbIIU#9J`6bo|)m;vBoA2duN8zW*_!V&%$A!;Vc~XH_yUhQ}8StP2*?ca4dBeACA7x
z!r|QNEF9Yo2d~YB91Wbs$L>3v#^=W!_}Br;X?()5`m2Cvq;gxbiv^6S{Zhy7rcm49
zqaNgRs>>Fgk#ikRbU|kL>vG(s+rWL{HgGR@!6ht6hRfQD?t+fUqf6b?BLeD#wkunq
zcDBTUPUyPurSCo;b!3dZpLgR+z#Z#WQJ!{@0vq#7OZ{-83p!D__+p`RiEhH6<YGVT
zh79xLEY}YyyWwLLol|y^8`Lk)MrHEEe)2e-yBXs!1VyT~1U51Y+nviAzTG+CIa0O+
zK2ubEx@-ht+=&cZ-zLt){r<?X!)UjOjlJD%E<+B(-X=0e(NA0q^(?+?I<_Ihlj+ml
z>EQRdXB!<7j9y*XF=^Vuo?&w%<80nyTPIGwppI8$&rxYD+UXz95fwf$(}!0?41bOI
z5g}Pc<O%sgvFb?JYS+jfSG83{DqF%$AanQ44WSbyQIJbmjYN;B(kddAEzx7a!JeV4
zHTbA-tRgZ(ePdGHu&}B%nxCo8Dk7CFVU_CkoYk(8*<46vWHkCFSXE?oH10%)O@=`b
zS|e)fc1JWz;zkMEhzJMOm5>%EqiN$9scgx`k@(BSQ4sq&iHS}8Wk=(?M)z~oTSa88
z>6-@ahM(215k4#gtB6##M1POs`jmBz=1J8x(Xi+q>GBi5k#8}~)fQ5^foqe-cCEc9
zT8J<TMEZf*9ntAh&>hgZTQiMx7hB|{6At1;myK@IDs)0H1+N*UtrIYcXmlH>p4mFl
z@z$_)S+7ye=Y?q%k;;~cX7$Y=Ls)D3k}#|yGBSN5vu@hFeC3KeWCvx9?kNG9=m;?D
zi=Z{Kw&Bb4IVqCa?HLHF=`dLKb!v+)Y#R)1@-Y}hQ?H&oHROpBv(p-pU812fQnuuX
zbYZ2D$ZoYX61BPVX>K_c(K9a`G&a^oht=otomh~oe^{U9){N2jz$U$((-jg`*WUI(
zP>!hZi6IT{v3|}0$aLxl<w#{qcxv_I0mEDq=|xprMPxMkhOD~3XSHi&;ah4*Mj&2Y
zj&3BqA{49GBwgL-G>o-YA8a9I{MWa78Y%7m50zn~baFA#ZL3DAwqfF^xKZCo6~3K^
zZQ=5CTqDubs<eubhydlU_F46sNgisU!~YgZ^Qx&WsNq_=dZxu)i)L+eDE4r7)*3}@
zquLSG@zq9>Hf!LO$NRIBqFJ$LRc-ttl`UcU<J(<RV2#bU#WmBnwMLiupQ4yBo#>o$
zlfz)!pc5I!KhZxwZFa^sAw}c{LZok`B;B>=zP8{y{bu;N7WmzJ&G`4V!22!ms0F_4
z_gsqfNjCX)Hsum9at(h_4@!~GHT+?q4RE@?3C<p96TI)h+x(*z__77=C5DV#%h}t}
zQ-hrD)^`)UQXuj)D?XJ1TkyTUFdO*nMJ@1U3%n8;DstWKUe77e0B2-6T<QXRrvR`G
zxKp43-WO^UA5fd%%NDqkA@VeVJiQ$cqb`J_05Eb0M*(2u5RL-C$RWJ%VViKCEr<Ba
z7C20s@OwKga4FD;F9jOmQlJsuZ-EQB5r5eNmjaFWy`2{Lxfb}{E%5tV;QbbOv<;v4
zl$P6Y!0OgWALP2fR94!F^g*uS7xkc@ZbbSZ*YLg`^adU2gIvS+^q`-|MEW4taFvz%
zkv_;9@Tdj81in-TKl0!Da^<Cej`Y2wOp273%Jy9S$g_gWja-WKxl~@^u=!ZwR8gra
zF9oY{9tWd>Gd@U>@>03R(cvj6Qtm60BITuW6ApExNO`GT<Mj2Q6e%y2Ns;nWxyISk
zgHptYHzwt!awCoho{Do$#7dF!Qn}{S*Mm~Thc^)ArE(*VH_)j#eGw}~%1h-&K2$12
z%1h-&94eF|<)v~XjyKThI2Gj<j{mhiaQjCJl$XkNTS32@fwpk=M4%M8&&oiQm&!Gt
zJv}Hz?z8VcDKC|4oW35EqK(g`o@<<cxJr*hO@&XX#?e7MDRQ5cfhaGPYn;I64IHVk
zv<H3b&WKA<^>vOf%1h-IKF))-aMtXs^M9o+oIcPBuCKn8mnzh4{R3!?6IpqwLXETD
z7FFAAt?T6s6bWysyyC+_aov`KM|xf=x8Y!*NO`H;hJ%43<)w0svmp-#ij<eiZ8&|^
zMaoO%8pr+8u!0Nh>LYzGm1~@hwy2Ag`L1#Pp$DbNed<Foi1Jdo#_8)pDRQ6sPzB{>
zRn#YG6?@&|xdxmKd5A%gkeAA0S*45BSL7e@Aj(VSR-AqZoTvki8WGy*ZOK4q<5cSh
zv1^yPSFI&Z$Ens8r{h#>jMH)Y9b}F=;4C}fRBMvc<>~E2y|e6GtyPx7+fjCD(>MIO
SWvR*<r|&SGoK>lJ-~R(H@XL<?

diff --git a/internal/pkg/selinux/policy/selinux/common/files.cil b/internal/pkg/selinux/policy/selinux/common/files.cil
index 0bcacbbc97..d8566f0ea2 100644
--- a/internal/pkg/selinux/policy/selinux/common/files.cil
+++ b/internal/pkg/selinux/policy/selinux/common/files.cil
@@ -1,3 +1,56 @@
+(type usr_t)
+(call system_f (usr_t))
+(filecon "/usr(/.*)?" any (system_u object_r usr_t (systemLow systemLow)))
+
+(type lib_t)
+(call system_f (lib_t))
+(context lib_t (system_u object_r lib_t (systemLow systemLow)))
+(filecon "/lib(/.*)?" any lib_t)
+(filecon "/usr/lib(/.*)?" any lib_t)
+
+(type bin_t)
+(call system_f (bin_t))
+(context bin_t (system_u object_r bin_t (systemLow systemLow)))
+(filecon "/bin(/.*)?" any bin_t)
+(filecon "/usr/bin(/.*)?" any bin_t)
+; (filecon "/sbin(/.*)?" any bin_t)
+; (filecon "/usr/sbin(/.*)?" any bin_t)
+(filecon "/usr/libexec(/.*)?" any bin_t)
+
+(type ssl_certificates_t)
+(call common_f (ssl_certificates_t))
+(context ssl_certificates_t (system_u object_r ssl_certificates_t (systemLow systemLow)))
+(filecon "/etc/ssl(/.*)?" any ssl_certificates_t)
+(filecon "/etc/pki(/.*)?" any ssl_certificates_t)
+(filecon "/usr/share/ca-certificates(/.*)?" any ssl_certificates_t)
+(filecon "/usr/local/share/ca-certificates(/.*)?" any ssl_certificates_t)
+(filecon "/etc/ca-certificates(/.*)?" any ssl_certificates_t)
+
+(type timezone_t)
+(call common_f (timezone_t))
+(filecon "/usr/share/zoneinfo(/.*)?" any (system_u object_r timezone_t (systemLow systemLow)))
+(filecon "/etc/localtime" any (system_u object_r timezone_t (systemLow systemLow)))
+
+(type etc_t)
+(call filesystem_f (etc_t))
+(filecon "/etc(/.*)?" any (system_u object_r etc_t (systemLow systemLow)))
+
+(type lvm_conf_t)
+(call system_f (lvm_conf_t))
+(filecon "/etc/lvm(/.*)?" any (system_u object_r lvm_conf_t (systemLow systemLow)))
+
+(type selinux_conf_t)
+(call system_f (selinux_conf_t))
+(filecon "/etc/selinux(/.*)?" any (system_u object_r selinux_conf_t (systemLow systemLow)))
+
+(type extra_t)
+(call system_f (extra_t))
+(filecon "/.extra(/.*)?" any (system_u object_r extra_t (systemLow systemLow)))
+
+(type firmware_t)
+(call system_f (firmware_t))
+(filecon "/lib/firmware(/.*)?" any (system_u object_r firmware_t (systemLow systemLow)))
+
 ; Runtime and mounted filesystems
 (type system_t)
 (call filesystem_f (system_t))
@@ -14,6 +67,10 @@
 
 (type ephemeral_t)
 (call filesystem_f (ephemeral_t))
+(type boot_t)
+(call filesystem_f (boot_t))
+(type boot_efi_t)
+(call filesystem_f (boot_efi_t))
 (type system_state_t)
 (call filesystem_f (system_state_t))
 
@@ -41,3 +98,43 @@
 (type hosts_conf_t)
 (call common_f (hosts_conf_t))
 (allow hosts_conf_t tmpfs_t (filesystem (associate)))
+
+; TODO: modules as a separate class
+(allow any_p lib_t (fs_classes (ro)))
+
+; Random programs might want to do this on all FS's
+(allow any_p fs_t (filesystem (getattr)))
+
+(allow any_f self (filesystem (associate)))
+(allow common_device_f device_t (filesystem (associate)))
+(allow protected_device_f device_t (filesystem (associate)))
+
+(allow any_p unconfined_f (fs_classes (rw)))
+(allow any_p self (fs_classes (rw)))
+(allow any_p self (anon_inode (
+    append
+    audit_access
+    create
+    execmod
+    execute
+    getattr
+    ioctl
+    link
+    lock
+    map
+    mounton
+    open
+    quotaon
+    read
+    relabelfrom
+    relabelto
+    rename
+    setattr
+    unlink
+    watch
+    watch_mount
+    watch_reads
+    watch_sb
+    watch_with_perm
+    write
+)))
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
new file mode 100644
index 0000000000..cb55418b5e
--- /dev/null
+++ b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -0,0 +1,191 @@
+(allow any_p self (fs_classes (ro)))
+; All but ptrace and setcurrent
+(allow any_p self (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+    noatsecure
+    rlimitinh
+    setcap
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))
+(allow any_p null_device_t (chr_file (ioctl read write getattr lock append open)))
+(allow any_p sysfs_t (fs_classes (ro)))
+(allow any_p proc_sysctl_t (fs_classes (ro)))
+(allow any_p procfs_t (fs_classes (ro)))
+(allow any_p device_t (fs_classes (ro)))
+(allow any_p rootfs_t (fs_classes (ro)))
+
+; BPF, observability
+(allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
+
+; All caps, except sys_boot and sys_modules
+(allow any_p self (capability (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+(allow any_p self (cap_userns (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+; All but mac_admin, mac_override and syslog
+(allow any_p self (capability2 (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+(allow any_p self (cap2_userns (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+
+(allow system_p any_p (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+    noatsecure
+    ptrace
+    rlimitinh
+    setcap
+    setcurrent
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))
+
+(allow system_p any_p (unix_stream_socket (connectto)))
+
+(allow any_p self (fd (use)))
+(allow any_p self (key (view read write search link setattr create)))
+(allow any_p self (sem (associate create destroy getattr read setattr unix_read unix_write write)))
+(allow any_p self (msgq (
+    associate create destroy getattr read setattr unix_read unix_write write
+    enqueue
+)))
+(allow any_p self (msg (
+    associate create destroy getattr read setattr unix_read unix_write write
+    send receive
+)))
+; used by X Server
+(allow any_p any_p (shm (
+    associate create destroy getattr read setattr unix_read unix_write write
+    lock
+)))
+; TODO: restrict (boolean)?
+(allow any_p self (perf_event (open cpu kernel tracepoint read write)))
+; Used by chromium, wine, other. Might be useful to disable to protect from kernel null-deref exploits
+(allow any_p self (memprotect (mmap_zero)))
+; TODO: kernel_service, anon_inode
+(allow any_p self (io_uring (sqpoll cmd override_creds)))
+(allow any_p self (user_namespace (create)))
+
+(allow pod_t pod_t (fs_classes (rw)))
+; TODO: constrain more
+(allow system_p any_f_any_p (fs_classes (full)))
+; All spawned by init need to use fd of parent
+(allow service_p init_t (fd (use)))
\ No newline at end of file
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index 58440404a1..9f276d0236 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -6,8 +6,14 @@
 (call system_socket_f (pod_containerd_socket_t))
 (typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t)
 
+(allow pod_containerd_t self (user_namespace (create)))
+(allow pod_containerd_t self (unix_stream_socket (connectto)))
+(allow init_t pod_containerd_t (unix_stream_socket (connectto)))
+
 (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition)))
 (allow pod_containerd_t pod_p (process (transition)))
+(allow pod_containerd_t self (key (view read write search link setattr create)))
+(allow pod_containerd_t pod_p (key (view read write search link setattr create)))
 
 (type pod_t)
 (call pod_p (pod_t))
@@ -44,6 +50,47 @@
 (type containerd_state_t)
 (call common_f (containerd_state_t))
 
+; access procfs
+(allow pod_p any_p (fs_classes (ro)))
+(allow pod_p any_p (process (
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+)))
+(allow pod_p sysfs_t (fs_classes (ro)))
+(allow pod_p device_t (fs_classes (ro)))
+(allow pod_p tun_device_t (fs_classes (rw)))
+
+(allow pod_p pod_containerd_t (fd (use)))
+(allow pod_p pod_containerd_t (fifo_file (open ioctl read write append)))
+
+(allow pod_p self (unix_stream_socket (connectto)))
+
+; kube-proxy demands
+(allow pod_p proc_sysctl_t (fs_classes (rw)))
+; comm="loopback"
+(allow pod_p nsfs_t (fs_classes (ro)))
+; flannel
+; FIXME: specifics, protect kubelet config with staic pods and other importants
+(allow pod_p etc_t (fs_classes (rw)))
+; flannel
+(allow pod_p init_t (fd (use)))
+; flannel
+; FIXME: specifics
+(allow pod_p run_t (fs_classes (rw)))
+; used in networking
+(allow pod_p kernel_t (fd (use)))
+; kube-controller
+(allow pod_p cgroup_t (fs_classes (ro)))
+; TODO: add a boolean to disable this for extra hardening
+(allow pod_p self (process (ptrace)))
+
+(allow pod_p pod_containerd_t (netlink_classes (full)))
+(allow pod_containerd_t pod_p (netlink_classes (full)))
+
 (type kube_apiserver_config_t)
 (call protected_f (kube_apiserver_config_t))
 (allow kube_apiserver_config_t tmpfs_t (filesystem (associate)))
@@ -66,3 +113,12 @@
 (typeattributeset kube_secret_f kube_apiserver_secret_t)
 (typeattributeset kube_secret_f kube_controller_manager_secret_t)
 (typeattributeset kube_secret_f kube_scheduler_secret_t)
+
+; FIXME: add context for kube services
+(allow pod_p kube_secret_f (fs_classes (rw)))
+
+; CNI and other plugins
+(type cri_plugin_bin_t)
+(call system_f (cri_plugin_bin_t))
+(filecon "/opt/cni/bin(/.*)?" any (system_u object_r cri_plugin_bin_t (systemLow systemLow)))
+(allow pod_containerd_t cri_plugin_bin_t (file (execute_no_trans)))
diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
index d451bf6e61..20a1e5c838 100644
--- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil
+++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
@@ -13,3 +13,48 @@
 
 (type kubelet_state_t)
 (call system_f (kubelet_state_t))
+
+; procfs access
+(allow kubelet_t any_p (fs_classes (ro)))
+
+; Manage cgroups
+(allow kubelet_t cgroup_t (fs_classes (rw)))
+
+; D-Bus socket used for shutdown notification, owned by machined
+(allow kubelet_t dbus_client_socket_t (sock_file (append getattr open write)))
+(allow kubelet_t init_t (unix_stream_socket (connectto getattr)))
+
+; CRI socket
+(allow kubelet_t pod_containerd_socket_t (sock_file (append getattr open write)))
+(allow kubelet_t pod_containerd_t (unix_stream_socket (connectto getattr)))
+
+; Read misc kernel properties
+(allow kubelet_t proc_sysctl_t (fs_classes (ro)))
+
+; Manage filesystem quotas and mounts
+(allow kubelet_t filesystem_f (filesystem (
+    associate
+    getattr
+    mount
+    quotaget
+    quotamod
+    relabelfrom
+    relabelto
+    remount
+    unmount
+    watch
+)))
+(allow kubelet_t run_t (fs_classes (full)))
+
+; pipe to machined
+(allow kubelet_t init_t (fd (use)))
+(allow kubelet_t init_t (fifo_file (write)))
+
+; syslog
+(allow kubelet_t kernel_t (system (syslog_read)))
+(allow kubelet_t self (capability2 (syslog)))
+
+; TODO: constrain
+(allow kubelet_t device_f (fs_classes (rw)))
+(allow kubelet_t sysfs_t (fs_classes (ro)))
+(allow kubelet_t securityfs_t (fs_classes (ro)))
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index 0a57ecac2a..eec1eaa77f 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -43,3 +43,16 @@
 ; Typically machined executes LVM, cryptsetup and similar utilities
 ; They are short-running, come from the rootfs and do not accept user input, so can be started in init_t domain
 (allow init_t sbin_exec_t (file (execute execute_no_trans)))
+
+(allow init_t kernel_t (fd (use)))
+(allow init_t kernel_t (system (
+    ipc_info
+    module_load
+    module_request
+    syslog_console
+    syslog_mod
+    syslog_read
+)))
+(allow init_t self (capability2 (syslog)))
+
+(allow init_t self (unix_stream_socket (connectto)))
\ No newline at end of file
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index 2b515625f4..1e41419c68 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -13,15 +13,31 @@
 (call system_socket_f (sys_containerd_socket_t))
 (typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t)
 
+(allow sys_containerd_t self (user_namespace (create)))
+(allow sys_containerd_t self (unix_stream_socket (connectto)))
+(allow init_t sys_containerd_t (unix_stream_socket (connectto)))
+
 (allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition)))
 (allow sys_containerd_t system_container_p (process (transition)))
+(allow sys_containerd_t self (key (view read write search link setattr create)))
+(allow sys_containerd_t system_container_p (key (view read write search link setattr create)))
 
 ; Typically a system extension
 ; Possibly a service misconfigured by machined
 (type unconfined_container_t)
 (call system_container_p (unconfined_container_t))
 
+(allow system_container_p sys_containerd_t (netlink_classes (full)))
+(allow sys_containerd_t system_container_p (netlink_classes (full)))
+
+(allow system_container_p sys_containerd_t (fd (use)))
+
 ; Talos installer
 (type installer_t)
 (call system_container_p (installer_t))
 (allow installer_t system_var_t (file (entrypoint execute_no_trans)))
+(allow installer_t init_t (unix_stream_socket (connectto)))
+(allow installer_t any_f_any_p (fs_classes (full)))
+(allow installer_t fs_t (filesystem (unmount mount)))
+; TODO: constrain more
+(allow installer_t any_f_any_p (fs_classes (full)))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index c45640aac8..df375f1811 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -1,6 +1,6 @@
 (type apid_t)
 (call system_container_p (apid_t))
-(allow apid_t init_exec_t (file (entrypoint execute)))
+(allow apid_t init_exec_t (file (entrypoint execute read open map getattr)))
 
 (type apid_socket_t)
 (call system_socket_f (apid_socket_t))
@@ -8,12 +8,26 @@
 (call system_socket_f (apid_runtime_socket_t))
 (allow apid_t apid_socket_t (sock_file (relabelto)))
 (allow apid_t apid_runtime_socket_t (sock_file (relabelto)))
+(allow apid_t system_t (sock_file (relabelfrom)))
+
+(allow apid_t system_t (fs_classes (rw)))
+(allow apid_t apid_socket_t (fs_classes (rw)))
+(allow apid_t apid_runtime_socket_t (fs_classes (rw)))
+(allow apid_t init_t (unix_stream_socket (connectto)))
+(allow apid_t sys_containerd_t (fifo_file (ioctl read write getattr lock append)))
+
+(allow apid_t machine_socket_t (fs_classes (rw)))
 
 (type trustd_t)
 (call system_container_p (trustd_t))
-(allow trustd_t init_exec_t (file (entrypoint execute)))
+(allow trustd_t init_exec_t (file (entrypoint execute read open map getattr)))
+(allow trustd_t init_t (unix_stream_socket (connectto)))
+(allow trustd_t sys_containerd_t (fifo_file (ioctl read write getattr lock append)))
 
 (type trustd_runtime_socket_t)
 (call system_socket_f (trustd_runtime_socket_t))
 (allow trustd_t trustd_runtime_socket_t (sock_file (write)))
 (allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
+(allow trustd_t system_t (sock_file (relabelfrom)))
+
+(allow trustd_t system_t (dir (search)))
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index c141df305e..8fb852abde 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -11,6 +11,11 @@
 (filecon "/usr/lib/udev/rules.d(/.*)?" any (system_u object_r udev_rules_t (systemLow systemLow)))
 (filecon "/usr/lib/udev(/.*)?" any udev_exec_t)
 
+(type udev_conf_t)
+(call system_f (udev_conf_t))
+(filecon "/usr/etc(/.*)?" any (system_u object_r udev_conf_t (systemLow systemLow)))
+(allow udev_conf_t filesystem_f (filesystem (associate)))
+
 (type udev_t)
 (call service_p (udev_t udev_exec_t))
 
@@ -20,6 +25,11 @@
 ; udevadm called by machined in its context
 (allow init_t udev_t (unix_stream_socket (connectto)))
 
+; TODO: special label?
+(allow udev_t lib_t (system (module_load)))
+(allow udev_t self (capability (sys_module)))
+(allow udev_t self (cap_userns (sys_module)))
+
 ; Device subsystems, labeled by udev rules
 (type block_device_t)
 (call protected_device_f (block_device_t))
@@ -60,3 +70,9 @@
 (allow udev_t modprobe_exec_t (file (execute execute_no_trans)))
 (typetransition kernel_t modprobe_exec_t process udev_t)
 (typetransition init_t modprobe_exec_t process udev_t)
+
+(allow kernel_t self (capability (sys_module)))
+(allow kernel_t self (cap_userns (sys_module)))
+
+(allow udev_t kernel_t (key (search)))
+