diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 839a4d634a..74831a1894 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -732,6 +732,24 @@ interface(`fs_create_bpf_dirs',`
create_dirs_pattern($1, bpf_t, bpf_t)
')
+########################################
+##
+## Manage bpf directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_bpf_dirs',`
+ gen_require(`
+ type bpf_t;
+ ')
+
+ manage_dirs_pattern($1, bpf_t, bpf_t)
+')
+
########################################
##
## Manage bpf files.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f985a1cacf..f1c3098ce3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2885,6 +2885,24 @@ interface(`kernel_rw_unlabeled_dirs',`
allow $1 unlabeled_t:dir rw_dir_perms;
')
+########################################
+##
+## Create unlabeled directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_create_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir create_dir_perms;
+')
+
########################################
##
## Delete unlabeled directories.
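Review bot: The new interface grants only `create_dir_perms` on unlabeled_t:dir, whereas the `create_dirs_pattern` used by `fs_create_bpf_dirs` in this same diff also grants `add_entry_dir_perms` on the parent directory; if `create_dir_perms` is the refpolicy `{ getattr create }` set, a mkdir inside an unlabeled_t directory will still need `write`/`add_name` on that parent from some other rule. That may already be covered for kubelet_t by rules outside the kubernetes.te hunk that calls this interface, but it is worth confirming, or writing the body as `create_dirs_pattern($1, unlabeled_t, unlabeled_t)` so the interface is self-sufficient. A directory created under an unlabeled_t parent with no type_transition will presumably itself be unlabeled_t, which the interface summary could state so callers know the result stays outside normal labeling until relabeled.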
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 6b75b94774..8fcd88e1e6 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -389,6 +389,7 @@ libs_dontaudit_setattr_lib_files(container_domain)
miscfiles_read_localization(container_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(container_domain)
miscfiles_read_fonts(container_domain)
+miscfiles_read_generic_certs(container_domain)
mta_dontaudit_read_spool_symlinks(container_domain)
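Review bot: `miscfiles_read_generic_certs(container_domain)` applies to every container domain rather than a single type and carries no comment, unlike the kubelet and podman additions in this diff. A one-line comment naming the operation that needed the host certificate store, e.g. `# containers validate TLS against the host trust store (confirm: which workload)`, would let a later reviewer judge whether the grant belongs on a narrower type.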
@@ -1084,7 +1085,7 @@ fs_mounton_cgroup(spc_t)
fs_manage_cgroup_dirs(spc_t)
fs_manage_cgroup_files(spc_t)
fs_mount_bpf(spc_t)
-fs_create_bpf_dirs(spc_t)
+fs_manage_bpf_dirs(spc_t)
fs_manage_bpf_files(spc_t)
fs_manage_bpf_symlinks(spc_t)
fs_mounton_fusefs(spc_t)
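Review bot: Replacing `fs_create_bpf_dirs(spc_t)` with `fs_manage_bpf_dirs(spc_t)` widens spc_t from creating bpf directories to the full manage set (in refpolicy that also covers rmdir, rename and reparent), and nothing in the hunk records which operation was being denied. Since spc_t is the super-privileged container type the widening is probably acceptable, but a comment such as `# <operation that needed more than create> on bpf directories` above the line would document why create alone was no longer enough.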
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 6d60bcb683..b83f822a60 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -295,7 +295,7 @@ optional_policy(`
# Common session bus local policy
#
-dontaudit session_bus_type self:capability sys_resource;
+dontaudit session_bus_type self:capability { net_admin sys_resource };
allow session_bus_type self:process { getattr sigkill signal };
dontaudit session_bus_type self:process { ptrace setrlimit };
allow session_bus_type self:file rw_inherited_file_perms;
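Review bot: The `net_admin` added to the dontaudit on this line silently drops AVC records for a capability check rather than granting it, so if a session bus ever genuinely needs net_admin the failure will no longer appear in the audit log. That is the right choice for a spurious probe, but the hunk does not say where the check comes from; a comment above the rule, e.g. `# net_admin is probed by <caller> and not needed; silence the denial`, would stop a future reviewer from turning it into an allow.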
diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
index fd5bc38043..e4046dd2dd 100644
--- a/policy/modules/services/haproxy.te
+++ b/policy/modules/services/haproxy.te
@@ -91,6 +91,8 @@ corecmd_search_bin(haproxy_t)
dev_dontaudit_read_sysfs(haproxy_t)
+domain_use_interactive_fds(haproxy_t)
+
kernel_read_kernel_sysctls(haproxy_t)
kernel_read_state(haproxy_t)
kernel_read_system_state(haproxy_t)
@@ -102,6 +104,8 @@ miscfiles_read_localization(haproxy_t)
logging_send_syslog_msg(haproxy_t)
+userdom_use_user_terminals(haproxy_t)
+
can_exec(haproxy_t, haproxy_exec_t)
tunable_policy(`haproxy_bind_all_tcp_ports',`
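Review bot: `userdom_use_user_terminals(haproxy_t)` gives the daemon read/write access to user ttys and ptys, which is usually more than a service needs; refpolicy also offers `userdom_dontaudit_use_user_terminals` for the common case where the denial is only noise from starting the daemon from a shell. If haproxy is meant to be run in the foreground by an administrator the allow is justified and a comment should say so; otherwise `userdom_dontaudit_use_user_terminals(haproxy_t)` is the tighter rule. The same question applies to `domain_use_interactive_fds(haproxy_t)` in the preceding hunk, though that interface is the conventional one for daemons and is less of a concern.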
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 3ce6b43923..99e76d2e90 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -249,10 +249,8 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
corenet_tcp_bind_generic_node(kubelet_t)
-corenet_tcp_connect_http_port(kubelet_t)
corenet_tcp_bind_kubernetes_port(kubelet_t)
-corenet_tcp_connect_kubernetes_port(kubelet_t)
-corenet_tcp_connect_all_unreserved_ports(kubelet_t)
+corenet_tcp_connect_all_ports(kubelet_t)
corecmd_exec_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
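Review bot: Collapsing the http, kubernetes and unreserved-port connect rules into `corenet_tcp_connect_all_ports(kubelet_t)` lets kubelet reach every TCP port, including reserved ones, and the hunk gives no indication of which additional port was required. If the missing port is known, adding its specific `corenet_tcp_connect_*_port` interface keeps the policy enumerable; if the need is genuinely open-ended, the broad rule is better gated behind a boolean the way haproxy.te in this diff uses `tunable_policy(`haproxy_bind_all_tcp_ports',`, i.e. a `gen_tunable(kubelet_connect_all_tcp_ports, false)` (constructed name) in the tunable section with the connect_all_ports call inside a matching `tunable_policy` block, while the three narrower interfaces stay unconditional.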
@@ -313,6 +311,9 @@ kernel_rw_vm_overcommit_sysctl(kubelet_t)
# haven't been relabeled yet (fsGroup)
kernel_list_unlabeled(kubelet_t)
kernel_setattr_all_unlabeled(kubelet_t)
+# create subPath mountpoints in a volume that
+# hasn't been relabeled yet
+kernel_create_unlabeled_dirs(kubelet_t)
storage_getattr_fixed_disk_dev(kubelet_t)
storage_dontaudit_read_fixed_disk(kubelet_t)
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 78f8fc086a..54eeda28d2 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -93,6 +93,12 @@ ifdef(`init_systemd',`
# podman auto-update will restart the unit for
# the container when it is updated
container_start_units(podman_t)
+
+ # podman auto-update can restart containers created
+ # via quadlet as well, which are runtime units
+ init_get_runtime_units_status(podman_t)
+ init_start_runtime_units(podman_t)
+ init_stop_runtime_units(podman_t)
')
########################################
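Review bot: `init_start_runtime_units(podman_t)` and `init_stop_runtime_units(podman_t)` cover every runtime-generated unit, not only the quadlet container units the comment describes, so podman_t can also stop unrelated transient services. That is likely unavoidable unless refpolicy provides a distinct unit type for quadlet units, in which case the narrower interface would be preferable. Extending the comment to `# ... which are runtime units (note: this also covers non-container runtime units)` makes the actual scope of the grant explicit.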
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index bcd35eedc8..c0fbe16729 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -84,6 +84,7 @@ domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
files_read_etc_runtime_files(iptables_t)
+files_read_usr_files(iptables_t)
auth_use_nsswitch(iptables_t)