From a867f85e4cb662a17b0738f1f0de4f1485ad925a Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Date: Mon, 4 Nov 2024 22:28:07 +0100
Subject: [PATCH] feat: label system socket and runtime files

Set SELinux labels so that services could gain access permissions.

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
---
 internal/app/apid/main.go                     |   5 +
 .../app/machined/pkg/controllers/etcd/pki.go  |   5 +
 .../k8s/render_config_static_pods.go          |  34 +++---
 .../k8s/render_secrets_static_pod.go          |  45 ++++----
 .../app/machined/pkg/system/services/apid.go  |   5 +
 .../machined/pkg/system/services/machined.go  |   5 +
 .../machined/pkg/system/services/trustd.go    |   5 +
 internal/integration/api/selinux.go           |  91 +++++++++++++++-
 internal/pkg/logind/broker.go                 |  11 ++
 internal/pkg/selinux/policy/policy.33         | Bin 24234 -> 25413 bytes
 .../policy/selinux/common/classmaps.cil       |  99 ++++++++++++++++++
 .../selinux/policy/selinux/services/cri.cil   |  27 +++++
 .../policy/selinux/services/machined.cil      |  11 ++
 .../selinux/services/system-containers.cil    |  12 +++
 pkg/machinery/constants/constants.go          |  36 +++++++
 15 files changed, 359 insertions(+), 32 deletions(-)

diff --git a/internal/app/apid/main.go b/internal/app/apid/main.go
index cee48a5080..2785651b81 100644
--- a/internal/app/apid/main.go
+++ b/internal/app/apid/main.go
@@ -31,6 +31,7 @@ import (
 	apidbackend "github.com/siderolabs/talos/internal/app/apid/pkg/backend"
 	"github.com/siderolabs/talos/internal/app/apid/pkg/director"
 	"github.com/siderolabs/talos/internal/app/apid/pkg/provider"
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/grpc/factory"
 	"github.com/siderolabs/talos/pkg/grpc/middleware/authz"
 	"github.com/siderolabs/talos/pkg/grpc/proxy/backend"
@@ -157,6 +158,10 @@ func apidMain() error {
 		return fmt.Errorf("error creating listner: %w", err)
 	}
 
+	if err = selinux.SetLabel(constants.APISocketPath, constants.APISocketLabel); err != nil {
+		return err
+	}
+
 	networkServer := func() *grpc.Server {
 		mode := authz.Disabled
 		if *rbacEnabled {
diff --git a/internal/app/machined/pkg/controllers/etcd/pki.go b/internal/app/machined/pkg/controllers/etcd/pki.go
index 781148ef1f..8bdd126b4c 100644
--- a/internal/app/machined/pkg/controllers/etcd/pki.go
+++ b/internal/app/machined/pkg/controllers/etcd/pki.go
@@ -17,6 +17,7 @@ import (
 	"github.com/siderolabs/gen/optional"
 	"go.uber.org/zap"
 
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/filetree"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/etcd"
@@ -92,6 +93,10 @@ func (ctrl *PKIController) Run(ctx context.Context, r controller.Runtime, _ *zap
 			return err
 		}
 
+		if err = selinux.SetLabel(constants.EtcdPKIPath, constants.EtcdPKISELinuxLabel); err != nil {
+			return err
+		}
+
 		if err = os.WriteFile(constants.EtcdCACert, rootScrts.TypedSpec().EtcdCA.Crt, 0o400); err != nil {
 			return fmt.Errorf("failed to write CA certificate: %w", err)
 		}
diff --git a/internal/app/machined/pkg/controllers/k8s/render_config_static_pods.go b/internal/app/machined/pkg/controllers/k8s/render_config_static_pods.go
index d3fbb27586..d5ec27d0dc 100644
--- a/internal/app/machined/pkg/controllers/k8s/render_config_static_pods.go
+++ b/internal/app/machined/pkg/controllers/k8s/render_config_static_pods.go
@@ -22,6 +22,7 @@ import (
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 	schedulerv1 "k8s.io/kube-scheduler/config/v1"
 
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
 )
@@ -124,17 +125,19 @@ func (ctrl *RenderConfigsStaticPodController) Run(ctx context.Context, r control
 		)
 
 		for _, pod := range []struct {
-			name      string
-			directory string
-			uid       int
-			gid       int
-			configs   []configFile
+			name         string
+			directory    string
+			selinuxLabel string
+			uid          int
+			gid          int
+			configs      []configFile
 		}{
 			{
-				name:      "kube-apiserver",
-				directory: constants.KubernetesAPIServerConfigDir,
-				uid:       constants.KubernetesAPIServerRunUser,
-				gid:       constants.KubernetesAPIServerRunGroup,
+				name:         "kube-apiserver",
+				directory:    constants.KubernetesAPIServerConfigDir,
+				selinuxLabel: constants.KubernetesAPIServerConfigDirSELinuxLabel,
+				uid:          constants.KubernetesAPIServerRunUser,
+				gid:          constants.KubernetesAPIServerRunGroup,
 				configs: []configFile{
 					{
 						filename: "admission-control-config.yaml",
@@ -147,10 +150,11 @@ func (ctrl *RenderConfigsStaticPodController) Run(ctx context.Context, r control
 				},
 			},
 			{
-				name:      "kube-scheduler",
-				directory: constants.KubernetesSchedulerConfigDir,
-				uid:       constants.KubernetesSchedulerRunUser,
-				gid:       constants.KubernetesSchedulerRunGroup,
+				name:         "kube-scheduler",
+				directory:    constants.KubernetesSchedulerConfigDir,
+				selinuxLabel: constants.KubernetesSchedulerConfigDirSELinuxLabel,
+				uid:          constants.KubernetesSchedulerRunUser,
+				gid:          constants.KubernetesSchedulerRunGroup,
 				configs: []configFile{
 					{
 						filename: "scheduler-config.yaml",
@@ -163,6 +167,10 @@ func (ctrl *RenderConfigsStaticPodController) Run(ctx context.Context, r control
 				return fmt.Errorf("error creating config directory for %q: %w", pod.name, err)
 			}
 
+			if err = selinux.SetLabel(pod.directory, pod.selinuxLabel); err != nil {
+				return err
+			}
+
 			for _, configFile := range pod.configs {
 				var obj runtime.Object
 
diff --git a/internal/app/machined/pkg/controllers/k8s/render_secrets_static_pod.go b/internal/app/machined/pkg/controllers/k8s/render_secrets_static_pod.go
index a9fa9fe6b6..321b4c013d 100644
--- a/internal/app/machined/pkg/controllers/k8s/render_secrets_static_pod.go
+++ b/internal/app/machined/pkg/controllers/k8s/render_secrets_static_pod.go
@@ -21,6 +21,7 @@ import (
 	"github.com/siderolabs/gen/xslices"
 	"go.uber.org/zap"
 
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
 	"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
@@ -162,18 +163,20 @@ func (ctrl *RenderSecretsStaticPodController) Run(ctx context.Context, r control
 		}
 
 		for _, pod := range []struct {
-			name      string
-			directory string
-			uid       int
-			gid       int
-			secrets   []secret
-			templates []template
+			name         string
+			directory    string
+			selinuxLabel string
+			uid          int
+			gid          int
+			secrets      []secret
+			templates    []template
 		}{
 			{
-				name:      "kube-apiserver",
-				directory: constants.KubernetesAPIServerSecretsDir,
-				uid:       constants.KubernetesAPIServerRunUser,
-				gid:       constants.KubernetesAPIServerRunGroup,
+				name:         "kube-apiserver",
+				directory:    constants.KubernetesAPIServerSecretsDir,
+				selinuxLabel: constants.KubernetesAPIServerSecretsDirSELinuxLabel,
+				uid:          constants.KubernetesAPIServerRunUser,
+				gid:          constants.KubernetesAPIServerRunGroup,
 				secrets: []secret{
 					{
 						getter:       func() *x509.PEMEncodedCertificateAndKey { return rootEtcdSecrets.EtcdCA },
@@ -230,10 +233,11 @@ func (ctrl *RenderSecretsStaticPodController) Run(ctx context.Context, r control
 				},
 			},
 			{
-				name:      "kube-controller-manager",
-				directory: constants.KubernetesControllerManagerSecretsDir,
-				uid:       constants.KubernetesControllerManagerRunUser,
-				gid:       constants.KubernetesControllerManagerRunGroup,
+				name:         "kube-controller-manager",
+				directory:    constants.KubernetesControllerManagerSecretsDir,
+				selinuxLabel: constants.KubernetesControllerManagerSecretsDirSELinuxLabel,
+				uid:          constants.KubernetesControllerManagerRunUser,
+				gid:          constants.KubernetesControllerManagerRunGroup,
 				secrets: []secret{
 					{
 						getter:       func() *x509.PEMEncodedCertificateAndKey { return rootK8sSecrets.IssuingCA },
@@ -258,10 +262,11 @@ func (ctrl *RenderSecretsStaticPodController) Run(ctx context.Context, r control
 				},
 			},
 			{
-				name:      "kube-scheduler",
-				directory: constants.KubernetesSchedulerSecretsDir,
-				uid:       constants.KubernetesSchedulerRunUser,
-				gid:       constants.KubernetesSchedulerRunGroup,
+				name:         "kube-scheduler",
+				directory:    constants.KubernetesSchedulerSecretsDir,
+				selinuxLabel: constants.KubernetesSchedulerSecretsDirSELinuxLabel,
+				uid:          constants.KubernetesSchedulerRunUser,
+				gid:          constants.KubernetesSchedulerRunGroup,
 				templates: []template{
 					{
 						filename: "kubeconfig",
@@ -274,6 +279,10 @@ func (ctrl *RenderSecretsStaticPodController) Run(ctx context.Context, r control
 				return fmt.Errorf("error creating secrets directory for %q: %w", pod.name, err)
 			}
 
+			if err = selinux.SetLabel(pod.directory, pod.selinuxLabel); err != nil {
+				return err
+			}
+
 			for _, secret := range pod.secrets {
 				certAndKey := secret.getter()
 
diff --git a/internal/app/machined/pkg/system/services/apid.go b/internal/app/machined/pkg/system/services/apid.go
index fe01a3102c..d4b657a520 100644
--- a/internal/app/machined/pkg/system/services/apid.go
+++ b/internal/app/machined/pkg/system/services/apid.go
@@ -32,6 +32,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner/containerd"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner/restart"
 	"github.com/siderolabs/talos/internal/pkg/environment"
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@@ -96,6 +97,10 @@ func (o *APID) PreFunc(ctx context.Context, r runtime.Runtime) error {
 		return err
 	}
 
+	if err := selinux.SetLabel(constants.APIRuntimeSocketPath, constants.APIRuntimeSocketLabel); err != nil {
+		return err
+	}
+
 	// chown the socket path to make it accessible to the apid
 	if err := os.Chown(constants.APIRuntimeSocketPath, constants.ApidUserID, constants.ApidUserID); err != nil {
 		return err
diff --git a/internal/app/machined/pkg/system/services/machined.go b/internal/app/machined/pkg/system/services/machined.go
index b6a52219f7..d028d1c439 100644
--- a/internal/app/machined/pkg/system/services/machined.go
+++ b/internal/app/machined/pkg/system/services/machined.go
@@ -23,6 +23,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/health"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner/goroutine"
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/grpc/factory"
 	"github.com/siderolabs/talos/pkg/grpc/middleware/authz"
@@ -160,6 +161,10 @@ func (s *machinedService) Main(ctx context.Context, r runtime.Runtime, logWriter
 		return err
 	}
 
+	if err := selinux.SetLabel(constants.MachineSocketPath, constants.MachineSocketLabel); err != nil {
+		return err
+	}
+
 	// chown the socket path to make it accessible to the apid
 	if err := os.Chown(constants.MachineSocketPath, constants.ApidUserID, constants.ApidUserID); err != nil {
 		return err
diff --git a/internal/app/machined/pkg/system/services/trustd.go b/internal/app/machined/pkg/system/services/trustd.go
index b21b74e1f6..3eebb34e20 100644
--- a/internal/app/machined/pkg/system/services/trustd.go
+++ b/internal/app/machined/pkg/system/services/trustd.go
@@ -31,6 +31,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner/containerd"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner/restart"
 	"github.com/siderolabs/talos/internal/pkg/environment"
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@@ -94,6 +95,10 @@ func (t *Trustd) PreFunc(ctx context.Context, r runtime.Runtime) error {
 		return err
 	}
 
+	if err := selinux.SetLabel(constants.TrustdRuntimeSocketPath, constants.TrustdRuntimeSocketLabel); err != nil {
+		return err
+	}
+
 	// chown the socket path to make it accessible to the apid
 	if err := os.Chown(constants.TrustdRuntimeSocketPath, constants.TrustdUserID, constants.TrustdUserID); err != nil {
 		return err
diff --git a/internal/integration/api/selinux.go b/internal/integration/api/selinux.go
index 820234e1d2..63078d2c33 100644
--- a/internal/integration/api/selinux.go
+++ b/internal/integration/api/selinux.go
@@ -18,8 +18,11 @@ import (
 	"github.com/siderolabs/go-pointer"
 	"github.com/siderolabs/go-procfs/procfs"
 
+	"github.com/siderolabs/talos/cmd/talosctl/pkg/talos/helpers"
 	"github.com/siderolabs/talos/internal/integration/base"
+	machineapi "github.com/siderolabs/talos/pkg/machinery/api/machine"
 	"github.com/siderolabs/talos/pkg/machinery/client"
+	"github.com/siderolabs/talos/pkg/machinery/config/machine"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -64,6 +67,92 @@ func (suite *SELinuxSuite) getLabel(nodeCtx context.Context, pid int32) string {
 	return string(bytes.TrimSpace(value))
 }
 
+// TestRuntimeFileLabels reads labels of runtime-created files from xattrs
+// to ensure SELinux labels for files are set when they are created.
+func (suite *SELinuxSuite) TestRuntimeFileLabels() {
+	workers := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeWorker)
+	controlplanes := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeControlPlane)
+
+	expectedLabelsWorker := map[string]string{
+		constants.APIRuntimeSocketPath:  constants.APIRuntimeSocketLabel,
+		constants.APISocketPath:         constants.APISocketLabel,
+		constants.DBusClientSocketPath:  constants.DBusClientSocketLabel,
+		constants.UdevRulesPath:         constants.UdevRulesLabel,
+		constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel,
+		constants.MachineSocketPath:     constants.MachineSocketLabel,
+	}
+
+	expectedLabelsControlPlane := map[string]string{
+		constants.APIRuntimeSocketPath:  constants.APIRuntimeSocketLabel,
+		constants.APISocketPath:         constants.APISocketLabel,
+		constants.DBusClientSocketPath:  constants.DBusClientSocketLabel,
+		constants.UdevRulesPath:         constants.UdevRulesLabel,
+		constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel,
+		constants.MachineSocketPath:     constants.MachineSocketLabel,
+		// Only running on controlplane
+		constants.EtcdPKIPath:                           constants.EtcdPKISELinuxLabel,
+		constants.KubernetesAPIServerConfigDir:          constants.KubernetesAPIServerConfigDirSELinuxLabel,
+		constants.KubernetesAPIServerSecretsDir:         constants.KubernetesAPIServerSecretsDirSELinuxLabel,
+		constants.KubernetesControllerManagerSecretsDir: constants.KubernetesControllerManagerSecretsDirSELinuxLabel,
+		constants.KubernetesSchedulerConfigDir:          constants.KubernetesSchedulerConfigDirSELinuxLabel,
+		constants.KubernetesSchedulerSecretsDir:         constants.KubernetesSchedulerSecretsDirSELinuxLabel,
+		constants.TrustdRuntimeSocketPath:               constants.TrustdRuntimeSocketLabel,
+	}
+
+	suite.checkFileLabels(workers, expectedLabelsWorker)
+	suite.checkFileLabels(controlplanes, expectedLabelsControlPlane)
+}
+
+func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[string]string) {
+	for _, node := range nodes {
+		nodeCtx := client.WithNode(suite.ctx, node)
+		cmdline := suite.ReadCmdline(nodeCtx)
+
+		seLinuxEnabled := pointer.SafeDeref(procfs.NewCmdline(cmdline).Get(constants.KernelParamSELinux).First()) != ""
+		if !seLinuxEnabled {
+			suite.T().Skip("skipping SELinux test since SELinux is disabled")
+		}
+
+		// We should check both folders and their contents for proper labels
+		for _, dir := range []bool{true, false} {
+			for path, label := range expectedLabels {
+				req := &machineapi.ListRequest{
+					Root:         path,
+					ReportXattrs: true,
+				}
+				if dir {
+					req.Types = []machineapi.ListRequest_Type{machineapi.ListRequest_DIRECTORY}
+				}
+
+				stream, err := suite.Client.LS(nodeCtx, req)
+
+				suite.Require().NoError(err)
+
+				suite.Require().NoError(helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
+					suite.Require().NotNil(info.Xattrs)
+
+					found := false
+
+					for _, l := range info.Xattrs {
+						if l.Name == "security.selinux" {
+							got := string(bytes.Trim(l.Data, "\x00\n"))
+							suite.Require().Equal(got, label, "expected %s to have label %s, got %s", path, label, got)
+
+							found = true
+
+							break
+						}
+					}
+
+					suite.Require().True(found)
+
+					return nil
+				}))
+			}
+		}
+	}
+}
+
 // TestProcessLabels reads labels of system processes from procfs
 // to ensure SELinux labels for processes are correctly set
 //
@@ -136,7 +225,7 @@ func (suite *SELinuxSuite) TestProcessLabels() {
 	}
 }
 
-// TODO: test for file labels
+// TODO: test for volume labels
 // TODO: test labels for unconfined system extensions, pods
 // TODO: test for no avc denials in dmesg
 // TODO: start a pod and ensure access to restricted resources is denied
diff --git a/internal/pkg/logind/broker.go b/internal/pkg/logind/broker.go
index cdda604800..ed2ce17552 100644
--- a/internal/pkg/logind/broker.go
+++ b/internal/pkg/logind/broker.go
@@ -19,6 +19,9 @@ import (
 	"time"
 
 	"golang.org/x/sync/errgroup"
+
+	"github.com/siderolabs/talos/internal/pkg/selinux"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
 // DBusBroker implements simplified D-Bus broker which allows to connect
@@ -48,11 +51,19 @@ func NewBroker(serviceSocketPath, clientSocketPath string) (*DBusBroker, error)
 		return nil, err
 	}
 
+	if err = selinux.SetLabel(serviceSocketPath, constants.DBusServiceSocketLabel); err != nil {
+		return nil, err
+	}
+
 	broker.listenClient, err = net.Listen("unix", clientSocketPath)
 	if err != nil {
 		return nil, err
 	}
 
+	if err = selinux.SetLabel(clientSocketPath, constants.DBusClientSocketLabel); err != nil {
+		return nil, err
+	}
+
 	return broker, nil
 }
 
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
index 913e3f1981c6205742bf8fc5d07ad39a45cfda7a..dc206fbbdc6ffdd935d7e944feacfb66ced4c376 100644
GIT binary patch
literal 25413
zcmbW9Yr7l8k;jjX7jQ@dgamR&=6=hD7%(P~FhHDy#6Tbkxo)&`q|rGO>&9qwZ0Fg1
zaz4Pm*iW->_iOFG*eCn{_4HqANu%R2?We7t>Z<Ch>gwvN{U87MxBtEW;Nalb*Lv5>
z>GIYkmCq>yyQrMS42<+&%};>G;=w<uKz=~^yz)0<9+l&wKbTD>v*~>T-K%_5)OlT3
z6z@?UR7GAF&^@SJ732J{7>}yigytVpzM0p9<No51>aVZ9Z<h6Oe_m9R3j%>UE~htW
z0#1|Ja$3)(G=b3hd|ph4i1$_Hzz-^P8_xze_<cw@wq4Jt{G#$qWUzZwxsgJ$4i{9R
zW4;`gbw3{rip7GKzoNWYEBCNIt74i@3iy3FeC0zB`7Ul1gUKui1*n`2>M;^xxSLg3
z7ue<t%9DH!0(H<V>w?cODSx({)p?`kBl=uUF#+;^O}UXb7y?|l0VXe`b5ZZ_6`I=H
zE7%mx7P4q#DOewt)8We6GRVB<D;O!*p08l;a#0tdUyxYFn$2rEkA7JkFYDp#<`nCo
zcx%^y+?aB3f|Fp2#O~0dF8xHCRLkGg3Q9q|GITJK4IP}OF*Ga&v+1-L)JRNc(}#Uj
zq$L<pK_2Au{IDFC_3g{ioS@V2Bp>u=Cq-42!vbZ38wP(tG{hpye@7Y_STI;|J^~lc
zH}e}sKOg7Sgf@dr$Hm~rd{$2DepM{$Syj*uDlKj=#<L^T#^8t8t-n|<@OfAvFyiFH
zNjZf-+^j)4A0&=IO)@-T*Ej;`2)vw@x72*20U{42N;SI;TSN)<!F{0!N-yMYrA9d9
zNE}B9O(7Y~Y|=o8b3xdPd2Qn;XezqgrKsQx)l^Ph<u|GSj<U?cXE~!)@+e><<~L*Y
zv>XJvg8LQqTx}r>rkvcE&W1z<!VaA2|Nf$=PDDc!-%_TDxdK3qHrU`sIUeHzd=C>B
z0QOzwAXBlJEvrEYdFwE;G8*1Zd!f4!mP|L%uc(2#BU!Nwy-RF@Ye1(u4y>bch(H8P
zst3o_Y*xd&7a?_hTLztu%HTPntAc+DrXC$b{OyQ3udBQ<R2*s}849ro&u~8!Z@wRo
z-*q`DFeDx_IF{MrMq~q7QExdeurcNhrmbfAaF8#;AY~|yi+oXFc<iRAw!GCZCzEBJ
zAC3bU-k2BXQJ>`1;270Ia4YI%IUItZjQX^6MVVSBwMww;>sK>WT~z%hC~kyCBd5Pu
z5Qcb68^exlU_t)*7Mr}DEKUYpg~5Jsd48MAd_LAZG*%c0q5h6q(LFH2nNqE86t}yw
z@Caa7zz&BZO%_L=Z3Y=?i|J>}Vp#-?t-t6<(hJJ;Gnu4urdbPOni|cjn|U?tmtneK
z7*)mK1m6MQwX<c2;ke<(<c@GmVEWlfxGA=HRXMeVU1n4sYADWbEazQKgH_@9<Q|TT
zqH*z#oy9;Sp#*Hnq=gm-n$K?YP2GSAgCSlQx5CJ$;v^rJLq+4hhV*oSy<iu{(R?;8
z2e*kXgf|5kjp{M}9!BwOGS||h-%JPe0<=OZrZV;*%yD75h<JJE3z&^Hw)+ilNEp!~
zld$u=$|nqRdQ3~iz&~~qSU7^gO9fs~X;{=jwW|1RUNtcdk1*<_m>d?B06Pg{Z1Aaa
z+OzrisB2eZEVRHvIEvF)v4o{=vfOo5`U@!`^vBAua8fwE+(*ahVm;k?Nnxb)m&lAN
zSCvy$?4*mqq6|GepH+2N<&X@fM0I@DLpV(8n&yjq(#8r!K#z;2dZzMDf-f0iQ-PaN
z-Ntr@g#h#*>0gy`5624DQT^hinAZ4e@Wc5MWE>+*USZ+H7fP|Nr;Ouy{Q;{m2UCE{
z4fRGbR$(Wx)<72~msFQvr{R&jx~o38Ih=mE#c4jD&u(>PVz*{|&~>O!st2tRiZ<!4
zu&9lFMi)Y=B~P=^Re2}5oj<51Rr|)Ev%U^pxmX~kMP+Hj(jPhKAT4r>BVrjkh3;gb
zGF1PTieL3@L3a}C9&Gu9a%u(-iCd$pRZi3j_84ob3M&dmX|P6s1g8*WC)xRM7RvtC
z8mBHMu*JXhrNudm9@wHwv;NT>k`J**&{xa5Qh}6ci(^J2_0D28E*yg+q2k_Bt8UoQ
zWW>df^|g~g!z}M8r@fZny8K#K53`%%_-SBZb=~S?4hd)a6H6#0V_n?VVU=d@qD{ol
z-DB(uXz@Aa)E0J;8?(c|YTMUehEUShv<P>SEu5()wN5#he178)i%D-O;~`{{yri6#
zhq?A5TE7t8QHa_}KFyD0ujQfC0d+fB&X-h?+Iu+IA1J~wVE3B@iZEF26ewu?d&;To
znwgof<HkD3tiz4|--@br%Ag&TdtJG$w~h+!{mRaZWvl<m7Q1pWoZf9$|8|SVATLK<
zc@Qp0FDkP>B9pY%W;pZNEV4X9u~DIn!A{EJCRiazgnbYAAq+GJPgD?OJgw2%-U#N1
z{(+EE3lH+n7I7!_#3FSn4=GJT!!mDOUw!Uj>~Qq)me|#;N^!K~Dw@`bXBe!f?6h8g
ztxNIX!6@mkz3Nv2rY0<xgOjeJI4nIa9;ppyheUtHKpV51Um4wO<NCQx>7~qXw#6@s
z;_AznfAHF?ZOx?yaM@G)KmeT1ZeGs%+LcU?n8fg4ABwS)7%q%Cn1tgxJa_S#HVb1F
zc9Pxox@uBekH?*R-BSKpENF~OQe5H`_p+s&PUp=IsjSP{6f1!_oh@{>kW@grolpr$
z*&Z+tIxULHdLL|H`fK(6Bw(uEV$xYXoEeWKAg~d)dRto)&JC!J=gIx)tkDSxI2zMB
ztGXRl%=*|#U}2FTDfg6}G+uW0FlUS$x&m2ks}-B$s>@c&%e^;5ms-nXr5aB1uD*-e
zNKCq^SFn7+l)#$vZiL2*Ic(tgS;d`XqZ=1|(rAcl@THv|fbG;1fC-ONv@_$tsH}>c
z`FPx>ALa}*^xZCJeVFu-7^DV094~c%KGSVW$H?jl4LhI;nH0yEC#-nR%n+eD?dq#>
zIVo%E!%=B@q*LxW_6H<%IT$vDFP?i`Gza$KthYRxF2~`}lG$N8%Q<0KR^b#foPi$a
zRXFN}gLut#K1vaD>2o1&;k*=K!^Sxbd}{GgFccmX3J{kd(a2g(k3qq7oJuS!-S>nO
zCp-!n7qw2UpdpJ(LxxUtbaSqX!12&lYk<wUUuP@f%$I!-E#z~=!B6!yS~SS8!e0cU
ziy9zpgk$dVNK%4==M8UbXzSo7Xopz|1B>#Ab89~FP~_H9jZb2jY6r*T5T3(%uq>Si
zTw;Kl1RY$K^ZK-5@j(Q_uqy5(BqG13oVuIFuf|nZU&H!v`GGPmdaTvU))fq<22J;m
zx$YGAo<U*;(!VIPi6fH^n+qCRVddIb+CB+{Wfxsd|I6QxR=Yen1VFV6K12%;>|LAD
z&uI3ca%!KNNu=XQ^bYGO@xT|XhGS%Nf!V^0#u+u!7(~W-*oor~4T#HwK+Rad_l%hj
z=T&(^x9kQXL}>8#YHf)x2{qN)5>H2LrduQy{!YTiNP^q)Yv))TCo?fUMI}cN`q@d;
z(GP!7P9?fEY~9@L&<o(M{OJ~pYPM+I-?s5^*AXZPfSzPzm~zBeM>(CD#H(nkwdmqg
zrJaOA<X<bNO3jaFV%XKbI6k_OaSf+KT|8{9I9!$fLPmO4nO-21@_1vYXlupRlP^eG
zA5M4^;DP7Kn69GF6?U{;<<wgrI|+{^y{w#CvN`Yb4Icp)lWMB&=Zn=<E?|h7ksq|w
z)my8Lu`4$Ip>k?tyYfIwta{ef)*cwI?BP~&;@g!OhQj)X%4x^t)7ez#P+Ile;T)Sd
zif+GGPIWtBWOkLp!;|@&nCYYdclJV=9;Ed@DyOY;&s5c&ukvs%*uXAj(=oa@FkIUr
zzl(D<`Tz-jvBjdShMm{0(35|%#X~oV^X@l^=JK;GF2iDQ7Xbm2kO)?k{f##@r=lzr
z7(ZGH@dgM3&<)9}A85nm$P*qj3XfSB?hOC%>_rUl8ThSk_5d(u9YDf*58!ed-od~C
zj)8#=Qy~Uc6`@+CorHj_w!W{N`sn&>;BrztW4Ghr_RnI3jAYWhC@SjsCXNByPBe@l
zjJkBVhQZb$&^qD`MW43Kg;SqvfQ4>h!bXSMCbX%rlkBc<tA^D9-9%ap>ejgsdBfV^
ztOG=t!pxnfsIRY`gqM&mD`PL)lUEtd)nJVLoKzC}`;(*KUZ_+~bV0P3O?B@HT?pXX
zKG~tdig?t1XZVQl863|jr$NF|d^qiXzs7KY*YCD@jXJOB+y(tD7Lz?)Ahex?q2Po2
zv(aKmkcMTIgnghy=4v81)(?BKaO8;HSW{Jnu5h*Cff@S<#?gsRtJK|~u-was!|<)*
zPO@8LlGLq7<!IJr{a|yxFZ#4=s^OyR6vT8+dQ&+a8ObU8Jf6!^-8}V!U^`(`<Uwc5
zfs2uJrL>;QFgTSO=S6uEToIam4-ps@*yc6mR6o03Jd&Svp73n2cefap^Si!lWXGHC
zx0dazVY)c%1J1fGz;<MOhF{WPT*|TfRi-i->ytd}GnG%3ZD$ohyf4#_ao}gVc(D`s
z2^>-ufB6B|yqcM6w{6#F!aYs!RXjN8ovL}w6}O+@D-3alIeed2wjA^DaIar`d1-xP
zo6XXrKO$<fHaA&aEf@8$ue~ELtD<-JYXa<V6SU>9I1!R2+kVZ0@#jh1@NlVDV2xR0
zGvTNO9&ScA*CUZ4G~@<za047v)HD2K(!4b^%_m7+lsHV%92A&lSR5{oAiy<xNrfzM
z(x-x0^HEZf&pC2MCMII@864?)P-nFG^y>-Sk6@Yx2w<idv6QC)hN11RA{VHD0llhh
ze1;iMk@d(}(`1bse~?r!ry75{iz|j<#>rI@7UPwT#fpgzrTXd>y&3F>ILSeUEA?QP
z2E-w#!FYF-7T_m&g;)fP50jd5sxzhWn8vUaao0qLbblcDMFL%DitKYp)351>UnW&d
zl|gV_CI$q0_=N<4`;>V(FKjkKkz12}bm<j3hLK@Uj>?YcFfVpg#LBuA?^nRd#*grD
zuJsea&0e>hb(D%Z`00%*-+_jET7+Y^qF>E*KGT~cfb71^5@1av{aFGG<03xmTn#J)
zd?`hWJ;+LmsmdIa4U>eR^M94r;<+Acu>5{f=?I4dKbgYAlT37C2r{?1vBcvnZy1tH
z%*N4qVW9)M;OD5%D6>uS>FxgfApzb<2(U@w27w_2CR#7u`y;d`xVp|#1m79qJL#0*
zk%%gIDmzz;8QuldjAv?A{2CWoiPH~<zn+_gc%Y5Fx)8<C!`yT#*BGC^HISgymviY^
zeKRKL9akPNwSO2NA{wFgM@iL<<)L=`^AhDW$ig5$>esY)JwX%a4ZC@6cMIBm!JXcH
zD<KOC%x{#<xWS+%;CU_-^w?7ge56MZx2PZxJd;#tpRNITo2s6`SyB~rz>IpwOQdL?
z256m7XmMXR%KS9J*X!_O#jlmGViOkmmTk)>W&_%fx6#6Zucn~2>F|7x)y=J3Xn7~8
zfwPP>JYUu`TL9LEhxc11z@V;BsF~N1(bWVVPjW)nzLUb~+O>RE0~frKpoJ%M;YBx_
z4L61Wbir>DSeS2{$Vs=omsDXg-Q6~>|7=n*9WCU-43<kNw5V_DsDCv-y_nQ37r{}P
zpMIBswSkq7OQS{rw0JJ5o`y*ciQi42!+ddkIOE}L7?YnSRY92my_P^j7!FR!s9TNH
z<{5lH+{b(`LH9a~!NywH*3%p`nrKg^W2z<uf1Ff?8Gd_hgX9E$bBK>*=?117G7hw=
zZeqtW6O3#)cqG2bnX=RNH~fqr!}AV5;vcCCzXo%SYu<~Ow_7&mRaLyFKVKF9f4u#8
zC|`=@548MvB9#BG(g%9_+2CB1^S-U}!Tp)8K`v`McaAUZY2H%!KX-8J#sASX^1hB)
z&xK{rceRr<4t(AaoVG6N&nK~bUbA0{^Lm6Mo6FzP_Ru)c{&B_UilQ^}FnztR&3(iF
zLoH)|7|TCY>B(6Bwt|59d?E>+iST!{S2FxfY4hCx|9h~B`Fy06qUAxhE0GpHw$D|K
zn)8wfUq|2PA`bGHCwwdqd@KWH+wI!HHJxTOx?I!J`im+boHE5;)K>#XFZ2JJHf@$4
zd3pio?`ri!&4p{5yc)|_gC^psQ1XcWn3i@e19GOi8;%UWh<qr&AItZvY+rgHvF9_=
z(EP!FC*psq@OH1tn(gkz=C4IKdRhMKng`vdUz8Qh2OReWz6YOwfBXL=@kgt^cvhMi
zAK7eYWOz5W1>Ajyt=y-;ZQFN+ZQbc3_ap6oL45G}iy94YsVs}?xx&M%cJYCyLR<g1
z2btX#_~!YBMuq#DzOxM}dpus(Qrfmc29Kk2iJg(twxV78*b^Gbw!>9P;I`o7GWK8F
z^UakE$n3V>O4@?I?TM`{=hIp{yDj9m?_u+gf*l@LTzGJWLx0)k*xxc-ls7ygeC7c7
z80RrbZ2oT~Hi3_QhO+HI+4hIOee6exF39h8DX;tY%@r+n@L0fx?z>NP6dwEKJUV_D
zbp+e}NW1QfYe{^#B&%5$<g{$a;Boq*UhWwOo|f$!+8G#*AAU*g;)l@MR><>wl!x+f
zW0}4)&NYqXDE|d$-Cwlj{=F(4iD}H#;MflIi|vLC4@4QzckSmF!+b%^$Hz>IJRc<T
zSTADuV-XI%eUGwvep#0&)*T=AJVm=6v&d;UIQ9YB{b}TXO<S`xuKpy#v&1(Z)h@$r
zq2qnRk)3<+OnuD##khV`IK%<kdNA^&{8B7qH}^IDZkvPigMjn4^muO7?w8cNmI0hU
zBz$a7bhkX%%3}dL*oM&lI?~d=Zug#K9>)V77S4e<fd6U4$7jqRT9;qY4&JiSu5FHv
zYoEtU#8Yz(eB8fyDmG!A1g-szc7Gq+eMo+1{_ym;>q$Ptk-6d1ldkt2{8_Zb4dB=x
z{`A+{=Ib$w{cRs)uwIni7V>;8%F{%Oa|i#e?Ig4w<8LQEb6q3KGJH#CCTlq_YQ}5k
zVt9TzmY<ZRjDvj~OP|;1H5^^SI!AhAfBPHw?nmrnKSzGs8GQE(?Ou!R{y32tTH66z
znLqfyi}>(#pTg5^F@LS?_Es2E&763p@g=Rz@K5XYxHf3k3%G3v&vhStyc(Oxmdf*9
zln39opMN6Hj$`>8@*7Scxn0ID?LMHT@u$+tagQ~R<)<x|k<B*24nK?S!qahvvh575
z?ToD)W521*iS<Qh+l{`nk0G;p0=FHot#O!lEZa44JTG~0?rS<HiMojQQ>(T<()m!d
ziMZUi!e>oop2*`qMaM^@j>vDnqHNjF*E%AzajwOAQ1YC|4#tP)pCV82)3$yU;a`_l
zwhy|e{$M%b^UH`2j{Emh^`z~8O_AODG6roQX#Wyv-(Anw_X7Vo!tp)#7jY@Xjr)6Q
z>4TN;;SX*Xe76gq>yZyQwhuUK-+Ob#=PNo}w!YZPb04c`!|5aQho^l8eeDC3Q~MAf
zm}kGBKj!n*geQC)V=0@KvfHAsEi<wi&f3ytd|)l}D~hi8VPh-LN5reJPZS({w~MWq
zU%Ur|mNI^5pT|$GMmP>mq6H1x)tP`#q7C<n4Bwfu6EwicuP5b9Whdqe<M_mUn-4p2
z<M^Ov8;3Is<Lu+Z!O5L)INiGwj!z@N+t(JSMCRioC%!XfC!cTu_j&s^4u>P=<2#FO
z9FCZb<FnUo9G{5--zT#VDbK?3b;?;dKCwLu=ix-=ee!T>43D$;_~7U)9FEuT#K#B9
zXYqNo1E0q_;Q0FIthRjja2Ae_-Oj>E$Lh<8Y?;dYlCK#UQ-`(grf7h?Z}3qEaxvBI
zVQ1t@XTV*M8UA|aarrKAU%3n1SG(X679_)~I*9Iqj>x0S-P9uj>YlVKTcLKg#F1_$
zy6~m%{yOT&7<vENjV}Rrto!V$=pqF+=HCqI333;7qVVFgrH;9~34@Z$!?GJP%umWn
z|0JjzK1R{qO&7UA{o9>UnLM#ybM;}y>6DSF)(LE67IwIgGX6_~xtyu&1U^&L>Uzvb
z={%7cTfY`(5?<09JDr`jv9Wh}W?<xWn%YLjD0-}I)I0Ir&~YC!JgEy;$NWpPI~yGm
zjNaUYTbg}g&)8i2-kG=9t`hgMQ0HqhZj4u5btx%lRK$b{)0=2ZxIvsw9hoWhi(<{q
zTPv9_=%~z;op2M#!pq6Kq9h9PQlXV7otQGWrC)k1xkGBDO((vT7L)3VxRoYdl%zCR
zrFmk~N|vrcQZj;7L$->>8=bI^4x0>;AhbbrNtKo&Z7dMYhPmrH5fKiWJMBGA_T-+{
zLLABew!D$VzD_M-llbbVRnm0Lm#RmDeg@M@m@b%7Li&4@*R3>O#88>i5J5+JV8Ork
z++&y*g<_s5X_(dZw#aoGM)3or?e;JV50dmxB|aCOUNw9Uy6}>qmF}rM%Fzi&`B1MV
z?$RoBLNWz!7-e54U=-2JwK!-MavvQYw0^M}-vqUCcv_gQ$W(SBnyubb7-2)^XN2L3
z%w+mSW<6+l<I0tAsSC;mogY3>ktsV7U^W*)8)TPM-PRn_=VURQ-JOA;nhug>U#GU{
z!hM5bpL`4k(X3X_of?WnLo2*N^sG3#B2(EZ5b2GB>o$m<6P7D7Q|LDk?Q`XQ?nM_*
zMfAN_j?8nTv3+z{eV%_F3-Wde>(ksuQ|X>HQ>7DneP2(K__mDc-Zi5lCWbV)CwiC+
z$oTts<EhQFRby_5^nAi1Q`rf!=1o&8S$e9FnMS_^;`OV;R?-)Q;)+aVCrH<i&Wy1k
zY`Ry^Os8MQ|LTEBD`k43kW$jgi-{iSv{GGCtt)n@cy{W_4JjYoLq#vsajitXJw$kK
zd_mPpmmW=I!ga#`mc#Z{)4rgFYw5L;7I%9z+c$?|#qi9jRm6Q%>^@FjZzbue$`zT)
zPI%?X;q2C;U9l%r-A0DxPwsY2fi<>wiyQsCuQj?XzOA+}o#=vcljG#rpc5I!zoq}i
zuiY8<2`Qq3EM}x6`8QLU?C<j`ld_l%$E>6*X2Y=@DT~=~R_mlJX2W~>CS@@j&NnHG
z+3-_+ld_l%x4_%*3+IKXl*MfP3sHd`cvN5q9u?Su_YOkZfdf#=VqUd-Du7ZJ^9mjn
z*o8L=?7|xbcHxZzyYNPVU3l++l*PQ32S^+IbPv2yAd56>J_kX87I;vg1s)V=fd>Uz
z;JpK-7C4|b_~{;aP#}vmiTpu<HaH5j!BL<Mjsk7)-X6Gd`Ay|H)i*G53g@F0etr*J
z3T)#Oh&XuKh6CnpSu4D^2QK7o{PPD&r@L^#Xp`x0@`hdq=Xc;jQM#}Pe*Yf$Lwn%8
zJ@9M?ei{Tj-GTpSBk;LQQjslx))dYIBX7YkY{P{@x<AujWaFzydMMLh<Slq_4?Nog
zKLviO44*9i>L-*>^?RNVrKnec8<q)vs=WG+!T^^`g_P;<Q)S~cQK{jdmQ$S5gijN#
z8vGQ;dS~L@Qzm7~r^;?C#i5RrDW590;Q%LP%BRZ4Np-iujYAuhjZFD;{Ta?~_1WND
zpwyI4_1nrn8YNSGiqnhA0B8J>GUZcc^Vz`ZsX{4JK2>hTp;9SRK2<hOYPV3Kx=i_0
zxfLfGWgBNho=CZkv(eVU1+}o-R_Z6sY4{pvW&dcDZT=g5chH0VN|!Zl7U2I6xSehs

delta 6719
zcmZ`-Yit}>6~41sC+phV_z`<|?X`Dp=bboq8mCSgXFW-5$LnX}#Ic<euN`Ndx^;HV
zdfkUqSgSvHwW?B%ghWNvBL1KhX!%tM3UwsfMgkS_5C|j?6#}FR_3;-d;e2=RnY|(D
ztme*{@1FNL_s;CR{f=|vC(i3{?4`BY8sB;a{eJJYt}6G6tCUJOJn%7O&H!I`^J!qU
zvYOB4(y4qUV}tb5eW9`~OjXc-_ti&gZN6M~VR5y{*Fx?48zTeOY(BTPn!l3DmorvH
z^ZUbtF>7}9sny3*5Z=sSzcn$xvcy7gsoFvpuI939E2;c_j6Fy<_eTy!t=Yx3)wEUy
zKkv6D*a~cHW#|x9v^P7aXm9%tr-RP4N1aZ(*4}V6WU;3gmmZ(bL85}uK5J$vvznh@
zUQXwV4mVg+m#?HBFABI8x_WsjlS)6CUP$E;#|iqdJ?`wGtp^(Cx-7O#I={473>Vqo
z#3v3`xwOC`Ar0+(N@X~neEM1{2OO~qzrk1F_Hp{!fd*$geY?7j-kaExOy$cMMVf_s
zC3_{c0`MrGq8gx1`#uXae&mtUFm-f9x?%Z%#j&uwl+NT+ITWVV#<Q8lrK?EgHb#5t
zTODmq6K!-f)<c7MGM{-WwNk~v5&EPf=J=?(v(ec^?VU|d9ap)QW;+9+2Q0Oj>=kaz
z8b-?K3!N>_L-cZIT@C6haa>;Ed<LnSh5yhQjG~8S>XEgp>HP9#I0c(0Y0tq}0gekp
z{@MyA;bG8%bJ=VjI6Aq_!WY-_=_fIPwC}JcmNHo`>r<ku*`8X>>Q04?Mm`US?fJEQ
zR*ckJ0{PthLRvJH)At_;o$9uxA4}&l>E&Wq9=7n6Y%ZV5`x!ZCq2lamI&i3Ap~sqe
zZ0&M-In5$yl%3W@W^t7p18I!gXgdEyHuspf==NH3YpXiND9RAMdZ;<H%bLvS1&M?m
zqrV(#2qmq#HNBGHK!U2f>Kfp^bjoTvr<cSE61Sh+u26Ht66MvlcrBm0wzSF%4%%zz
z#jcN?HhT7OW8nyQzpq$iH=sJzE~eq#F?F109L3GBxsR9oA*OHl##DfR{f17eq{rXS
zXtTx(d~H@`Orv}Q{A)4%;At~-LM2pKIR&j0OmRI?V3vNhUDLNW!C0RWIHgXhZbLVz
zCeMJQ_IWfMVx?N=Nk$)L8cBMHe_|NHgbYtq@m49G!oWjj0){6H4g5hvA5}-Gth>Dc
zhYuSJ%6A*OPStt(5TRtVR@Hhq>+tL#SmEhay`J+usz+@r+4PcAp(>!Kz*FeNou1My
z?65=#rQ$H0lgtLx16)o>#@V%EdHKdysVeW#BV|Mq#*7otBiSEN9KWO)nK){gAaK8-
zcX3>jS>Wdlj`Z8IU6$;iM|X1k#r`>|PI?)Fo=e~<a3i8D;%QQy_L{YtpN(P|ULP?^
zk#?y&vLz*hLqZ3*s9Tv|1>$VB%v%`9s5CL0D4aG*;e<pFMPdxJH1R-bCHWAIMBmEK
z1aTBu6er-E$o5;ZM_9WFfWCS(SU`_RnPE?Q7eR|pa9n&!D8CmFWW~k~-k!yetsK74
zA+{zo^vDi?M6%sS^eRgzS2FL16Ji*&WDE|8a|l8j9{so<+2($PQfYW_3*Dkx=-{yy
z9jxd;1%^xk5Qwx8<aQby36*|LFt?98AKNK#(Q{Ir5Z^Z=>Eb(f5$P20Gfl^PnhLOc
zQ0wp2-6sh|9My~~jsyI%4na%OAbZ02mSlg-*6J@;<zABORlP?ef3m@#$+&5XTP2L?
z7UjevX_92@9;L*hFC6t2zYCzHwR8MzfD;#t69`z63}dYtFK{}0yhL>C{^G#+;l5iH
zc6;6h`4vD~14=I%rEo~H-p!P>I(W_+9#qNB3U(xUu+$kE?IwD_ul3N+k8dr&LMiV7
z9U7#8OYI>owM1y8v;@?o<*6*VD((%5CeAe!8hWG#h+sx)fP%;b49hkI0m<VreuCQJ
zPZ`6&ZHHzJj(Uhr)Iek#`AtY1>Q#kauQTCM(g;I9c6mfBg$0jmcu)^9+{QgBN?}-5
z#1U&n>`{9>9_Tp*J=l0r5Lt4FhL?vfAaIEu0>hSbVi=AdF*vd)dVov$@D_56dARSi
zEh#rL&Gj!D!;KgNE$Kouk_oIoDGhL0DxJKFC3^74CK^*Q4+p<Eioi^13heVK&j8+?
z<P`(8mk8jHv^d@ZBtzg4M`2h30B)CT)C7sFNKZ7V26iq~ObeWl?uDn_wChAnzm$lY
z?Yv4PMyQtxqdO$&a8qK0DbWb+;(j+jfUtKaxER1?Z$q={cM0BBpoiU*{VBlDxYCmD
zwPF#aaH6CrpdSKQ#9{u4(@-joqMJsH9uz~m2|1MR=u!NPkP2gyMBgheRe;shGL82@
zL@C99BB?xbD9$CA)9lWS2Gq1=*p?Mr$gXx2YXgyq(i&CcMFS>DZ@2Y00>5+(jGZyY
zklx~>(bY~27#soEncHJ<=qYrY8$?q|UFpRW>5_Vb7Q^?c`#eWs7$s8yms@h1hhz7U
z=wVFO6&x~cT;PA*0Z%DPpcUy71oSftHHNS(P()mBoCZB^1t4n!Z%kqsSrl0qmViMw
zs}pFt0(a}3t6Q1{&Pi!t?3^){&?rY-uBfH&u+vRvM;a;9AE)@JznpPoLv_*%Q;p<f
z^pAa&{B`7qGmX~V=O^sD_q#$t{1Yq5GD45`SJI39VS2v5(&-{b9RBXq-$omwetKar
zPXA)O6F4;w7%C|L-HRSTFaDd~sdr<-PtOkojO-6QS@{@MlEue{J7pVAi_L^kLHXuW
zk_+D@cSE@8J)wg5!!Fu8bR18QR+1a=)6T&N{k<<t*OPv_G+6D?U$N+5atpmVSnkd7
zy>p2E+!xnU!DN*;b2M4&(T{j|346=K{Pb3`j6P0Qc>JNEqIGwu#Gf6i@#bH$@LvpV
z^YH%|IYh8$SnvRSZn&s>eYmJ^W5iFd4c9p3x`+P6oIB5k321Pn&Z*RBVx)#{4o7Ku
zq?*1v5~XjBY}NNa<NKS#VRRjRG7{3Z<D>QF8lVfK_iOs;(f#!H6l)#bL2sN1)2E{`
zdUh;KU1P2Kx_;hIxv>bn%h-3uw$tB6i#q?x_t#mjc05L3WV!1zei|E(Y8o<M8jonb
zpnq)We~!1%>oZ~6ai)dmqICI8l>W_nzQOmO^8IgE&n1p<)7dt9?LwF!d-80AqOisK
zpEw)!=+`XzA4~^XS8Sq5%OU3J3FwN_a}!amb7NvJZDP!Ku9ZIEEA+YNqO`(v{#;D^
z`s%r6&HFxIkrU`?JRdf3Y@vzs^@eVu?dRZM8U2XoUpn7JAMq9T+9r$krY4Iz5W@?T
z5!%lBK)*9tMK>nH^dX<XnlHrY*DO29*Vd6RJ$Ipvj&tnq^7VJj<C|)wN5{j|GgZ`=
z<7?jJ=6h2SdYJt{EbnvvK42U^N2bF%uH<x!&c`#;&H9SYd2>3%GEw?yx{+SydhMKv
z=$NNwTKFEi;`(}PCZ?~qXPWi(@WtO2d{~ftxaKss%I5=m4;){W?uBDJyBCh_=w5hS
z!-cyIyL#eoeEl<Uy`|j4QQqcpxaRZ%<NvrgTzwXbI}!jN@Ax=ebCv{(A>56}ne$%!
z?q}fZcjGjBakJyl=*19!y~XI)V?d8pdW`GQ)#EykVdfvx{1|zK@)*!#l^)}IboIE-
zBlyQJh9aB}IEGU~(_aVul%0hJ9w{@sZ?m3sHMq`#EdKQrd&dLap1oMuV0mb9^;pt%
z3$R+h3x7r9%5nLMQ*6J&G#@^f2b_Wz^(g=U<F7CeAMEI_X6yH<Dwl6?irfa%e8gQI
za0-5l8s>J@`53`ry0^$dnYobfmZF8ZR^N3+U!H4quG5XVHr)Jjt~GeQD5II<U~aO-
SU2AroX@?T?F{n$;@BJSMEq~$w

diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
index ee902705c9..fa8a848049 100644
--- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil
+++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
@@ -1,3 +1,102 @@
+; Access to all file classes
+(classmap fs_classes (full rw ro))
+(classmapping fs_classes full (filesystem (
+    associate
+    getattr
+    mount
+    quotaget
+    quotamod
+    relabelfrom
+    relabelto
+    remount
+    unmount
+    watch
+)))
+(classmapping fs_classes full (file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes full (dir (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    add_name remove_name reparent rmdir search
+)))
+(classmapping fs_classes full (lnk_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes full (chr_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes full (blk_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes full (sock_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes full (fifo_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+; rw is full without SELinux management
+(classmapping fs_classes rw (filesystem (
+    associate
+    getattr
+    mount
+    quotaget
+    quotamod
+    remount
+    unmount
+    watch
+)))
+(classmapping fs_classes rw (file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes rw (dir (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    add_name remove_name reparent rmdir search
+)))
+(classmapping fs_classes rw (lnk_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes rw (chr_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes rw (blk_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes rw (sock_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+(classmapping fs_classes rw (fifo_file (
+    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+)))
+; ro is rw without write and configure
+(classmapping fs_classes ro (filesystem (
+    associate
+    getattr
+    quotaget
+    watch
+)))
+(classmapping fs_classes ro (file (
+    append create execmod execute getattr ioctl lock map mounton open quotaon read rename unlink watch watch_mount watch_reads watch_sb watch_with_perm
+)))
+(classmapping fs_classes ro (dir (
+    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    search
+)))
+(classmapping fs_classes ro (lnk_file (
+    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+)))
+(classmapping fs_classes ro (chr_file (
+    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+)))
+(classmapping fs_classes ro (blk_file (
+    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+)))
+(classmapping fs_classes ro (sock_file (
+    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+)))
+(classmapping fs_classes ro (fifo_file (
+    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+)))
+
 ; Netlink socket access
 (classmap netlink_classes (full))
 ; Full means any access except relabeling
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index cdbe7b092f..4f4e8ecfe8 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -15,3 +15,30 @@
 (call pod_p (etcd_t))
 ; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral)
 
+(type etcd_pki_t)
+(call protected_f (etcd_pki_t))
+(allow etcd_pki_t tmpfs_t (filesystem (associate)))
+(allow etcd_t etcd_pki_t (fs_classes (ro)))
+
+(type kube_apiserver_config_t)
+(call protected_f (kube_apiserver_config_t))
+(allow kube_apiserver_config_t tmpfs_t (filesystem (associate)))
+(type kube_scheduler_config_t)
+(call protected_f (kube_scheduler_config_t))
+(allow kube_scheduler_config_t tmpfs_t (filesystem (associate)))
+(type kube_apiserver_secret_t)
+(call protected_f (kube_apiserver_secret_t))
+(allow kube_apiserver_secret_t tmpfs_t (filesystem (associate)))
+(type kube_controller_manager_secret_t)
+(call protected_f (kube_controller_manager_secret_t))
+(allow kube_controller_manager_secret_t tmpfs_t (filesystem (associate)))
+(type kube_scheduler_secret_t)
+(call protected_f (kube_scheduler_secret_t))
+(allow kube_scheduler_secret_t tmpfs_t (filesystem (associate)))
+
+(typeattribute kube_secret_f)
+(typeattributeset kube_secret_f kube_apiserver_config_t)
+(typeattributeset kube_secret_f kube_scheduler_config_t)
+(typeattributeset kube_secret_f kube_apiserver_secret_t)
+(typeattributeset kube_secret_f kube_controller_manager_secret_t)
+(typeattributeset kube_secret_f kube_scheduler_secret_t)
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index eb7430f967..4d7f7d6b5f 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -11,6 +11,17 @@
 (typetransition kernel_t init_exec_t process init_t)
 (allow init_t init_exec_t (file (execute entrypoint)))
 
+; System daemon sockets
+(type machine_socket_t)
+(call system_socket_f (machine_socket_t))
+(allow init_t machine_socket_t (sock_file (relabelto)))
+(type dbus_service_socket_t)
+(call system_socket_f (dbus_service_socket_t))
+(allow init_t dbus_service_socket_t (sock_file (relabelto)))
+(type dbus_client_socket_t)
+(call system_socket_f (dbus_client_socket_t))
+(allow init_t dbus_client_socket_t (sock_file (relabelto)))
+
 (allow init_t service_p (process (transition)))
 (allow init_t service_exec_f (file (execute)))
 
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index 03c388f494..c45640aac8 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -2,6 +2,18 @@
 (call system_container_p (apid_t))
 (allow apid_t init_exec_t (file (entrypoint execute)))
 
+(type apid_socket_t)
+(call system_socket_f (apid_socket_t))
+(type apid_runtime_socket_t)
+(call system_socket_f (apid_runtime_socket_t))
+(allow apid_t apid_socket_t (sock_file (relabelto)))
+(allow apid_t apid_runtime_socket_t (sock_file (relabelto)))
+
 (type trustd_t)
 (call system_container_p (trustd_t))
 (allow trustd_t init_exec_t (file (entrypoint execute)))
+
+(type trustd_runtime_socket_t)
+(call system_socket_f (trustd_runtime_socket_t))
+(allow trustd_t trustd_runtime_socket_t (sock_file (write)))
+(allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index bee248a9ab..dbb61e82c5 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -295,18 +295,33 @@ const (
 	// KubernetesAPIServerSecretsDir defines directory with kube-apiserver secrets.
 	KubernetesAPIServerSecretsDir = KubebernetesStaticSecretsDir + "/" + "kube-apiserver"
 
+	// KubernetesAPIServerSecretsDirSELinuxLabel defines SELinux label for the directory with kube-apiserver secrets.
+	KubernetesAPIServerSecretsDirSELinuxLabel = "system_u:object_r:kube_apiserver_secret_t:s0"
+
 	// KubernetesAPIServerConfigDir defines directory with kube-apiserver configs.
 	KubernetesAPIServerConfigDir = KubebernetesStaticConfigDir + "/" + "kube-apiserver"
 
+	// KubernetesAPIServerConfigDirSELinuxLabel defines SELinux label for the directory with kube-apiserver configs.
+	KubernetesAPIServerConfigDirSELinuxLabel = "system_u:object_r:kube_apiserver_config_t:s0"
+
 	// KubernetesControllerManagerSecretsDir defines ephemeral directory with kube-controller-manager secrets.
 	KubernetesControllerManagerSecretsDir = KubebernetesStaticSecretsDir + "/" + "kube-controller-manager"
 
+	// KubernetesControllerManagerSecretsDirSELinuxLabel defines SELinux label for the ephemeral directory with kube-controller-manager secrets.
+	KubernetesControllerManagerSecretsDirSELinuxLabel = "system_u:object_r:kube_controller_manager_secret_t:s0"
+
 	// KubernetesSchedulerSecretsDir defines ephemeral directory with kube-scheduler secrets.
 	KubernetesSchedulerSecretsDir = KubebernetesStaticSecretsDir + "/" + "kube-scheduler"
 
+	// KubernetesSchedulerSecretsDirSELinuxLabel defines SELinux label for the ephemeral directory with kube-scheduler secrets.
+	KubernetesSchedulerSecretsDirSELinuxLabel = "system_u:object_r:kube_scheduler_secret_t:s0"
+
 	// KubernetesSchedulerConfigDir defines ephemeral directory with kube-scheduler configs.
 	KubernetesSchedulerConfigDir = KubebernetesStaticConfigDir + "/" + "kube-scheduler"
 
+	// KubernetesSchedulerConfigDirSELinuxLabel defines SELinux label for the ephemeral directory with kube-scheduler configs.
+	KubernetesSchedulerConfigDirSELinuxLabel = "system_u:object_r:kube_scheduler_config_t:s0"
+
 	// KubernetesAPIServerRunUser defines UID to the API Server.
 	KubernetesAPIServerRunUser = 65534
 
@@ -442,6 +457,9 @@ const (
 	// EtcdPKIPath is the path to the etcd PKI directory.
 	EtcdPKIPath = "/system/secrets/etcd"
 
+	// EtcdPKISELinuxLabel is the SELinux label for the etcd PKI directory.
+	EtcdPKISELinuxLabel = "system_u:object_r:etcd_pki_t:s0"
+
 	// EtcdDataPath is the path where etcd stores its' data.
 	EtcdDataPath = "/var/lib/etcd"
 
@@ -536,15 +554,27 @@ const (
 	// APISocketPath is the path to file socket of apid.
 	APISocketPath = SystemRunPath + "/apid/apid.sock"
 
+	// APISocketLabel is the SELinux label for apid socket file.
+	APISocketLabel = "system_u:object_r:apid_socket_t:s0"
+
 	// APIRuntimeSocketPath is the path to file socket of runtime server for apid.
 	APIRuntimeSocketPath = SystemRunPath + "/apid/runtime.sock"
 
+	// APIRuntimeSocketLabel is the SELinux label for apid runtime socket file.
+	APIRuntimeSocketLabel = "system_u:object_r:apid_runtime_socket_t:s0"
+
 	// TrustdRuntimeSocketPath is the path to file socket of runtime server for trustd.
 	TrustdRuntimeSocketPath = SystemRunPath + "/trustd/runtime.sock"
 
+	// TrustdRuntimeSocketLabel is the SELinux label for trustd runtime socket file.
+	TrustdRuntimeSocketLabel = "system_u:object_r:trustd_runtime_socket_t:s0"
+
 	// MachineSocketPath is the path to file socket of machine API.
 	MachineSocketPath = SystemRunPath + "/machined/machine.sock"
 
+	// MachineSocketLabel is the SELinux label for socket of machine API.
+	MachineSocketLabel = "system_u:object_r:machine_socket_t:s0"
+
 	// NetworkSocketPath is the path to file socket of network API.
 	NetworkSocketPath = SystemRunPath + "/networkd/networkd.sock"
 
@@ -1012,9 +1042,15 @@ const (
 	// DBusServiceSocketPath is the path to the D-Bus socket for the logind mock to connect to.
 	DBusServiceSocketPath = SystemRunPath + "/dbus/service.socket"
 
+	// DBusServiceSocketLabel is the SELinux label for the D-Bus socket for the logind mock to connect to.
+	DBusServiceSocketLabel = "system_u:object_r:dbus_service_socket_t:s0"
+
 	// DBusClientSocketPath is the path to the D-Bus socket for the kubelet to connect to.
 	DBusClientSocketPath = "/run/dbus/system_bus_socket"
 
+	// DBusClientSocketLabel is the SELinux label for the D-Bus socket for the kubelet to connect to.
+	DBusClientSocketLabel = "system_u:object_r:dbus_client_socket_t:s0"
+
 	// GoVersion is the version of Go compiler this release was built with.
 	GoVersion = "go1.23.2"