.gitignore

@@ -1,3 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-contrib-aadacd8.tar.gz
-SOURCES/selinux-policy-fa87f85.tar.gz
+SOURCES/selinux-policy-cc59490.tar.gz

.selinux-policy.metadata

@@ -1,3 +1,2 @@
-34a078fbec0190b407d64c1664aaa0887204ba2e SOURCES/container-selinux.tgz
-470eeffd45f8dd003edb6ddbff4104e573b6c08d SOURCES/selinux-policy-contrib-aadacd8.tar.gz
-91c17cd38073aba5562898449fe3b4f2bbffac8e SOURCES/selinux-policy-fa87f85.tar.gz
+a6acf76b8744f1607164ec6d69706cd02d618948 SOURCES/container-selinux.tgz
+b05ddf5a0fa6d702fd1bbb0f041c19ecda799ea2 SOURCES/selinux-policy-cc59490.tar.gz

SOURCES/booleans-automotive.conf

@@ -0,0 +1,15 @@
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+pppd_can_insmod = false
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+use_virtualbox = true

SOURCES/booleans-targeted.conf

@@ -12,7 +12,6 @@ pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_execmem = true
-selinuxuser_execmod = true
 selinuxuser_execstack = true
 selinuxuser_rw_noexattrfile=true
 selinuxuser_ping = true
@@ -22,3 +21,4 @@ unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
+use_virtualbox = true

SOURCES/file_contexts.subs_dist

@@ -2,6 +2,7 @@
 /run/lock /var/lock
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
+/run/systemd/generator.early /usr/lib/systemd/system
 /run/systemd/generator.late /usr/lib/systemd/system
 /lib /usr/lib
 /lib64 /usr/lib
@@ -12,9 +13,12 @@
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
+/var/named/chroot/var  /var
 /home-inst            /home
 /home/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
 /var/usrlocal        /usr/local
+/var/mnt             /mnt
+/bin                 /usr/bin

SOURCES/modules-automotive-base.conf

@@ -0,0 +1,604 @@
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+#
+auditadm = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: contrib
+# Module: fwupd
+#
+# fwupd is a daemon to allow session software to update device firmware.
+#
+fwupd = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: contrib
+# Module: journalctl
+#
+# journalctl policy
+#
+journalctl = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: contrib
+# Module: pesign
+#
+# policy for pesign
+#
+pesign = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: rpcbind
+#
+#  universal addresses to RPC program number mapper
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+#
+secadm = module
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+#
+systemd = module
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+#
+#
+ubac = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfined = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vhostmd
+#
+# vlock - Virtual Console lock program
+#
+vlock = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = module
+

SOURCES/modules-mls-contrib.conf

@@ -691,6 +691,13 @@ logwatch = module
 # 
 lpd = module
 
+# Layer: services
+# Module: lsm
+# 
+# lsm policy
+#
+lsm = module
+
 # Layer: services
 # Module: mailman
 #

SOURCES/modules-targeted-base.conf

@@ -391,10 +391,3 @@ udev = module
 # The unconfined domain.
 # 
 unconfined = module
-
-# Layer: system
-# Module: kdbus
-#
-# Policy for kdbus.
-#
-kdbus = module

SOURCES/modules-targeted-contrib.conf

@@ -292,13 +292,6 @@ cfengine = module
 # 
 cgroup = module
 
-# Layer: contrib
-# Module: cgdcbxd
-#
-# cgdcbxd policy
-#
-cgdcbxd = module
-
 # Layer: apps
 # Module: chrome
 #
@@ -349,13 +342,6 @@ cmirrord = module
 # 
 cobbler = module
 
-# Layer: contrib
-# Module: cockpit
-#
-# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
-# 
-cockpit = module
-
 # Layer: services
 # Module: collectd
 #
@@ -2005,7 +1991,7 @@ timidity = off
 tmpreaper = module
 
 # Layer: contrib
-# Module: tomcat
+# Module: glusterd
 #  
 #  policy for tomcat service
 #
@@ -2657,9 +2643,128 @@ rrdcached = module
 #
 stratisd = module
 
+# Layer: contrib
+# Module: ica
+#
+# ica
+#
+ica = module
+
 # Layer: contrib
 # Module: insights_client
 #
 # insights_client
 #
 insights_client = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
+
+# Layer: contrib
+# Module: mptcpd
+#
+# mptcpd
+#
+mptcpd = module
+	
+# Layer: contrib
+# Module: rshim
+#
+# rshim
+#
+rshim = module
+
+# Layer: contrib
+# Module: boothd
+#
+#  boothd - Booth cluster ticket manager
+#
+boothd = module
+
+# Layer: contrib
+# Module: fdo
+#
+#  fdo - fido device onboard protocol for IoT devices
+#
+fdo = module
+
+# Layer: contrib
+# Module: qatlib
+#
+#  qatlib - Intel QuickAssist technology library and resources management
+#
+qatlib = module
+
+# Layer: contrib
+# Module: nvme_stas
+#
+# nvme_stas
+#
+nvme_stas = module
+
+# Layer: contrib
+# Module: coreos_installer
+#
+# coreos_installer
+#
+coreos_installer = module
+
+# Layer: contrib
+# Module: afterburn
+#
+# afterburn
+#
+afterburn = module
+
+# Layer: contrib
+# Module: sap_unconfined
+#
+#  sap_unconfined
+#
+sap = module
+
+# Layer: contrib
+# Module: bootupd
+#
+#  bootupd - bootloader update daemon
+#
+bootupd = module
+
+# Layer: contrib
+# Module: iiosensorproxy
+#
+# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
+#
+iiosensorproxy = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module
+
+# Layer: system
+# Module: switcheroo
+#
+# Policy for switcheroo-control: D-Bus service to check dual GPU availability
+#
+switcheroo = module

SOURCES/rpm.macros

@@ -32,7 +32,6 @@
 # %selinux_requires
 %selinux_requires \
 Requires: selinux-policy >= %{_selinux_policy_version} \
-BuildRequires: git \
 BuildRequires: pkgconfig(systemd) \
 BuildRequires: selinux-policy \
 BuildRequires: selinux-policy-devel \
@@ -48,20 +47,24 @@ Requires(post): policycoreutils-python \
 
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
+  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
   %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 %{nil}
 
 # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_uninstall("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -76,20 +79,26 @@ fi \
 
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
-. /etc/selinux/config \
-_policytype=%{-s*} \
-if [ -z "${_policytype}" ]; then \
+if %{_sbindir}/selinuxenabled; then \
+  if [ -e /etc/selinux/config ]; then \
+    . /etc/selinux/config \
+  fi \
+  _policytype=%{-s*} \
+  if [ -z "${_policytype}" ]; then \
     _policytype="targeted" \
-fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  fi \
+  if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+  fi \
 fi \
 %{nil}
 
 
 # %selinux_relabel_post [-s <policytype>]
 %selinux_relabel_post("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -104,7 +113,9 @@ fi \
 
 # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
 %selinux_set_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
@@ -143,7 +154,9 @@ fi \
 
 # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
 %selinux_unset_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+  . /etc/selinux/config \
+fi \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \

SOURCES/securetty_types-automotive

@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t

SOURCES/selinux-check-proper-disable.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target

SOURCES/setrans-automotive.conf

@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh

SOURCES/users-automotive

@@ -0,0 +1,39 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix will not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-minimum

@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-mls

@@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)

SOURCES/users-targeted

@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)