From 1a8cc5f8b277faec7cf00a3acc8e91a31f99ce85 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Wed, 30 Oct 2024 09:05:23 +0100 Subject: [PATCH] feat: add SELinux labels to volumes Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later). Signed-off-by: Dmitry Sharshakov --- api/resource/definitions/block/block.proto | 1 + .../pkg/controllers/block/user_disk_config.go | 1 + .../pkg/controllers/block/volume_config.go | 9 +- .../v1alpha1/v1alpha1_sequencer_tasks.go | 24 +- internal/app/machined/pkg/startup/tasks.go | 16 ++ .../app/machined/pkg/system/services/etcd.go | 6 + .../machined/pkg/system/services/extension.go | 1 + internal/integration/api/selinux.go | 54 +++- internal/integration/k8s/tink.go | 6 +- internal/pkg/mount/system.go | 2 + internal/pkg/mount/v2/mount.go | 19 +- internal/pkg/mount/v2/overlay.go | 4 +- internal/pkg/mount/v2/pseudo.go | 4 +- internal/pkg/selinux/policy/file_contexts | 6 + internal/pkg/selinux/policy/policy.33 | Bin 25197 -> 26819 bytes .../selinux/policy/selinux/common/files.cil | 26 ++ .../policy/selinux/common/typeattributes.cil | 1 + .../selinux/policy/selinux/services/cri.cil | 30 ++- .../policy/selinux/services/kubelet.cil | 14 +- .../selinux/services/system-containerd.cil | 6 +- .../selinux/policy/selinux/services/udev.cil | 6 +- .../resource/definitions/block/block.pb.go | 235 +++++++++--------- .../definitions/block/block_vtproto.pb.go | 43 ++++ pkg/machinery/constants/constants.go | 52 +++- .../resources/block/volume_config.go | 2 + pkg/provision/providers/docker/node.go | 8 +- website/content/v1.9/reference/api.md | 1 + 27 files changed, 421 insertions(+), 156 deletions(-) create mode 100644 internal/pkg/selinux/policy/selinux/common/files.cil diff --git a/api/resource/definitions/block/block.proto b/api/resource/definitions/block/block.proto index cc184cbbf..ce045efe9 100755 --- a/api/resource/definitions/block/block.proto 
+++ b/api/resource/definitions/block/block.proto @@ -112,6 +112,7 @@ message LocatorSpec { // MountSpec is the spec for volume mount. message MountSpec { string target_path = 1; + string selinux_label = 2; } // PartitionSpec is the spec for volume partitioning. diff --git a/internal/app/machined/pkg/controllers/block/user_disk_config.go b/internal/app/machined/pkg/controllers/block/user_disk_config.go index 00818d534..3c3ac9e03 100644 --- a/internal/app/machined/pkg/controllers/block/user_disk_config.go +++ b/internal/app/machined/pkg/controllers/block/user_disk_config.go @@ -123,6 +123,7 @@ func (ctrl *UserDiskConfigController) Run(ctx context.Context, r controller.Runt Match: partitionIdxMatch(resolvedDevicePath, idx+1), } + // TODO: label user disks vc.TypedSpec().Mount = block.MountSpec{ TargetPath: part.MountPoint(), } diff --git a/internal/app/machined/pkg/controllers/block/volume_config.go b/internal/app/machined/pkg/controllers/block/volume_config.go index 0884245ee..46709ede5 100644 --- a/internal/app/machined/pkg/controllers/block/volume_config.go +++ b/internal/app/machined/pkg/controllers/block/volume_config.go @@ -232,7 +232,8 @@ func (ctrl *VolumeConfigController) manageEphemeral(config cfg.Config) func(vc * } vc.TypedSpec().Mount = block.MountSpec{ - TargetPath: constants.EphemeralMountPoint, + TargetPath: constants.EphemeralMountPoint, + SelinuxLabel: constants.EphemeralSelinuxLabel, } vc.TypedSpec().Locator = block.LocatorSpec{ @@ -254,7 +255,8 @@ func (ctrl *VolumeConfigController) manageStateConfigPresent(config cfg.Config) return func(vc *block.VolumeConfig) error { vc.TypedSpec().Type = block.VolumeTypePartition vc.TypedSpec().Mount = block.MountSpec{ - TargetPath: constants.StateMountPoint, + TargetPath: constants.StateMountPoint, + SelinuxLabel: constants.StateSelinuxLabel, } vc.TypedSpec().Provisioning = block.ProvisioningSpec{ 
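Review bot: The new `selinux_label` field in `MountSpec` carries no comment saying what an empty value means, and the Go side does pass empty labels through it (the user-disk volume configs set none, with a `// TODO: label user disks` in `user_disk_config.go`). If an empty label means "leave the mount with whatever context the filesystem gets by default", state that on the field, e.g. `// selinux_label is the SELinux context applied to the mount target; empty leaves the default label.`, so the generated `block.pb.go` carries the contract as well. As written, a consumer cannot tell whether `""` is a valid value or a bug.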
@@ -293,7 +295,8 @@ func (ctrl *VolumeConfigController) manageStateNoConfig(encryptionMeta *runtime. return func(vc *block.VolumeConfig) error { vc.TypedSpec().Type = block.VolumeTypePartition vc.TypedSpec().Mount = block.MountSpec{ - TargetPath: constants.StateMountPoint, + TargetPath: constants.StateMountPoint, + SelinuxLabel: constants.StateSelinuxLabel, } match := labelVolumeMatchAndNonEmpty(constants.StatePartitionLabel) diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go index e4473889d..2b922a8e3 100644 --- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go +++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go @@ -362,7 +362,7 @@ func StartDashboard(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, strin // StartUdevd represents the task to start udevd. func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) { - mp := mountv2.NewSystemOverlay([]string{constants.UdevDir}, constants.UdevDir, mountv2.WithShared(), mountv2.WithFlags(unix.MS_I_VERSION)) + mp := mountv2.NewSystemOverlay([]string{constants.UdevDir}, constants.UdevDir, mountv2.WithShared(), mountv2.WithFlags(unix.MS_I_VERSION), mountv2.WithSelinuxLabel(constants.UdevRulesLabel)) if _, err = mp.Mount(); err != nil { return err @@ -531,9 +531,10 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string } for _, dir := range []struct { - Path string - Mode os.FileMode - UID, GID int + Path string + Mode os.FileMode + UID, GID int + SELinuxLabel string }{ { Path: "/var/log", 
@@ -552,8 +553,14 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string Mode: 0o755, }, { - Path: "/var/lib/kubelet", - Mode: 0o700, + Path: "/var/lib/containerd", + Mode: 0o000, + SELinuxLabel: "system_u:object_r:containerd_state_t:s0", + }, + { + Path: "/var/lib/kubelet", + Mode: 0o700, + SELinuxLabel: "system_u:object_r:kubelet_state_t:s0", }, { Path: "/var/run/lock", @@ -578,6 +585,10 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string return err } + if err := selinux.SetLabel(dir.Path, dir.SELinuxLabel); err != nil { + return err + } + if dir.UID != 0 || dir.GID != 0 { if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil { return err @@ -661,6 +672,7 @@ func MountUserDisks(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { volumeStatus.TypedSpec().MountLocation, volumeConfig.TypedSpec().Mount.TargetPath, volumeStatus.TypedSpec().Filesystem.String(), + mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel), )) } diff --git a/internal/app/machined/pkg/startup/tasks.go b/internal/app/machined/pkg/startup/tasks.go index 204734426..cd4744e78 100644 --- a/internal/app/machined/pkg/startup/tasks.go +++ b/internal/app/machined/pkg/startup/tasks.go @@ -17,6 +17,7 @@ import ( "github.com/siderolabs/talos/internal/app/machined/pkg/runtime" "github.com/siderolabs/talos/internal/pkg/environment" "github.com/siderolabs/talos/internal/pkg/mount/v2" + "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/resources/block" ) 
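Review bot: The labels for `/var/lib/containerd` and `/var/lib/kubelet` are spelled out as string literals in the `SetupVarDirectory` table, and the same literals are repeated in `TestFileMountLabels` in `internal/integration/api/selinux.go` (together with the `"/opt/cni"` and `"/opt/containerd"` entries there), whereas every other label in this commit goes through `constants` (`constants.EtcdDataSELinuxLabel`, `constants.StateSelinuxLabel`). Adding e.g. `ContainerdStateSELinuxLabel` and `KubeletStateSELinuxLabel` to `pkg/machinery/constants` and using them in both places keeps each policy type name in one spot; otherwise the test only keeps passing while the two copies happen to agree. Separately, `/var/lib/containerd` is created with `Mode: 0o000` while its neighbours use `0o700` and `0o755`; if that is deliberate, a short comment on the entry would stop the next reader from taking it for a typo. `SetupVarDirectory` starts before this hunk.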
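Review bot: `selinux.SetLabel(dir.Path, dir.SELinuxLabel)` now runs for every entry of the table, including the ones that set no `SELinuxLabel` (`/var/log`, `/var/run/lock`, …), so the loop silently depends on `SetLabel` treating an empty label as "do nothing" rather than as a request to write an empty `security.selinux` xattr; `SetupSystemDirectories` in `startup/tasks.go` (explicit `label = ""` for `/system/state`) and `MountUserDisks` further down (unlabelled user disks) rely on the same thing. `SetLabel` is not part of this diff, so I cannot confirm it special-cases `""`; if it does not, guard the call with `if dir.SELinuxLabel != "" {`, and either way a comment on the new struct field, `SELinuxLabel string // empty: leave the default label`, records the contract where the table is edited. The enclosing loop and function start before this hunk.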
@@ -34,6 +35,21 @@ func SetupSystemDirectories(ctx context.Context, log *zap.Logger, rt runtime.Run if err := os.MkdirAll(path, 0o700); err != nil { return fmt.Errorf("setupSystemDirectories: %w", err) } + + var label string + + switch path { + case constants.SystemEtcPath: + label = constants.SystemEtcSelinuxLabel + case constants.SystemVarPath: + label = constants.SystemVarSelinuxLabel + default: // /system/state is another mount + label = "" + } + + if err := selinux.SetLabel(path, label); err != nil { + return err + } } for _, path := range []string{constants.SystemRunPath} { diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go index a7b7cd11d..0eaeb849a 100644 --- a/internal/app/machined/pkg/system/services/etcd.go +++ b/internal/app/machined/pkg/system/services/etcd.go @@ -40,6 +40,7 @@ import ( "github.com/siderolabs/talos/internal/pkg/containers/image" "github.com/siderolabs/talos/internal/pkg/environment" "github.com/siderolabs/talos/internal/pkg/etcd" + "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/argsbuilder" "github.com/siderolabs/talos/pkg/conditions" "github.com/siderolabs/talos/pkg/filetree" @@ -93,6 +94,11 @@ func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error { return err } + // Relabel in case of upgrade from older version or SELinux being disabled and then enabled. + if err := selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel); err != nil { + return err + } + // Make sure etcd user can access files in the data directory. if err := filetree.ChownRecursive(constants.EtcdDataPath, constants.EtcdUserID, constants.EtcdUserID); err != nil { return err diff --git a/internal/app/machined/pkg/system/services/extension.go b/internal/app/machined/pkg/system/services/extension.go index ab09ee43e..4e3ac0827 100644 --- a/internal/app/machined/pkg/system/services/extension.go 
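Review bot: The `selinux.SetLabel` error in `SetupSystemDirectories` is returned bare, while the `os.MkdirAll` error a few lines above is wrapped as `fmt.Errorf("setupSystemDirectories: %w", err)`; wrap it the same way and include the path, `return fmt.Errorf("setupSystemDirectories: labeling %q: %w", path, err)`, so a relabel failure on one of the three directories is attributable from the log. The `var label string` declaration plus the `default: label = ""` arm are also redundant: a `switch path` with just the two `case`s leaves `label` at its zero value, and the `// /system/state is another mount` remark can sit above the switch. The enclosing loop and function start before this hunk.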
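Review bot: The comment on the new `selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel)` call in `Etcd.PreFunc` promises a relabel after an upgrade, but whether the call reaches files already present inside the data directory depends on `selinux.SetLabel` recursing or on the policy's type transitions, neither of which is visible in this diff, whereas the `filetree.ChownRecursive` right after it explicitly walks the tree. If `SetLabel` only labels the directory itself, a pre-upgrade data directory keeps its old file labels and the `(allow etcd_t etcd_data_t (fs_classes (rw)))` grant in `cri.cil` would not cover them. Either relabel recursively in the same spirit as the chown, or, once confirmed, narrow the comment to `// Label the data directory itself; files inside rely on the policy's type transitions.` so it does not overstate what happens. `PreFunc` starts before this hunk.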
+++ b/internal/app/machined/pkg/system/services/extension.go @@ -52,6 +52,7 @@ func (svc *Extension) PreFunc(ctx context.Context, r runtime.Runtime) error { // re-mount service rootfs as overlay rw mount to allow containerd to mount there /dev, /proc, etc. rootfsPath := filepath.Join(constants.ExtensionServiceRootfsPath, svc.Spec.Name) + // TODO: label system extensions overlay := mount.NewSystemOverlay( []string{rootfsPath}, rootfsPath, diff --git a/internal/integration/api/selinux.go b/internal/integration/api/selinux.go index 63078d2c3..1527d337e 100644 --- a/internal/integration/api/selinux.go +++ b/internal/integration/api/selinux.go @@ -10,6 +10,7 @@ import ( "bytes" "context" "io" + "maps" "path/filepath" "strconv" "strings" @@ -17,6 +18,7 @@ import ( "github.com/siderolabs/go-pointer" "github.com/siderolabs/go-procfs/procfs" + "golang.org/x/exp/slices" "github.com/siderolabs/talos/cmd/talosctl/pkg/talos/helpers" "github.com/siderolabs/talos/internal/integration/base" 
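Review bot: The new import of `golang.org/x/exp/slices` in `selinux.go` exists only for a single `slices.Contains(paths, info.Name)` in `checkFileLabels`, while the same hunk adds the standard-library `maps` package, which shipped alongside the standard `slices` in Go 1.21, so the `x/exp` copy is an avoidable extra dependency. More to the point, `paths` is just the key set of `expectedLabels`, so the `paths := make(...)` loop in the `@@ -98` hunk and the import can both go: `if _, listed := expectedLabels[info.Name]; listed && info.Name != path { return nil }` in the `@@ -129` hunk expresses the same skip with one map lookup. That may also let the `//nolint:gocyclo` added on `checkFileLabels` be dropped.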
@@ -67,30 +69,45 @@ func (suite *SELinuxSuite) getLabel(nodeCtx context.Context, pid int32) string { return string(bytes.TrimSpace(value)) } -// TestRuntimeFileLabels reads labels of runtime-created files from xattrs -// to ensure SELinux labels for files are set when they are created. -func (suite *SELinuxSuite) TestRuntimeFileLabels() { +// TestFileMountLabels reads labels of runtime-created files and mounts from xattrs +// to ensure SELinux labels for files are set when they are created and FS's are mounted with correct labels. +// FIXME: cancel the test in case system was upgraded. +func (suite *SELinuxSuite) TestFileMountLabels() { workers := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeWorker) controlplanes := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeControlPlane) expectedLabelsWorker := map[string]string{ + // Mounts + constants.SystemPath: constants.SystemSelinuxLabel, + constants.EphemeralMountPoint: constants.EphemeralSelinuxLabel, + constants.StateMountPoint: constants.StateSelinuxLabel, + constants.SystemEtcPath: constants.SystemEtcSelinuxLabel, + constants.SystemVarPath: constants.SystemVarSelinuxLabel, + constants.RunPath: constants.RunSelinuxLabel, + "/var/run": constants.RunSelinuxLabel, + // Runtime files constants.APIRuntimeSocketPath: constants.APIRuntimeSocketLabel, constants.APISocketPath: constants.APISocketLabel, constants.DBusClientSocketPath: constants.DBusClientSocketLabel, constants.UdevRulesPath: constants.UdevRulesLabel, constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel, constants.MachineSocketPath: constants.MachineSocketLabel, + // Overlays + "/etc/cni": constants.CNISELinuxLabel, + constants.KubernetesConfigBaseDir: constants.KubernetesConfigSELinuxLabel, + "/usr/libexec/kubernetes": constants.KubeletPluginsSELinuxLabel, + "/opt": constants.OptSELinuxLabel, + "/opt/cni": "system_u:object_r:cni_plugin_t:s0", + "/opt/containerd": "system_u:object_r:containerd_plugin_t:s0", + // 
Directories + "/var/lib/containerd": "system_u:object_r:containerd_state_t:s0", + "/var/lib/kubelet": "system_u:object_r:kubelet_state_t:s0", } + // Only running on controlplane expectedLabelsControlPlane := map[string]string{ - constants.APIRuntimeSocketPath: constants.APIRuntimeSocketLabel, - constants.APISocketPath: constants.APISocketLabel, - constants.DBusClientSocketPath: constants.DBusClientSocketLabel, - constants.UdevRulesPath: constants.UdevRulesLabel, - constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel, - constants.MachineSocketPath: constants.MachineSocketLabel, - // Only running on controlplane constants.EtcdPKIPath: constants.EtcdPKISELinuxLabel, + constants.EtcdDataPath: constants.EtcdDataSELinuxLabel, constants.KubernetesAPIServerConfigDir: constants.KubernetesAPIServerConfigDirSELinuxLabel, constants.KubernetesAPIServerSecretsDir: constants.KubernetesAPIServerSecretsDirSELinuxLabel, constants.KubernetesControllerManagerSecretsDir: constants.KubernetesControllerManagerSecretsDirSELinuxLabel, @@ -98,12 +115,19 @@ func (suite *SELinuxSuite) TestRuntimeFileLabels() { constants.KubernetesSchedulerSecretsDir: constants.KubernetesSchedulerSecretsDirSELinuxLabel, constants.TrustdRuntimeSocketPath: constants.TrustdRuntimeSocketLabel, } + maps.Copy(expectedLabelsControlPlane, expectedLabelsWorker) suite.checkFileLabels(workers, expectedLabelsWorker) suite.checkFileLabels(controlplanes, expectedLabelsControlPlane) } +//nolint:gocyclo func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[string]string) { + paths := make([]string, 0, len(expectedLabels)) + for k := range expectedLabels { + paths = append(paths, k) + } + for _, node := range nodes { nodeCtx := client.WithNode(suite.ctx, node) cmdline := suite.ReadCmdline(nodeCtx) 
@@ -129,6 +153,11 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st suite.Require().NoError(err) suite.Require().NoError(helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error { + // E.g. /var/lib should inherit /var label, while /var/run is a new mountpoint + if slices.Contains(paths, info.Name) && info.Name != path { + return nil + } + suite.Require().NotNil(info.Xattrs) found := false @@ -136,7 +165,7 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st for _, l := range info.Xattrs { if l.Name == "security.selinux" { got := string(bytes.Trim(l.Data, "\x00\n")) - suite.Require().Equal(got, label, "expected %s to have label %s, got %s", path, label, got) + suite.Require().Contains(got, label, "expected %s to have label %s, got %s", path, label, got) found = true @@ -225,7 +254,8 @@ func (suite *SELinuxSuite) TestProcessLabels() { } } -// TODO: test for volume labels +// TODO: test for all machined-created files +// TODO: test for system and CRI container labels // TODO: test labels for unconfined system extensions, pods // TODO: test for no avc denials in dmesg // TODO: start a pod and ensure access to restricted resources is denied diff --git a/internal/integration/k8s/tink.go b/internal/integration/k8s/tink.go index 84b2ce948..968312f3b 100644 --- a/internal/integration/k8s/tink.go +++ b/internal/integration/k8s/tink.go 
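Review bot: Replacing `suite.Require().Equal(got, label, …)` with `suite.Require().Contains(got, label, …)` loosens the assertion: `got` now only has to contain the expected context somewhere, so any leading or trailing bytes that `bytes.Trim(l.Data, "\x00\n")` does not strip pass unnoticed, while the failure message still reads as an equality check. If the motivation is a suffix the `Trim` does not cover, extending the cut set or comparing the trimmed value exactly keeps the check strict; if a substring match is genuinely intended, a one-line comment above the call saying what the extra bytes are would explain the relaxation to the next reader. `checkFileLabels` starts and ends outside this hunk.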
@@ -420,10 +420,10 @@ func (suite *TinkSuite) getTinkManifests(namespace, serviceName, ssName, talosIm }, }, xslices.Map( - xslices.Filter(constants.Overlays, func(overlay string) bool { return overlay != "/opt" }), // /opt/cni/bin contains CNI binaries - func(mountPath string) overlayMountSpec { + xslices.Filter(constants.Overlays, func(overlay constants.SELinuxLabeledPath) bool { return overlay.Path != "/opt" }), // /opt/cni/bin contains CNI binaries + func(mnt constants.SELinuxLabeledPath) overlayMountSpec { return overlayMountSpec{ - MountPoint: mountPath, + MountPoint: mnt.Path, Size: "100Mi", } }, diff --git a/internal/pkg/mount/system.go b/internal/pkg/mount/system.go index 6f4b1b268..f0cc88604 100644 --- a/internal/pkg/mount/system.go +++ b/internal/pkg/mount/system.go @@ -42,6 +42,8 @@ func SystemPartitionMount(ctx context.Context, r runtime.Runtime, logger *log.Lo return fmt.Errorf("error getting volume config %q: %w", label, err) } + opts = append(opts, mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel)) + mountpoint := mountv2.NewPoint( volumeStatus.TypedSpec().MountLocation, volumeConfig.TypedSpec().Mount.TargetPath, diff --git a/internal/pkg/mount/v2/mount.go b/internal/pkg/mount/v2/mount.go index 96f1a81bf..2d6e1fe2c 100644 --- a/internal/pkg/mount/v2/mount.go +++ b/internal/pkg/mount/v2/mount.go @@ -18,6 +18,7 @@ import ( "github.com/siderolabs/go-retry/retry" "golang.org/x/sys/unix" + "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/machinery/constants" ) @@ -29,8 +30,9 @@ type Point struct { flags uintptr data string - shared bool - extraDirs []string + shared bool + extraDirs []string + selinuxLabel string } // NewPointOption is a mount point option. 
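Review bot: `opts = append(opts, mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel))` in `SystemPartitionMount` appends to a slice that, if `opts` is the function's variadic parameter (its declaration is outside the hunk), belongs to the caller; when the caller passed a slice with spare capacity, the append writes into the caller's backing array. Passing the option straight into the `mountv2.NewPoint(...)` call that follows, or detaching first with `opts = append(slices.Clone(opts), mountv2.WithSelinuxLabel(...))` (needs the standard `slices` import), avoids the aliasing; the tail of the `NewPoint` call is outside the hunk, so I cannot say which reads better here.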
@@ -84,6 +86,13 @@ func WithExtraDirs(dirs ...string) NewPointOption { } } +// WithSelinuxLabel sets the mount SELinux label. +func WithSelinuxLabel(label string) NewPointOption { + return func(p *Point) { + p.selinuxLabel = label + } +} + // NewPoint creates a new mount point. func NewPoint(source, target, fstype string, opts ...NewPointOption) *Point { p := &Point{ @@ -290,7 +299,11 @@ func (p *Point) Move(newTarget string) error { } func (p *Point) mount() error { - return unix.Mount(p.source, p.target, p.fstype, p.flags, p.data) + if err := unix.Mount(p.source, p.target, p.fstype, p.flags, p.data); err != nil { + return err + } + + return selinux.SetLabel(p.target, p.selinuxLabel) } func (p *Point) unmount(printer func(string, ...any)) error { diff --git a/internal/pkg/mount/v2/overlay.go b/internal/pkg/mount/v2/overlay.go index 053998c0b..b4fc871d8 100644 --- a/internal/pkg/mount/v2/overlay.go +++ b/internal/pkg/mount/v2/overlay.go @@ -14,7 +14,7 @@ import ( // OverlayMountPoints returns the mountpoints required to boot the system. // These mountpoints are used as overlays on top of the read only rootfs. func OverlayMountPoints() Points { - return xslices.Map(constants.Overlays, func(target string) *Point { - return NewVarOverlay([]string{target}, target, WithFlags(unix.MS_I_VERSION)) + return xslices.Map(constants.Overlays, func(target constants.SELinuxLabeledPath) *Point { + return NewVarOverlay([]string{target.Path}, target.Path, WithFlags(unix.MS_I_VERSION), WithSelinuxLabel(target.Label)) }) } diff --git a/internal/pkg/mount/v2/pseudo.go b/internal/pkg/mount/v2/pseudo.go index e75ef888c..ce8bbde2b 100644 --- a/internal/pkg/mount/v2/pseudo.go +++ b/internal/pkg/mount/v2/pseudo.go 
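Review bot: In `Point.mount()`, a failure of `selinux.SetLabel` returns the error but leaves the filesystem mounted at `p.target`, so the caller sees a failed mount that is nonetheless in place; if the surrounding `Mount` retries (the file imports `go-retry`), the next attempt mounts on top of the unlabelled one, and on a non-retry path nothing ever tears it down. Unmount before returning so the function stays all-or-nothing from the caller's view, and keep both errors so a relabel failure is distinguishable from a mount failure. `errors.Join` needs the `errors` import if the file does not already have it.

```go
func (p *Point) mount() error {
	if err := unix.Mount(p.source, p.target, p.fstype, p.flags, p.data); err != nil {
		return err
	}

	if err := selinux.SetLabel(p.target, p.selinuxLabel); err != nil {
		// Undo the mount so the caller never sees a failed mount that is still in place.
		return errors.Join(err, unix.Unmount(p.target, 0))
	}

	return nil
}
```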
@@ -24,8 +24,8 @@ func Pseudo() Points { // PseudoLate returns the mountpoints mounted later in the boot cycle. func PseudoLate() Points { return Points{ - NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755")), - NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755")), + NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755"), WithSelinuxLabel(constants.RunSelinuxLabel)), + NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755"), WithSelinuxLabel(constants.SystemSelinuxLabel)), NewPoint("tmpfs", "/tmp", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV), WithData("size=64M"), WithData("mode=0755")), } } diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts index f1d6b05c2..47dd3491c 100644 --- a/internal/pkg/selinux/policy/file_contexts +++ b/internal/pkg/selinux/policy/file_contexts @@ -1,7 +1,13 @@ +/opt(/.*)? system_u:object_r:opt_t:s0 /sbin(/.*)? system_u:object_r:sbin_exec_t:s0 +/etc/cni(/.*)? system_u:object_r:cni_conf_t:s0 +/opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0 /usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0 /usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0 +/etc/kubernetes(/.*)? system_u:object_r:k8s_conf_t:s0 +/opt/containerd(/.*)? system_u:object_r:containerd_plugin_t:s0 /usr/lib/udev/rules.d(/.*)? system_u:object_r:udev_rules_t:s0 +/usr/libexec/kubernetes(/.*)? system_u:object_r:k8s_plugin_t:s0 / system_u:object_r:rootfs_t:s0 /bin/runc system_u:object_r:containerd_exec_t:s0 /sbin/init -- system_u:object_r:init_exec_t:s0 
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 8abf7cf236969c685e18bf3ab0cf36de34d80cdd..9c2fd604ce053d1d69489fa4e6f0c7d99b651d66 100644 GIT binary patch literal 26819 zcmbW9>y{kFk;hwuEHK74GRDSNn)}^=BoN?>3W#^glF#mO zKfr$2H`uq>uj|*@H`x8)!~TC!8Qt04RihHgNp)6aL}c7DGAk>GfB))V|L?9&r}O(a zyYJ!wG zIbG_*lfPfaL5`Lth-kPyRN zFY+?OHg~Iz(-{c#L9-|`9>1;nzsi0lq6>f$HHq+9W(QBVrvm7&c@ZfFad%FwXrPbZVCUm`Ki#)myr zWF#2TLG7orbUz>E<;`=!oS-xCIPLeQ$5~P2gA8RX3@u&|4Y8<--=Ss(7Bnl)hTy{a zdU}-g(otHB8PjAs%=$;OX+9}?MK&*|MaDR&G`~3?O%G5TgYRRv-h449=3#}vh?5S+ z`2_xOa}DxYKMDkTqUi~{DiAwp8ix3ZDnrba07|sM21og5L+r8Rix_<|>O%!Q{~q#6JzFv$9AlLxrg}l%Wud^bGfX@#gu#@LcBO z3_}tj{X>}@Ze%u)mGu^*3>#x!Gi@t+TunpACDJhx<4{7 zyfH7qBcG&2{}9zJxn<=d9}GZHMSVtkS(RQd8kJ<()2~*jGAnvjQrt+5jvW7DK^PJ- zbqrgwfd%!qTWr#DJU{NY6$bmk<*98hv)M@N&`4>(QvEHp!aXn|m}0GtvYTyL_zYlL zz>a{TjOPbmZYCLev&ol>Y>^qp);~Cs^0X>`rcyM|v}!@jP{V0)JuL>k+?ETbQIYkJ zi5>90ce=0~P8e=1?g+;Mrk|Zcm|}|ys7lYtP00R8aU3gD#Tkl zi-|@-3D{C8b8QZ^p55e`zCH^EQ@qS>*vzNnI348!W#gWv^kj~`U}y7aHXY^tn`9T# zn-Yv>^@w=4Sv(!jwDss!%K=`1R!G@I#_ro1XUj#vOU)NB8)rDOf~jwIyz|U zN{odTScpLJGEy#Ks~c^1y(|8Oloa|KRakgYIz87z$H{!X-1(Nmk>X!6Gpf9z8mr<# zI`7YO^YCn1lx>wmGMJLpiCLe*wy0~F&(d)nD-;1eY?{ic+B*flRD_KMu4Z)|+Z`4H z;6chYRl>t_1^cL8cAQO0V%6eswg8#Hu*J(ZPCTI$`+C|0p6@?kWos}ExE#qF*+`9@ z!d?SiSX^RV%ua&?MRi+!2y-~SyTxfXn@w-DW#VDY{J?dnPbvGg8HzD+mu+f;&u}56 z+VWHzUA1?LkMp^DVzrO@t@ZWPm5K#ox~Obz*!m*}4$>w!J0O>#lev?P%0T|jmA}fH zg6@m_(WjhLHsaeAy78HW)6c0Xvg|dhP2iES1y^EyA7R7EaU?TPN?2zrJzE#gt#E5+PKIq9mW>`>EbVw0|MH zqY%C0bdny(UW0+= zs2eUefVX{V?+ZZCd6?(Zp596(2P|Slupf%?CNY>hW`AtQbwuv`OT8?N)YvH=uJ5TQ zw)JS#+UqXm7h=I+REqKvr?}@_%E@F_y&>ggKAm7CFelTw&K9B$NVf|rAt|p1tb<&*`)i;*2#vN}wrDJKkz!cHOW4D>K9?5GzG z;x*IxC{4_z$GN!Kc`3r$i?dC9dWlgmlpd4{5SJuT$(m0NLBVvKN-PR}@39jnA_^Jj zrB1D&p^8gIhE6!TI#)&DaA>PNz~GTr!A(tV9sHPfn3Xgz&ks1a=8*_RZf(_gB!{WDe>k%AZ0EtUbZWTd01XK` zxNPV3=!PW*5eUPoxl@pcdPOx3H_czotG2O*_2KfODkJ(_D;Kpp7)%YCzCWh=rr3A} zi5V#WqRLAgm9k%bpkWktu9c-dCV{Z+!qxa+@qVy+%Y%afiiO1xBS6r&H^a|p_JL|_ 
zpOQtSykssrh z-6Vtv6<(v(F7ZP`jkR`(CqrJQYa|x_PQk`VLfG=_!7)FKR$@FwCr1$a*(vnlhrg)C z65SZozTEB53*fGNYl}rOo!7qK*70!Hktj%jzR1Wh`H;Deayl~!pQ7p3ri(|lb_xnn zf3F%VH9MS&VO#qW_~=F@G`#HV!^75&!@J^N$S6;!;sq)t4POkEZC$bT;tP`Yhhy#p z_{8(Y7+2wQr5(Mla_X&zokGM?UQmrKS)KR!7d{d$Ce>2iOXsUkxqu<6X1-~uPj9t0 z#;(}-HPzV09?E@fvC3&%Tl>T~-@q;B#J4Ro42AXgRb$7clj%g~P}=p};vAbiif(^Y zjdeR_X10~Wrzh(-In#?0+{qhdJjm#OQjJIFJ5y1%{**^>!3K6Qo0i$d6T_QZQt1C0`o^( zA?^TS0NfDW`hnIKN3QTVBfHGPbZ7e8wHGlUX5hE_vIl@U>j}j6djJ;`y9WaUI2r>T zra}y?$gEqfoq~Yuww_mwV|0Bsa4u?|@V4X0?H6K%j8w`j%L@8Zia1&+TFKgFAyrnR z?TCl<-wf{)K9l2d)i_Cb79UL7e_vxd!0Qj&yoRlJbnb%Q7K?F%3xu{)Fcf?Ue_phh z5|lw+L}?!=nYkDXj`i)G%#Iwf8+)oE( zF-aWO!+bbxvwv`N{!a9KKyZN1>R!7gtx%xAa#t&un0_yRl5I3^zWH} z-1|Ro=r<1)zPw91kC|Px>y-oweXEpb-}pk9^@e1*K}1#-i+MTd>0OVTP>xoT5Qh=k zVvrpRNsD8zWP`_c%10jTFLY~blxu#i=#hdgyW<=!bXAu9x)xL2=pepeZfz3;84uRqCqv(Z9F2^GJ7)EAVs^_Y3=;|#L>#R1HSf+wR6 zIqbMc2WjP6)RE3OT}58zk@M*v=u4oEV+r5iL~y_FQVsA})H7t)&Hz{h-#9Cc3>Z85 zlvk5GXm;yZ_ldP4mP9PCdrq~OXsYS6TQ;!8B~?pUOwEfC7UxerIaJpJdzKPki8^&R zmut=9U}|)uF736C(*m)`4J39SH=oF{qY;B)sYjx&eImyQ*aSPlT&rP^^O&CPoY3C8 zbOW|ma$@u62*^@t+UR4VQ4tcXuujGIlvzH@kPh>|8TAno*riuuVNOb%N>*MQO84{h zPM{#Qcw_!VX!=gxlkydd*Q37KG_v)Y1u}dbp&h+qBS{9laTxX3)bf!r#IK@G`CH%X zEYOHegrWrJ4Y2~rVoOlHRaP{>xB86N%e(M`U?y4m7$I5NG2W*UzCP-f!3k_Rp4;g1 zPrmk98egzD6U5FHbJ@++%Ml&Gl7-_B5zx{~xW&5i3_@OrkwO%+aeOF(NAHIc0+Xk4 zFSFN8j)Zv2B}^wbdv>|`nTW!sm8A&M*5^@AH04}ai=W3M9G#73I*hc5j?LbV`l878 zw1q@WfLNj#u1Qqgom+8dV=^tBX#FPB8)6+o#rs@Pn@Sc$Y?++1XDi&tY@XW=MJnc)^oyu#D;ro&#$8UT_f$_Wti%pB z-DXF5l{Y?#dYJU?R3bOthj7UmZcOWEBbuSElH8yJBmXYySXo!0TdktF`xg<0&O?+f zZbIA@`2DEMi~|SVmnKbDS1`06%k&bZjE5;ci|};||4@s^YLZ~=_oDtSV>=rhOvt!t zw5_Nd^={Vmd~}fmMXv>jo|5`oVwxo2I6DcRZfh(vXVt2&}UO%{S>=34o3-MBNkH zgb-&RM$kbzKir>kr`ZHMh`LM}gIGmwE8uP9 zbXxEqH9lY6@iV=suW{bci~Xt2jc5M1%eYU5u`YKmuV_E%e6qqvmp=!bk2FnOhO0VV zJtMeM*lFNh!}+^1`*&1NS-AaFuN6KnIBvtMovX?@r)-CERlARS)b1>G=%-2IJg+EB z?iT!?m%cg${sU^`3-tQAwf}B@c`d+^^G~6T?_76exkps&Ke3O?{}=7x9S3~(1vrlf zKD1p<n3hmQ6nR1(8e;@a(7W}iq>By4AfXjJb 
z6j#@DAn&%iq*on_Hf1ktdp_|0P&vb8#wH&I_@&OJl?}mn9g)FlfxDb%Bi}tPY?m2Z zIW7GE5ct#nZfNgCG6VlCz@haR0RB#ZKOu>oKmPUkg&ka%^ODkWpnW&cVq3?-UmhFK zx}5Ozaq+vi6G^-$J}OC~oZ)=n|GU8dok*8EHFIJaUJp3L#+_;_HZEaL&l`;Ou;Kh& z9A7j0keiV6)j*5QJ+{%s+YgH}9_#l3|EyNSd(|dQ!pCC_8NMkv@p&ea89TVXSM(9! z+rrV@SKj)3r7v=Nygk-=Y&Gsx9XNQrJ*(}K%X78!sl~tSw)aCx;Bfrwv2<0l8QD6D z=l3Fc&gw<$KEdx$53%a{Vh8sf{&Ks)(_``>MTU=soiBwY%m!2j01^9TCReag5l1N`AboR9-umlw3-a(w23Il>Me4*7Hzu;43`!vXK5d3>+^1q^4Ypad$&aU_~mgl-_>)6-> z$Kf9-lX|>8t>Z)=7aY$O*umTI^!bQ99|U=5GnXqHzNTzM40i=RE00xhXvsO?U?2BO zS9m@yam6~-xvOh&7|$J#J?8Sagu{F%wmtUxk&f_pIf)-1_b1x<`dI8+9FC42^UMYK zlZS~($HCV=);XQCIUn@$xP3&Hb@-{s@5qdukr{lq=Tq8=IzIe829V#!#j}pXzQyN4 zBHt0im%|))T5OK}u`~90JhYjcp2yIU{E3d>xNQ^7DCdtnt`|6NA8h3@{|miqyKLaN z%(T~IU0L}WxYMGe?+?Ez4CixJ()?1gDGDr}Jq8}sRYb?Z4lWxpQ^i}NL!`G?IPiBF z(B0=9`NwTV{&bnK342;>f{$FbE9*J3$C_p9yEuHT|6CsC%SF**b7*~BZ0P)vA-18z zS!cZsj>pC|9naw-_TE>ce0522j^BBi1mEW}e(`*cUa=ot9_;UW{aDBJE`ML&Kf+k2 zu#ek{Sb96?bw&}q#_vb=KP$^sx<4un9S1wO4EVxh44HlIUtZhx4CAhKzqXPSxa)|W zJ)Y6U`9GkRj|+d-5&5qM+3~;OU4B6K4nOWW-|MTv)CmB={baCCkrz;MwdlIb|*ebTU z+YKGx3Oe4kA=_DvQ27yBpQqT_=iv9XlkleZd+!~{(({b)5|svheeL# zpX0W1IE`~0KQiCO;Y7=En)KrI@K!h+W@m#$ajhm?5RQ!_+b85fTXIEFKY4Xtz zayHRN^VZ0P4%6EpGyQd0>D+DLp1%#;3vF;o3zFf2PW0QLBl7TEJN3wb`o7netx#KA z;y_=G+VI79e;u}DjJ$ts$CrdV(k+i7Ya<0V<}crLk-iN&S$O{CLSF>h34@Z0{k$DA z%#ZUzf7sRzAEW5oSsS@Q{oAckSv;{{^$p1x$0;#UuNSb9S=jci(DD6?HP4Bv7w}o4 zR$n!pAkKq{W9!$&8Qb53ICh+Ux3RIe-L7%uI1O(jV-)?#fur7v?}m;|$na$Ov>O5Z zz2vQp4hcrD?sK>_O=-`u`JR7k-eS8daD+Ntlkt&lwQ@WawG%o*VWp2R7`TKR#19F{ zJCZ=i4~kWvFuiw!>``@lN20bD!UQtA|LX{?D9M6c!l@;CM4jG|sO<%hMW5RoWn;jH zh2tHG6Y3X}>dU@&ZP3JvZcKw!s@qewWbqmslaZ_{vQ;+T7_Ny9oAje3v_aJ5b|ab& z(pm|dh)4(3RfL8hdqxP(F;Ux#<&pGni=!y_wGtDXgbQuXcY`k8(Xg!}{KFxaw7_ z=5xaIjzn!QWV6+66-U?@+wZl|nK+q#ky$rGUVZsx`)E%02Hg_^IKxD3FC>`FP0$8e z)AVKe9M1>S+cOYUlYX@AYc&=wY?=&B@-Z1iv)Vnk8YmDA+)f)rJa|Wa+CgSdc4cSfAlGhVskEbR?=?(Cc|! 
z>*3jD^gC?ZxJ+qqk9EC1#&6P}fLS^Un>C6cumv9sJKyG zOBJ6M#AD%Q99K*9q&mGLCL%$Ft7zW6VG_TxMrTY%{4ECcyQZe3Mri3`mo|3|nl-JV z*u!pw)r#0ewI{0Mi?t+8)*vd6_op}J^@=^MZs(V%?FGvp-|n6QYiz$QZkWDlG+Y+` zq`-w~MQ6&552Is)R%96ehW=-i^}*OAq=+nD68$12MfWSLB>I=?@I5@Gl7#B;(+%*u z8u;AX0Pi-ylLq)wa!`^`T^<*B2i_p3ttWMSaD5$|GtfGC*TB2-Bn|Lo13V}I8Fi)C znM#3OIDuVbhclG|yZDs?yYQ~K)bU9g;L8ShB{Edhwfr4ZpayOV)WA)F8n`J?1MhZJ zYT$tC;L8TM$(#h5NPbhG4vqqKa1^M6qd*c5eq(u-dIm;~;XKsB_Zr|*pcY>W z)WW4eExg+R7jiBBvH>myYVkXJ4e-;ua5Au7KzH~6)(5eAcy|}hA}Z(({vPnesjYH4(LdBJ_+1U~dmG^09r)5XCOh!|F!&PqQgu(2vJ8zxZI^}i zQq^%fN!0_~VYHXgbBuFZa7v=ORCO9}0I#xD4NjE*tITyWPFK7riRw~yHCDujK1!mx zR9)eOhQrl$B90r#@$2|F^AmA`flkB;209TZ80bWtZpX?FP8AQPZ}m@&?vdZkaN@MX zC$h6g(8)NJ)pl?ya1f<3&<@Vs9V@^+f@m*Q1Gyg7vC6!sB&thQ$61C3@J^>||0eo( zsalUi@2&VOYjHZUor8fAVS?>rc>}nLffF^B{-9rb%hFFmJNzF35;c~pD?XcJSp;q4 zECVud6*Ewx#!_{~ryJX_GSDq>=r-Aw`fcDt*AC7yASZOHFmj^0RCPYvIKUItrK;m} zHf8RdR$rpJRCSzXXaJ{RphR`4>Ns0=HUsV8Z1L%eeg|jM7uLUxvn|iEj?dOu80h~2 DTnQ#f delta 7183 zcmZ`-YfM|`8UBtj#3Wn;_yPvokkB-cgj>j^v@r<{NdSW(kc6c1j5(xk5<`ti6HS%L ze(cgVUDsEW`lFK?P17`WmvovmX_~TB?S53M)K&deP2C!4n$|6oR%zNQRbBT!-}zp1 zs;0IM-|P4KyqE7ghx5j})<560ZvA^_IC`fnu9SLqsGk2SHD@j#uMbjPSHQApM^~FQ zO`~0%)=A2BwOFI{OjqRbO{`JHm&F%8`Sj(b)l>n7jeH4vCBK{jAFAyx{*}uMmzFaZ zQ(}{J$qMltBaetkY8R~NfkCT zZ;*c49cpfMNtf1EZS4%{)Y6~3{Z>Eyr@PG>r>0%otv&S6uJB-w%U~^cDZOA{vN;kw z23;b1DSIWIM?zbeJ3%*gH3wQ;@`XkFiX%Htw|Du=QSlS>ai4#Sebvr5CE7`~y946@ zGvKn!*@f(qlbVOwWqjeo{<0Z{kCb=wB{k;?73|BYJor9J?+JvDxTM)!wvcinHZXfT z-K=k-pX{mbLR4|Rvb>mDDQCt3mnE2mCT1L^yL+~Ux?LgzrBK7X5ViHRT9Y)?6D&uK zIw;o@vX0TWdpi2sTsBL~c{_U{r^}B}Xt%^q=dPtz>X@#=uTf? 
z?>3iwX{}&imHFv(39`9m9)N2QMVWnwcK7eG9;NgB5$h2K*j&A8XYzKzf&4K2roYpQ z(B1w(DC}~QUMnoa1Iiqr`hj3C@CjsY;7Wm|n3;Vp{zW^VvoATG<1|0eY3-%!15L$V zmyST5aq-qL?9P-S;9-~O;up(>cq8=>MLYj-HC$S@;nguek}99H2{fLS$La+FX< z#Mm>dW`wRlu&A~zvi2;WrAXaLS5iN~DRMB)A7jgNOruFjRZOZKMgT{G6d4O2nYC%1 zBIi4x8jSHVb*uy$l{jYnATzP8RDCMWe8mu0 zN;<+fd=GaO`viPxL7D0;`5EJ*Pg-2XX_;6>E_zZ8x&lZG5wjK`sz`uJ)x&4C zvujXl$#{eZRag48Si&(oBbS0oFcGn-4X7v*;?KqR{;2w z3gM9G)*#{v*(2d1w#s(?N-&gek_F(`@>lpMowO#v5QL8`rKAbAl$N2QGO(a!z(=$; zSAx%T_E{_m&_CHW54$n|QV9%4QZ4XhTcQ%udsIkTwvW#Y3?`0h0F_}!k_jith&B}g z_NW9v#vOEhsG*2Zl1mrgIV5)k6$l{}D)FH&H9@EcO+7)+8XBnxL&1^BTg~K!bd6_BU-6%6=*O3O&CB3EXmZUno=?eRZNr` zg8*{GAb{KHQR4`JBm)E(G5olzsj!vN^(%iV7@8#e5ZP~L+pEQ{PdKZG^n5>k=rfJF z);L7~%rvrrQ#qc%@74T6JUxKpjNC9EX3}6B&ibawR`8FuZs8~69sHFRSF37OlpjDR zqlf@!bbtu+_LZE%(H7=&%P`+1KKd=~*w0;+(*PBfO2Frg@rf3jb{93eYU32UxQ=Pw z!kUi_hhPXG^8rV5#u54|8N;d2JJrromPkyFGte?yunou=iGx=*7J^CdLCdj)-b)MM zNH#P8oi>2#7`{|A%GyFhUj`691yE%>8#fta1dtXS+88M68V(gvR=Kky;7MZxy2j8W zYP57jp>2{-2d5xF5JQ5a0y2;f@rFx~UFq0>`pZ!xw9N461cWdxjCwWWT?|N0{V=@35~SL)frtz|QR#c3m-<3huc7~nW@2auY>sQ`t( z=p;9e5D#>OzfYc~@xK9@qzBzJN$&2b1o!}lxstNu_EX7x+!3G?H#(Tfjgjed_BcyX z71@Fu?h7BP8m*%@PXu3_^j2Cd!8J(3qaF0psW7dN`l#$okX{+B;@?55f^MAZpt@-< z-D3%JsOp%OP|vX{{&#^EQZzf1D^SZ`P?l`JejdtQY?ihBPb;?<- zty=n$;r`aF9~!A&OLv@bY{$*I;;dG)mR2#?3`4s;=%Wu$_~_n=kWS+Egs_)E4iIHR?4r;oD?iEe!CB3ZvumF7+AHx$y?0?4$3D zR|)OCz%O=6k)BvuT6O$aOgQSj6Mo}6px5Uof_l9@(PV!6d{?shLRKKQBpkz|&idk{ zkFF(Ztj#DocaMIUXr#AJqLK7oqRFau_UUjJyJ zUr##F{yOPEZJcse6gKYjQerAfuTBN&n^W6qgd6?FRD@Pe2YD8}^uMV#ro*&98KS>) z^Rvlq)H5BVA0@+99pcja$q0Qb5#(u#>h;zsFO5%!v`5g_4gJgM7$uWI`UkIwhUwce z6SnHLmvb{QdYz@;p9#|~j`P+`2ffE};K6q?L@zTQSUh|(T%y-p^v{?Mv;EzZF>Tj8 z>-d4qw4tYtd+C|kPC9ea$?fggHu~EK*MqkCo4OKWq@8Vl%GnFi_) zSP$#1Q|096;S_p|>Ho4l`0GqRtLav44-6miE<|4N6+7+tLT;x{hv>+pljn1%>*#M> z$zO4<;Qi%vgre-HhBp|{Vpk)O5Uxnkb&40>q3*{Y@9 z=@!b*hv;eUD{%aHK1_4$^N+kD-`cZIy7Ua5sN0tm)^^IeKvO);Zq4Z1d^4CQDKMV*&lw@9`=cF8!!e^knHrT+z+Pj?$sW 
zf*!AzEm+s*EOpKjb(XlZtYhJK!!MiI|qecci3;P(-~=7^(gbU);G9r5~Ci0i)wX#D@@{jG?caoVyj*trQ`%1h=|=ij+S?TUvbIN2Ivvo` z^)E}gf8W#6a?8V>0`&WI1M8O42kFC}b&FyP{^l2S;Po%zh+C9g@Oya4E<8o+3l&zJ zmKOpI>v0Cgu@qz1pBF5u&$O4tc|Zp z#B#Q-UToeBIb_PB;f%k=nK#4ofCa^Ci|wAMML%$s*B9GsqQ2wH;s$BuM6^)R9F@W-DxU+a98P^u{ZQtJN!-{%4V diff --git a/internal/pkg/selinux/policy/selinux/common/files.cil b/internal/pkg/selinux/policy/selinux/common/files.cil new file mode 100644 index 000000000..e50448106 --- /dev/null +++ b/internal/pkg/selinux/policy/selinux/common/files.cil @@ -0,0 +1,26 @@ +; Runtime and mounted filesystems +(type system_t) +(call filesystem_f (system_t)) +(allow system_t tmpfs_t (filesystem (associate))) + +(type system_etc_t) +(call system_f (system_etc_t)) +(allow system_etc_t fs_t (filesystem (associate))) +(allow system_etc_t tmpfs_t (filesystem (associate))) +(type system_var_t) +(call system_f (system_var_t)) +(allow system_var_t fs_t (filesystem (associate))) +(allow system_var_t tmpfs_t (filesystem (associate))) + +(type ephemeral_t) +(call filesystem_f (ephemeral_t)) +(type system_state_t) +(call filesystem_f (system_state_t)) + +(type run_t) +(call filesystem_f (run_t)) +(allow run_t tmpfs_t (filesystem (associate))) + +(type opt_t) +(call filesystem_f (opt_t)) +(filecon "/opt(/.*)?" any (system_u object_r opt_t (systemLow systemLow))) diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil index 55a5af322..9288c081a 100644 --- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil +++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil @@ -61,6 +61,7 @@ ) (allow filesystem_f self (filesystem (associate))) +(allow any_f fs_t (filesystem (associate))) (allow filesystem_f fs_t (filesystem (associate))) (typeattribute service_exec_f) 
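Review bot: `(allow any_f fs_t (filesystem (associate)))` in `typeattributes.cil` is a blanket grant: every type carrying the `any_f` attribute may now be associated with an `fs_t` filesystem, which makes the per-type rules added in the new `files.cil` (`system_etc_t` and `system_var_t` to `fs_t`) redundant if those types are `any_f`, and, if `any_f` is as broad as its name suggests, stops filesystem association from limiting where labelled files can appear. The hunk does not say which type needed it; a comment naming that type, `; <type> needs associate on fs_t because …`, or a rule for that type alone in the style of the `files.cil` ones, keeps the policy auditable. The definition of `any_f` is outside this diff, so this is a question rather than a finding.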
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index 1c1029904..58440404a 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -2,24 +2,48 @@
 (type pod_containerd_t)
 (call service_p (pod_containerd_t containerd_exec_t))
-; TODO: label /run
+(type pod_containerd_socket_t)
+(call system_socket_f (pod_containerd_socket_t))
+(typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t)
 (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition)))
 (allow pod_containerd_t pod_p (process (transition)))
 (type pod_t)
 (call pod_p (pod_t))
-; TODO: label ephemeral
+; TODO: What if container is started not from containerd_state_t?
+(typetransition pod_containerd_t containerd_state_t process pod_t)
+(allow pod_t containerd_state_t (file (entrypoint execute_no_trans)))
 (type etcd_t)
 (call pod_p (etcd_t))
-; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral)
+; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
+(allow etcd_t containerd_state_t (file (entrypoint)))
 (type etcd_pki_t)
 (call protected_f (etcd_pki_t))
 (allow etcd_pki_t tmpfs_t (filesystem (associate)))
 (allow etcd_t etcd_pki_t (fs_classes (ro)))
+(type cni_conf_t)
+(call filesystem_f (cni_conf_t))
+(filecon "/etc/cni(/.*)?" any (system_u object_r cni_conf_t (systemLow systemLow)))
+
+(type cni_plugin_t)
+(call filesystem_f (cni_plugin_t))
+(filecon "/opt/cni(/.*)?" any (system_u object_r cni_plugin_t (systemLow systemLow)))
+
+(type containerd_plugin_t)
+(call filesystem_f (containerd_plugin_t))
+(filecon "/opt/containerd(/.*)?" any (system_u object_r containerd_plugin_t (systemLow systemLow)))
+
+(type etcd_data_t)
+(call protected_f (etcd_data_t))
+(allow etcd_t etcd_data_t (fs_classes (rw)))
+
+(type containerd_state_t)
+(call common_f (containerd_state_t))
+
 (type kube_apiserver_config_t)
 (call protected_f (kube_apiserver_config_t))
 (allow kube_apiserver_config_t tmpfs_t (filesystem (associate)))
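Review bot: After this hunk etcd_t (`(allow etcd_t containerd_state_t (file (entrypoint)))`), the generic pod_t and kubelet_t (same rule in kubelet.cil, next hunk) all use containerd_state_t as their entrypoint type, so the FIXME kept above the etcd rule is still accurate: no file type distinguishes the binaries that may enter the privileged domains from any other container image, and containerd_state_t is labeled via `common_f`, which reads as a broad type to serve as an entrypoint. A dedicated entrypoint type for the etcd and kubelet executables, or failing that a comment recording that entry into these domains is gated by the runtime's label request rather than by the policy, would make the trust boundary explicit. etcd_t is also granted only `entrypoint` while pod_t and kubelet_t get `entrypoint execute_no_trans`; if that difference is intentional, a short comment next to the etcd rule would help.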
diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
index 041775eaa..d451bf6e6 100644
--- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil
+++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
@@ -1,3 +1,15 @@
 (type kubelet_t)
 (call pod_p (kubelet_t))
-; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral)
+; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
+(allow kubelet_t containerd_state_t (file (entrypoint execute_no_trans)))
+
+(type k8s_conf_t)
+(call filesystem_f (k8s_conf_t))
+(filecon "/etc/kubernetes(/.*)?" any (system_u object_r k8s_conf_t (systemLow systemLow)))
+
+(type k8s_plugin_t)
+(call filesystem_f (k8s_plugin_t))
+(filecon "/usr/libexec/kubernetes(/.*)?" any (system_u object_r k8s_plugin_t (systemLow systemLow)))
+
+(type kubelet_state_t)
+(call system_f (kubelet_state_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index 9744bc57b..2b515625f 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -9,7 +9,9 @@
 (type sys_containerd_t)
 (call service_p (sys_containerd_t containerd_exec_t))
-; TODO: label /system
+(type sys_containerd_socket_t)
+(call system_socket_f (sys_containerd_socket_t))
+(typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t)
 (allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition)))
 (allow sys_containerd_t system_container_p (process (transition)))
@@ -22,4 +24,4 @@
 ; Talos installer
 (type installer_t)
 (call system_container_p (installer_t))
-; TODO: label /system/var where it's stored
+(allow installer_t system_var_t (file (entrypoint execute_no_trans)))
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index 37d81fba2..c47fc7e56 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -14,7 +14,11 @@
 (type udev_t)
 (call service_p (udev_t udev_exec_t))
-; TODO: label /run
+(type udev_socket_t)
+(call system_socket_f (udev_socket_t))
+(typetransition udev_t run_t sock_file udev_socket_t)
+; udevadm called by machined in its context
+(allow init_t udev_t (unix_stream_socket (connectto)))
 (type modprobe_exec_t)
 (call system_f (modprobe_exec_t))
diff --git a/pkg/machinery/api/resource/definitions/block/block.pb.go b/pkg/machinery/api/resource/definitions/block/block.pb.go
index acede9f76..ff9f172b1 100644
--- a/pkg/machinery/api/resource/definitions/block/block.pb.go
+++ b/pkg/machinery/api/resource/definitions/block/block.pb.go
@@ -898,7 +898,8 @@ type MountSpec struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- TargetPath string `protobuf:"bytes,1,opt,name=target_path,json=targetPath,proto3" json:"target_path,omitempty"`
+ TargetPath string `protobuf:"bytes,1,opt,name=target_path,json=targetPath,proto3" json:"target_path,omitempty"`
+ SelinuxLabel string `protobuf:"bytes,2,opt,name=selinux_label,json=selinuxLabel,proto3" json:"selinux_label,omitempty"`
 }
 func (x *MountSpec) Reset() {
@@ -938,6 +939,13 @@ func (x *MountSpec) GetTargetPath() string {
 return ""
 }
+func (x *MountSpec) GetSelinuxLabel() string {
+ if x != nil {
+ return x.SelinuxLabel
+ }
+ return ""
+}
+
 // PartitionSpec is the spec for volume partitioning.
 type PartitionSpec struct {
 state protoimpl.MessageState
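Review bot: `(allow init_t udev_t (unix_stream_socket (connectto)))` covers the connect to the udevd process socket, but reaching it also needs init_t write access on the sock_file, which after this hunk is typed udev_socket_t through the new typetransition; whether init_t already holds that via system_socket_f or a broader rule is not visible in this hunk, so it is worth confirming with a denial-free udevadm call under enforcing mode. The comment `; udevadm called by machined in its context` could state the consequence it justifies, e.g. `; udevadm runs from machined without a domain transition, so init_t must connect to udevd's control socket`.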
@@ -1571,122 +1579,125 @@ var file_resource_definitions_block_block_proto_rawDesc = []byte{ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x65, 0x78, 0x70, 0x72, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x65, 0x64, 0x45, 0x78, 0x70, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x22, 0x2c, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, + 0x63, 0x68, 0x22, 0x51, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, - 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, - 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, - 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x72, 0x6f, 0x77, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72, 0x6f, 0x77, 0x12, 0x14, 0x0a, 0x05, - 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, - 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, 0x55, 0x75, 0x69, 0x64, 0x22, - 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, - 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x73, 0x65, 0x6c, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x74, 0x61, - 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 
0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x44, - 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x0c, 0x64, 0x69, 0x73, - 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x56, 0x0a, 0x0e, 0x70, 0x61, 0x72, - 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, - 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, - 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, - 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, - 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, - 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, - 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, - 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, - 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, - 0x22, 0x44, 0x0a, 0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x64, - 0x65, 0x76, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x64, - 0x65, 0x76, 0x50, 0x61, 0x74, 0x68, 0x22, 0x30, 0x0a, 0x18, 0x55, 0x73, 0x65, 0x72, 0x44, 
0x69, - 0x73, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 0xac, 0x03, 0x0a, 0x10, 0x56, 0x6f, 0x6c, - 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, - 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x45, 0x0a, 0x04, 0x74, 0x79, - 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, - 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, - 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, - 0x65, 0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, - 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, - 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, - 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0c, 0x70, 0x72, 0x6f, - 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x07, 0x6c, 0x6f, 0x63, - 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x61, 0x6c, - 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4c, 0x6f, - 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, - 0x6f, 0x72, 0x12, 0x41, 0x0a, 
0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, - 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x05, - 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50, 0x0a, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, - 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x45, 0x6e, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0a, 0x65, 0x6e, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x05, 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, - 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x48, 0x0a, 0x05, - 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, - 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, - 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, - 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, - 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 
0x12, 0x25, 0x0a, 0x0e, 0x70, - 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x75, - 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x5f, 0x70, - 0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, - 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, - 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x0c, - 0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0f, - 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, - 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x12, - 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x04, 0x73, 0x69, - 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, - 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, + 0x12, 0x23, 0x0a, 0x0d, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x5f, 0x6c, 0x61, 0x62, 0x65, + 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, + 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f, 0x73, + 0x69, 
0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53, 0x69, + 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, + 0x04, 0x67, 0x72, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72, 0x6f, + 0x77, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f, + 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, + 0x55, 0x75, 0x69, 0x64, 0x22, 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69, 0x73, + 0x6b, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x2e, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, + 0x6f, 0x63, 0x6b, 0x2e, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x52, 0x0c, 0x64, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x56, + 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65, 0x63, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46, - 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x66, - 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, - 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 
0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, - 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3d, 0x2e, + 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66, 0x69, + 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, + 0x6d, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, + 0x6d, 0x53, 0x70, 0x65, 0x63, 0x22, 0x44, 0x0a, 0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, + 0x69, 0x73, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, + 0x12, 0x19, 0x0a, 0x08, 0x64, 0x65, 0x76, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x76, 0x50, 0x61, 0x74, 0x68, 0x22, 0x30, 0x0a, 0x18, 0x55, + 0x73, 0x65, 0x72, 0x44, 0x69, 0x73, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 
0xac, 0x03, + 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, + 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, + 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, - 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x52, 0x12, 0x65, 0x6e, - 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, - 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x53, 0x69, 0x7a, - 0x65, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x5a, 0x48, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, - 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, - 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 
0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, + 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, + 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, + 0x52, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, + 0x0a, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x2d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, + 0x63, 0x6b, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07, + 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x41, 0x0a, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, + 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, + 0x70, 0x65, 0x63, 0x52, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50, 0x0a, 0x0a, 0x65, 0x6e, + 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, + 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, + 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, + 0x6b, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, + 0x52, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x05, 0x0a, + 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 
0x73, 0x53, 0x70, 0x65, + 0x63, 0x12, 0x48, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, + 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, + 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, + 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, + 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04, + 0x75, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, + 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75, 0x75, + 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x55, 0x75, 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f, 0x66, + 0x61, 0x69, 0x6c, 0x5f, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, + 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, + 0x61, 0x73, 0x65, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61, 0x73, + 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x65, + 0x6e, 0x74, 
0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, + 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, + 0x64, 0x65, 0x78, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, + 0x04, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, + 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, + 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, + 0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, + 0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x25, + 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x3d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, + 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72, 0x79, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, + 0x65, 0x52, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x5f, + 0x73, 0x69, 0x7a, 0x65, 0x18, 0x0d, 0x20, 0x01, 
0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x74, + 0x74, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, + 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, + 0x63, 0x6b, 0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, + 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, + 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, + 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go b/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go index 640a88e21..4132d9661 100644 --- a/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go +++ b/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go @@ -829,6 +829,13 @@ func (m *MountSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } + if len(m.SelinuxLabel) > 0 { + i -= len(m.SelinuxLabel) + copy(dAtA[i:], m.SelinuxLabel) + i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.SelinuxLabel))) + i-- + dAtA[i] = 0x12 + } if len(m.TargetPath) > 0 { i -= len(m.TargetPath) copy(dAtA[i:], m.TargetPath) @@ -1609,6 +1616,10 @@ func (m *MountSpec) SizeVT() (n int) { if l > 0 { n += 1 + l + protohelpers.SizeOfVarint(uint64(l)) } + l = len(m.SelinuxLabel) + if l > 0 { + n += 1 + l + protohelpers.SizeOfVarint(uint64(l)) + } n += len(m.unknownFields) return n } 
@@ -4002,6 +4013,38 @@ func (m *MountSpec) UnmarshalVT(dAtA []byte) error {
 }
 m.TargetPath = string(dAtA[iNdEx:postIndex])
 iNdEx = postIndex
+ case 2:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field SelinuxLabel", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return protohelpers.ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return protohelpers.ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return protohelpers.ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.SelinuxLabel = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
 default:
 iNdEx = preIndex
 skippy, err := protohelpers.Skip(dAtA[iNdEx:])
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index f7f5228ce..d678e5ff9 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -193,6 +193,9 @@ const (
 // the state path.
 StateMountPoint = "/system/state"
+ // StateSelinuxLabel is the label to be assigned to the state mount.
+ StateSelinuxLabel = "system_u:object_r:system_state_t:s0"
+
 // BootPartitionLabel is the label of the partition to use for mounting at
 // the boot path.
 BootPartitionLabel = "BOOT"
@@ -209,6 +212,12 @@ const (
 // the data path.
 EphemeralMountPoint = "/var"
+ // EphemeralSelinuxLabel is the label to be assigned to the ephemeral mount.
+ EphemeralSelinuxLabel = "system_u:object_r:ephemeral_t:s0"
+
+ // OptSELinuxLabel is the SELinux label to be set for /opt overlay mount.
+ OptSELinuxLabel = "system_u:object_r:opt_t:s0"
+
 // RootMountPoint is the label of the partition to use for mounting at
 // the root path.
 RootMountPoint = "/"
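Review bot: The new constants spell the initialism two ways: `StateSelinuxLabel` and `EphemeralSelinuxLabel` here, `SystemSelinuxLabel`/`RunSelinuxLabel` and `SystemVarSelinuxLabel`/`SystemEtcSelinuxLabel` in the following two hunks, versus `OptSELinuxLabel`, `KubernetesConfigSELinuxLabel`, `KubeletPluginsSELinuxLabel`, `EtcdDataSELinuxLabel`, `CNISELinuxLabel` and the `SELinuxLabeledPath` type. Go keeps an initialism's case consistent, and pkg/machinery is consumed outside this repository, so this is the commit in which renaming is free; picking the `SELinux` form already used by the type and the majority of the constants avoids an exported-API rename later, e.g. `StateSELinuxLabel = "system_u:object_r:system_state_t:s0"`. The doc comments could be aligned the same way, e.g. `// StateSELinuxLabel is the SELinux label to be assigned to the state mount.`, matching the wording of the other entries.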
@@ -226,6 +235,12 @@ const (
 // KubernetesConfigBaseDir is the path to the base Kubernetes configuration directory.
 KubernetesConfigBaseDir = "/etc/kubernetes"
+ // KubernetesConfigSELinuxLabel is the SELinux label to be set for the Kubernetes configuration directory overlay mount.
+ KubernetesConfigSELinuxLabel = "system_u:object_r:k8s_conf_t:s0"
+
+ // KubeletPluginsSELinuxLabel is the SELinux label to be set for the Kubernetes plugin directory overlay mount.
+ KubeletPluginsSELinuxLabel = "system_u:object_r:k8s_plugin_t:s0"
+
 // DefaultCertificatesDir is the path the Kubernetes PKI directory.
 DefaultCertificatesDir = KubernetesConfigBaseDir + "/" + "pki"
@@ -463,6 +478,9 @@ const (
 // EtcdDataPath is the path where etcd stores its' data.
 EtcdDataPath = "/var/lib/etcd"
+ // EtcdDataSELinuxLabel is the SELinux label for the etcd data directory.
+ EtcdDataSELinuxLabel = "system_u:object_r:etcd_data_t:s0"
+
 // EtcdRecoverySnapshotPath is the path where etcd snapshot is uploaded for recovery.
 EtcdRecoverySnapshotPath = "/var/lib/etcd.snapshot"
@@ -681,6 +699,15 @@ const (
 // and directories.
 SystemPath = "/system"
+ // SystemSelinuxLabel is the SELinux label for runtime system related files and directories.
+ SystemSelinuxLabel = "system_u:object_r:system_t:s0"
+
+ // RunPath is the path to the system run directory.
+ RunPath = "/run"
+
+ // RunSelinuxLabel is the SELinux label for the run directory.
+ RunSelinuxLabel = "system_u:object_r:run_t:s0"
+
 // VarSystemOverlaysPath is the path where overlay mounts are created.
 VarSystemOverlaysPath = "/var/system/overlays"
@@ -690,9 +717,15 @@ const ( // SystemVarPath is the path to the system var directory. SystemVarPath = SystemPath + "/var" + // SystemVarSelinuxLabel is the SELinux label for the system var directory. + SystemVarSelinuxLabel = "system_u:object_r:system_var_t:s0" + // SystemEtcPath is the path to the system etc directory. SystemEtcPath = SystemPath + "/etc" + // SystemEtcSelinuxLabel is the SELinux label for the system etc directory. + SystemEtcSelinuxLabel = "system_u:object_r:system_etc_t:s0" + // SystemLibexecPath is the path to the system libexec directory. SystemLibexecPath = SystemPath + "/libexec" @@ -855,6 +888,9 @@ const ( // NoneCNI is the string to indicate that CNI will not be managed by Talos. NoneCNI = "none" + // CNISELinuxLabel is the SELinux label to be set for CNI configuration overlay mount. + CNISELinuxLabel = "system_u:object_r:cni_conf_t:s0" + // DefaultIPv4PodNet is the IPv4 network to be used for kubernetes Pods. DefaultIPv4PodNet = "10.244.0.0/16" @@ -1202,12 +1238,18 @@ const ( CodeKey = "code" ) +// SELinuxLabeledPath is an object used to describe overlay mounts with SELinux labels applied on creation. +type SELinuxLabeledPath struct { + Path string + Label string +} + // Overlays is the set of paths to create overlay mounts for. -var Overlays = []string{ - "/etc/cni", - KubernetesConfigBaseDir, - "/usr/libexec/kubernetes", - "/opt", +var Overlays = []SELinuxLabeledPath{ + {"/etc/cni", CNISELinuxLabel}, + {KubernetesConfigBaseDir, KubernetesConfigSELinuxLabel}, + {"/usr/libexec/kubernetes", KubeletPluginsSELinuxLabel}, + {"/opt", OptSELinuxLabel}, } // DefaultDroppedCapabilities is the default set of capabilities to drop. diff --git a/pkg/machinery/resources/block/volume_config.go b/pkg/machinery/resources/block/volume_config.go index f444cb5a9..a068f3a35 100644 --- a/pkg/machinery/resources/block/volume_config.go +++ b/pkg/machinery/resources/block/volume_config.go 
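Review bot: `SELinuxLabeledPath` in the `-1202` hunk has undocumented fields and `Overlays` fills it with positional literals, so a reader at the call site cannot tell which string is the path and which the context, and inserting a field later would silently shift the values. Use keyed fields for each of the four entries, e.g. `{Path: "/etc/cni", Label: CNISELinuxLabel},`, and document the fields: `// Path is the mount target of the overlay.` and `// Label is the full SELinux security context (user:role:type:level) applied to the mount.` The struct name spells `SELinux` while `SystemVarSelinuxLabel` and `SystemEtcSelinuxLabel` in the `-690` hunk spell it `Selinux`; one spelling should be chosen before these names spread. `Overlays` remains an exported mutable slice, as before the change, so callers can still alter it at runtime.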
@@ -147,6 +147,8 @@ type EncryptionKey struct { type MountSpec struct { // Mount path for the volume. TargetPath string `yaml:"targetPath" protobuf:"1"` + // SELinux label for the volume. + SelinuxLabel string `yaml:"selinuxLabel" protobuf:"2"` } // NewVolumeConfig initializes a BlockVolumeConfig resource. diff --git a/pkg/provision/providers/docker/node.go b/pkg/provision/providers/docker/node.go index 240bea7e3..8b216a2fb 100644 --- a/pkg/provision/providers/docker/node.go +++ b/pkg/provision/providers/docker/node.go @@ -21,6 +21,7 @@ import ( "github.com/docker/docker/api/types/network" "github.com/docker/go-connections/nat" "github.com/hashicorp/go-multierror" + "github.com/siderolabs/gen/xslices" "github.com/siderolabs/talos/pkg/machinery/config/machine" "github.com/siderolabs/talos/pkg/machinery/constants" @@ -125,7 +126,12 @@ func (p *provisioner) createNode(ctx context.Context, clusterReq provision.Clust }) } - for _, path := range append([]string{constants.EphemeralMountPoint, constants.StateMountPoint}, constants.Overlays...) { + for _, path := range append( + []string{constants.EphemeralMountPoint, constants.StateMountPoint}, + xslices.Map(constants.Overlays, func(overlay constants.SELinuxLabeledPath) string { + return overlay.Path + })..., + ) { mounts = append(mounts, mount.Mount{ Type: mount.TypeVolume, Target: path, diff --git a/website/content/v1.9/reference/api.md b/website/content/v1.9/reference/api.md index 717cf3c26..149a0f102 100644 --- a/website/content/v1.9/reference/api.md +++ b/website/content/v1.9/reference/api.md @@ -1004,6 +1004,7 @@ MountSpec is the spec for volume mount. | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | | target_path | [string](#string) | | | +| selinux_label | [string](#string) | | |
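Review bot: `MountSpec.SelinuxLabel` in the volume_config.go hunk is a free-form string whose comment says neither what format is expected nor what an empty value means, and nothing visible validates it before it reaches the mount path. If this field ever becomes settable from user configuration, an arbitrary context must not be accepted verbatim: an unknown type fails the mount, and an overly permissive one relabels data into a domain the policy did not intend, so validation against the known contexts in `constants` belongs at that boundary. The comment should at least say: `// SELinux security context (user:role:type:level) set on the mount; empty means no context is applied.` — with the empty-value behaviour confirmed against the mount code, which is outside this hunk. The Docker provisioner hunk keeps only `overlay.Path` and drops the label on purpose; a one-line comment saying so (`// Labels are not applied for Docker-backed nodes; only the paths are mounted.`) would save the next reader a search, and `createNode` continues outside the hunk.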
