Confine power-profiles-daemon

dist/targeted/modules.conf

@@ -3063,3 +3063,10 @@ systemd-homed = module
 # Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
 #
 iiosensorproxy = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module

policy/modules/contrib/powerprofiles.fc

@@ -0,0 +1,3 @@
+/usr/libexec/power-profiles-daemon	--	gen_context(system_u:object_r:powerprofiles_exec_t,s0)
+
+/var/lib/power-profiles-daemon(/.*)?		gen_context(system_u:object_r:powerprofiles_var_lib_t,s0)

policy/modules/contrib/powerprofiles.if

@@ -0,0 +1 @@
+##<summary>Power profiles handling over D-Bus</summary>

policy/modules/contrib/powerprofiles.te

@@ -0,0 +1,36 @@
+policy_module(powerprofiles, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type powerprofiles_t;
+type powerprofiles_exec_t;
+init_daemon_domain(powerprofiles_t, powerprofiles_exec_t)
+init_nnp_daemon_domain(powerprofiles_t)
+
+type powerprofiles_var_lib_t;
+files_type(powerprofiles_var_lib_t);
+
+permissive powerprofiles_t;
+
+allow powerprofiles_t powerprofiles_var_lib_t:dir search_dir_perms;
+allow powerprofiles_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_proc_files(powerprofiles_t)
+
+dev_list_sysfs(powerprofiles_t)
+
+optional_policy(`
+	dbus_connect_system_bus(powerprofiles_t)
+	dbus_system_bus_client(powerprofiles_t)
+
+	optional_policy(`
+		policykit_dbus_chat(powerprofiles_t)
+	')
+')
+
+optional_policy(`
+	udev_search_pids(powerprofiles_t)
+')