From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1752565943.7d1bb57cfd2ab2fd16afd5a8187ba8dc173af23f.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: testing/, policy/modules/system/, policy/modules/services/, ...
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.if policy/modules/kernel/kernel.if policy/modules/kernel/selinux.if policy/modules/roles/sysadm.te policy/modules/services/dbus.if policy/modules/system/fwupd.fc policy/modules/system/fwupd.if policy/modules/system/fwupd.te policy/modules/system/unconfined.te policy/modules/system/userdomain.if testing/sechecker.ini
X-VCS-Directories: policy/modules/services/ policy/modules/system/ testing/ policy/modules/roles/ policy/modules/kernel/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 7d1bb57cfd2ab2fd16afd5a8187ba8dc173af23f
X-VCS-Branch: master
Date: Tue, 15 Jul 2025 07:54:14 +0000 (UTC)

commit:     7d1bb57cfd2ab2fd16afd5a8187ba8dc173af23f
Author:     Russell Coker coker com au>
AuthorDate: Tue Jun 17 15:20:07 2025 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d1bb57c

fwupd-fixed-more (#928)

* Policy for the firmware update daemon and the utility program that talks to it

Signed-off-by: Russell Coker coker.com.au>
Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.if | 72 ++++++++++ policy/modules/kernel/kernel.if | 36 +++++ policy/modules/kernel/selinux.if | 19 +++ policy/modules/roles/sysadm.te | 4 + policy/modules/services/dbus.if | 24 ++++ policy/modules/system/fwupd.fc | 9 ++ policy/modules/system/fwupd.if | 36 +++++ policy/modules/system/fwupd.te | 260 ++++++++++++++++++++++++++++++++++++ policy/modules/system/unconfined.te | 4 + policy/modules/system/userdomain.if | 20 +++ testing/sechecker.ini | 1 + 11 files changed, 485 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 7c20041d1..ddd103c88 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2459,6 +2459,24 @@ interface(`dev_rw_framebuffer',` rw_chr_files_pattern($1, device_t, framebuf_device_t) ') +######################################## +## +## Allow read the gpiochip device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_gpiochip',` + gen_require(` + type device_t, gpiochip_device_t; + ') + + read_chr_files_pattern($1, device_t, gpiochip_device_t) +') + ######################################## ## ## Allow read/write the hypervkvp device @@ -2952,6 +2970,24 @@ interface(`dev_dontaudit_rw_mei',` dontaudit $1 mei_device_t:chr_file rw_chr_file_perms; ') +######################################## +## +## Read and write the Intel mei control device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_mei',` + gen_require(` + type device_t, mei_device_t; + ') + + rw_chr_files_pattern($1, device_t, mei_device_t) +') + ######################################## ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). 
@@ -4829,6 +4865,42 @@ interface(`dev_relabel_sysfs_dirs',` relabel_dirs_pattern($1, sysfs_t, sysfs_t) ') +######################################## +## +## Allow watching sysfs dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_watch_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir watch; +') + +######################################## +## +## Allow mapping sysfs files +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_map_sysfs_files',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:file map; +') + ######################################## ## ## Relabel from/to all sysfs types. diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 2535e7bfb..5eafcc9f2 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -1003,6 +1003,24 @@ interface(`kernel_dontaudit_getattr_proc',` dontaudit $1 proc_t:filesystem getattr; ') +######################################## +## +## Watch proc dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_watch_proc_dirs',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir watch; +') + ######################################## ## ## Mount on proc directories. (Deprecated) @@ -2220,6 +2238,24 @@ interface(`kernel_dontaudit_search_kernel_sysctl',` dontaudit $1 sysctl_kernel_t:dir search; ') +######################################## +## +## Allow watching sysctl kernel dirs +## +## +## +## Domain to allow watching. +## +## +# +interface(`kernel_watch_kernel_sysctl_dirs',` + gen_require(` + type sysctl_kernel_t; + ') + + allow $1 sysctl_kernel_t:dir watch; +') + ####################################### ## ## Do not audit attempted reading of kernel sysctls diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 8f3dca6c1..ad07fc937 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if 
@@ -752,6 +752,25 @@ interface(`selinux_use_status_page',` allow $1 security_t:file mmap_read_file_perms; ') +######################################## +## +## Allows the caller to watch SE Linux status dir +## +## +## +## Domain allowed access. +## +## +## +# +interface(`selinux_watch_status_page',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir watch; +') + ######################################## ## ## Unconfined access to the SELinux kernel security server. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 4cab19ea7..d5decb69b 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -440,6 +440,10 @@ optional_policy(` ftp_admin(sysadm_t, sysadm_r) ') +optional_policy(` + fwupd_run(sysadm_t, sysadm_r) +') + optional_policy(` gatekeeper_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 2ec41ef54..699c78b25 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -651,6 +651,30 @@ interface(`dbus_use_system_bus_pidfds',` allow $1 system_dbusd_t:fd use; ') +######################################## +## +## Allow DBUS system bus to receive file handles +## +## +## +## Domain to receive fds from +## +## +## +## +## Type of file to receive +## +## +# +interface(`dbus_system_bus_receive_file_handle',` + gen_require(` + type system_dbusd_t; + ') + + allow system_dbusd_t $1:fd use; + allow system_dbusd_t $2:file rw_inherited_file_perms; +') + ######################################## ## ## Do not audit attempts to read and diff --git a/policy/modules/system/fwupd.fc b/policy/modules/system/fwupd.fc new file mode 100644 index 000000000..4931c4bae --- /dev/null +++ b/policy/modules/system/fwupd.fc 
@@ -0,0 +1,9 @@ +/etc/fwupd(/.*)? gen_context(system_u:object_r:fwupd_conf_t,s0) + +/usr/bin/fwupdmgr -- gen_context(system_u:object_r:fwupdmgr_exec_t,s0) + +/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) + +/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0) + +/var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) diff --git a/policy/modules/system/fwupd.if b/policy/modules/system/fwupd.if new file mode 100644 index 000000000..be3d0bd10 --- /dev/null +++ b/policy/modules/system/fwupd.if @@ -0,0 +1,36 @@ +## Policy for firmwate update daemon and utility. +## +## +## You can either use a GUI software manager like GNOME Software to view and +## apply updates, the command-line tool or the system D-Bus interface directly. +## Firmware updates are supported for a variety of technologies. +## See https://github.com/fwupd/fwupd for details +## + +######################################## +## +## Execute fwupd in the user role +## the kmod domain, and use the caller's terminal. +## Has a sigchld backchannel. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`fwupd_run',` + gen_require(` + attribute_role fwupdmgr_roles; + type fwupdmgr_exec_t, fwupdmgr_t; + ') + + domtrans_pattern($1, fwupdmgr_exec_t, fwupdmgr_t) + roleattribute $2 fwupdmgr_roles; +') diff --git a/policy/modules/system/fwupd.te b/policy/modules/system/fwupd.te new file mode 100644 index 000000000..34ad6bc21 --- /dev/null +++ b/policy/modules/system/fwupd.te 
@@ -0,0 +1,260 @@ +policy_module(fwupd) + +gen_require(` + class dbus all_dbus_perms; +') + +######################################## +# +# Policy for firmwate update daemon and utility +# Debian package fwupd +# + +######################################## +# +# Declarations +# + +type fwupd_t; +type fwupd_exec_t; +init_daemon_domain(fwupd_t, fwupd_exec_t) + +attribute_role fwupdmgr_roles; +type fwupdmgr_t; +type fwupdmgr_exec_t; +application_domain(fwupdmgr_t, fwupdmgr_exec_t) +role fwupdmgr_roles types fwupdmgr_t; + +type fwupd_cache_t; +files_type(fwupd_cache_t) + +type fwupd_conf_t; +files_type(fwupd_conf_t) + +type fwupd_runtime_t; +files_runtime_file(fwupd_runtime_t) + +type fwupd_var_lib_t; +files_type(fwupd_var_lib_t) + +type fwupdmgr_tmpfs_t; +files_tmpfs_file(fwupdmgr_tmpfs_t) + +######################################## +# +# Local policy +# + +dontaudit fwupd_t self:capability net_admin; +# sys_admin is for "FuPluginUefiCapsule skipping device that failed coldplug: failed to read fw_class" +# linux_immutable is for setting /sys/firmware/efi/efivars/* as mutable +allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_admin }; +allow fwupd_t self:fifo_file rw_fifo_file_perms; +allow fwupd_t self:process getsched; +allow fwupd_t self:udp_socket { create connect getattr }; +allow fwupd_t self:tcp_socket { create connect }; +allow fwupd_t self:netlink_route_socket { create bind getattr nlmsg_read read write }; + +allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow fwupd_t fwupd_conf_t:dir { watch list_dir_perms }; +allow fwupd_t fwupd_conf_t:file { map read_file_perms }; + +allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms }; +allow fwupd_t fwupd_var_lib_t:file mmap_manage_file_perms; + +allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms }; +allow fwupd_t fwupd_cache_t:file mmap_manage_file_perms; + +auth_use_pam_motd_dynamic(fwupd_t) + +allow fwupd_t fwupd_runtime_t:file manage_file_perms; 
+allow fwupd_t fwupdmgr_tmpfs_t:file rw_inherited_file_perms; + +kernel_read_kernel_sysctls(fwupd_t) +# for /proc/filesystems etc +kernel_read_system_state(fwupd_t) +kernel_read_vm_overcommit_sysctl(fwupd_t) +kernel_watch_kernel_sysctl_dirs(fwupd_t) +kernel_watch_proc_dirs(fwupd_t) + +dev_getattr_sysfs(fwupd_t) +dev_map_sysfs_files(fwupd_t) +dev_read_gpiochip(fwupd_t) +dev_read_urand(fwupd_t) +dev_read_sysfs(fwupd_t) +dev_rw_acpi_bios(fwupd_t) +dev_rw_cpu_microcode(fwupd_t) +dev_rw_dri(fwupd_t) +dev_rw_generic_usb_dev(fwupd_t) +dev_rw_mei(fwupd_t) +dev_rw_tpm(fwupd_t) +dev_rw_xserver_misc(fwupd_t) +dev_rx_raw_memory(fwupd_t) +dev_watch_sysfs_dirs(fwupd_t) + +corecmd_exec_bin(fwupd_t) +corecmd_list_bin(fwupd_t) +corecmd_watch_bin_dirs(fwupd_t) + +corenet_tcp_connect_generic_port(fwupd_t) + +files_map_usr_files(fwupd_t) +files_read_etc_files(fwupd_t) +files_read_etc_runtime_files(fwupd_t) +files_read_etc_symlinks(fwupd_t) +files_read_usr_files(fwupd_t) +files_search_locks(fwupd_t) +files_search_var_lib(fwupd_t) +files_search_boot(fwupd_t) +files_watch_etc_dirs(fwupd_t) +files_watch_usr_dirs(fwupd_t) + +fs_manage_efivarfs_files(fwupd_t) +fs_getattr_dos_fs(fwupd_t) +fs_getattr_efivarfs(fwupd_t) + +fs_manage_dos_dirs(fwupd_t) +fs_manage_dos_files(fwupd_t) +fs_mmap_read_dos_files(fwupd_t) + +init_get_generic_units_status(fwupd_t) +init_get_system_status(fwupd_t) + +# for cgroup file of init_t process +init_read_state(fwupd_t) + +miscfiles_read_generic_certs(fwupd_t) +miscfiles_read_localization(fwupd_t) + +mount_read_runtime_files(fwupd_t) + +selinux_get_enforce_mode(fwupd_t) +selinux_get_fs_mount(fwupd_t) +seutil_search_default_contexts(fwupd_t) +selinux_watch_status_page(fwupd_t) + +storage_raw_read_fixed_disk(fwupd_t) +storage_raw_write_fixed_disk(fwupd_t) + +sysnet_read_config(fwupd_t) + +udev_read_runtime_files(fwupd_t) + +optional_policy(` + bluetooth_dbus_chat(fwupd_t) +') + +optional_policy(` + dbus_read_lib_files(fwupd_t) + dbus_system_bus_client(fwupd_t) + 
dbus_connect_system_bus(fwupd_t) + dbus_use_system_bus_fds(fwupd_t) +') + +optional_policy(` + devicekit_dbus_chat_disk(fwupd_t) + devicekit_dbus_chat_power(fwupd_t) +') + +optional_policy(` + gpg_exec(fwupd_t) +') + +optional_policy(` + init_dbus_chat(fwupd_t) +') + +optional_policy(` + low_mem_mon_dbus_chat(fwupd_t) +') + +optional_policy(` + modemmanager_dbus_chat(fwupd_t) +') + +optional_policy(` + networkmanager_read_runtime_files(fwupd_t) +') + +optional_policy(` + policykit_dbus_chat(fwupd_t) +') + +optional_policy(` + systemd_dbus_chat_logind(fwupd_t) + systemd_use_logind_fds(fwupd_t) + systemd_write_inherited_logind_inhibit_pipes(fwupd_t) +') + +######################################## +# +# Local policy +# + +allow fwupdmgr_t self:process signal; +allow fwupdmgr_t self:fifo_file rw_fifo_file_perms; + +fs_tmpfs_filetrans(fwupdmgr_t, fwupdmgr_tmpfs_t, { file }) +allow fwupdmgr_t fwupdmgr_tmpfs_t:file manage_file_perms; + +allow fwupdmgr_t fwupd_t:dbus send_msg; +allow fwupd_t fwupdmgr_t:dbus send_msg; +allow fwupd_t fwupdmgr_t:fd use; + +kernel_read_system_state(fwupdmgr_t) +kernel_read_vm_overcommit_sysctl(fwupdmgr_t) + +corecmd_exec_bin(fwupdmgr_t) +domain_use_interactive_fds(fwupdmgr_t) + +sysnet_dns_name_resolve(fwupdmgr_t) +sysnet_read_config(fwupdmgr_t) +corenet_tcp_connect_generic_port(fwupdmgr_t) +corenet_tcp_connect_http_port(fwupdmgr_t) + +files_read_etc_files(fwupdmgr_t) +files_read_etc_symlinks(fwupdmgr_t) +files_read_usr_files(fwupdmgr_t) +files_map_usr_files(fwupdmgr_t) + +miscfiles_read_generic_certs(fwupdmgr_t) +miscfiles_read_localization(fwupdmgr_t) + +userdom_use_user_ptys(fwupdmgr_t) +userdom_use_user_ttys(fwupdmgr_t) +userdom_search_user_home_dirs(fwupdmgr_t) + +# for dconf +userdom_map_user_tmp_files(fwupdmgr_t) +userdom_rw_user_tmp_files(fwupdmgr_t) +userdom_manage_user_runtime_dirs(fwupdmgr_t) +userdom_mmap_manage_user_runtime_files(fwupdmgr_t) +xdg_search_config_dirs(fwupdmgr_t) + +optional_policy(` + 
dbus_list_system_bus_runtime(fwupdmgr_t) + dbus_write_session_runtime_socket(fwupdmgr_t) + dbus_system_bus_client(fwupdmgr_t) + dbus_system_bus_receive_file_handle(fwupdmgr_t, fwupdmgr_tmpfs_t) +') + +optional_policy(` + networkmanager_dbus_chat(fwupdmgr_t) +') + +optional_policy(` + policykit_dbus_chat(fwupdmgr_t) +') + +optional_policy(` + systemd_dbus_chat_logind(fwupdmgr_t) + systemd_read_logind_state(fwupdmgr_t) + systemd_use_logind_fds(fwupdmgr_t) + systemd_write_inherited_logind_inhibit_pipes(fwupdmgr_t) +') + +optional_policy(` + unconfined_dbus_send(fwupdmgr_t) + unconfined_stream_connect(fwupdmgr_t) +') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 759c83776..b9c8173ae 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -118,6 +118,10 @@ optional_policy(` ftp_run_ftpdctl(unconfined_t, unconfined_r) ') +optional_policy(` + fwupd_run(unconfined_t, unconfined_r) +') + optional_policy(` hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r) ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index cdcc3f36e..6956b9b4e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3762,6 +3762,26 @@ interface(`userdom_watch_user_runtime_dirs',` userdom_search_user_runtime_root($1) ') +######################################## +## +## Manage user runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_mmap_manage_user_runtime_files',` + gen_require(` + type user_runtime_t; + ') + + allow $1 user_runtime_t:dir rw_dir_perms; + allow $1 user_runtime_t:file mmap_manage_file_perms; + userdom_search_user_runtime_root($1) +') + ######################################## ## ## Mount a filesystem on user runtime dir diff --git a/testing/sechecker.ini b/testing/sechecker.ini index f5f85ce3e..d6e9e1574 100644 --- a/testing/sechecker.ini 
+++ b/testing/sechecker.ini @@ -199,6 +199,7 @@ exempt_source = abrt_t # Conditional access (allow_raw_memory_acces dmidecode_t fsadm_t fsdaemon_t + fwupd_t # needs raw access to storage for storage firmware updates hddtemp_t hwclock_t init_t
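Review bot: in devices.if, the summary "Allow read the gpiochip device" for dev_read_gpiochip is ungrammatical; write it as "Read the gpiochip device." in the form used by dev_rw_mei's summary ("Read and write the Intel mei control device.") added in the same file.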
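Review bot: in kernel.if, the parameter description of kernel_watch_kernel_sysctl_dirs reads "Domain to allow watching." while every neighbouring interface, including the new kernel_watch_proc_dirs, uses "Domain allowed access."; keep the standard wording so the generated interface documentation stays uniform.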
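Review bot: in selinux.if, selinux_watch_status_page is named after the status page but its only rule is `allow $1 security_t:dir watch;` on the selinuxfs directory, and its summary says "watch SE Linux status dir"; either give the interface a name that says it watches the directory, or have the summary explain that the watch is on the directory holding the status page (the neighbouring selinux_use_status_page operates on the file). "SE Linux" should also be "SELinux" to match the surrounding interfaces.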
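Review bot: in dbus.if, dbus_system_bus_receive_file_handle grants permissions to system_dbusd_t rather than to the calling domain, which inverts the convention of its neighbours (dbus_use_system_bus_pidfds grants `allow $1 system_dbusd_t:fd use;`); the summary "Allow DBUS system bus to receive file handles" should state explicitly that $1 is the domain sending the descriptor and that the bus daemon receives `$1:fd use` plus rw_inherited_file_perms on $2, so callers do not read it as a grant to themselves.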
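Review bot: in fwupd.if, the fwupd_run summary "Execute fwupd in the user role the kmod domain, and use the caller's terminal" is copy-paste residue: the interface transitions $1 to fwupdmgr_t (not to fwupd_t and not to any kmod domain), grants no terminal access itself, and the sigchld backchannel it mentions is the one domtrans_pattern already provides. Rewrite it along the lines of "Execute fwupdmgr in the fwupdmgr domain and allow the specified role the fwupdmgr domain." The module description on the first line also misspells "firmwate".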
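Review bot: in fwupd.te, fwupd_runtime_t is declared with files_runtime_file() and granted through `allow fwupd_t fwupd_runtime_t:file manage_file_perms;`, but nothing ever produces a file with that label: fwupd.fc has no runtime path entry and there is no files_runtime_filetrans() for fwupd_t, so either add both or drop the type. The capability line documents sys_admin and linux_immutable but not dac_override; dac_read_search is normally enough for reading root-owned files, so dac_override needs its own justification or should go. `allow fwupd_t self:udp_socket { create connect getattr };` with no read/write and no corenet rule looks like half of a DNS lookup; if that is what it is, sysnet_dns_name_resolve(fwupd_t), as already used for fwupdmgr_t, is the idiomatic rule. dev_rx_raw_memory(), storage_raw_write_fixed_disk() and corenet_tcp_connect_generic_port() are the broadest grants in the module and carry no comment naming the plugin that needs them; if the daemon only fetches metadata over HTTPS, corenet_tcp_connect_http_port() as in fwupdmgr_t is the narrower choice. Style: the second "Local policy" header should read "fwupdmgr local policy", "firmwate" should be "firmware", and auth_use_pam_motd_dynamic() sits between the fwupd_cache_t and fwupd_runtime_t rules where a short comment would explain why a firmware daemon writes dynamic motd files.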
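Review bot: in userdomain.if, the summary of userdom_mmap_manage_user_runtime_files reads "Manage user runtime files." but the body grants `user_runtime_t:file mmap_manage_file_perms` and `user_runtime_t:dir rw_dir_perms`; say "Create, read, write, map and delete user runtime files." so the map permission, which is the whole reason for a separate interface, is visible in the generated documentation.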
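Review bot: in testing/sechecker.ini, the fwupd_t exemption is added under the raw memory access check (the context line reads "Conditional access (allow_raw_memory_acces"), but its comment justifies it with "needs raw access to storage for storage firmware updates", which describes the storage_raw_read/write_fixed_disk grants rather than dev_rx_raw_memory(); the comment should say what fwupd_t needs from raw memory so the exemption can be reviewed against the rule it exempts.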