From ad74dd898f30208eecd0cdee85bcd2c24545b870 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 11 Oct 2024 14:15:27 +0200
Subject: [PATCH] Confine the pcm service
---
 dist/targeted/modules.conf | 10 +++++++++-
 policy/modules/contrib/pcm.fc | 1 +
 policy/modules/contrib/pcm.if | 1 +
 policy/modules/contrib/pcm.te | 18 ++++++++++++++++++
 4 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 policy/modules/contrib/pcm.fc
 create mode 100644 policy/modules/contrib/pcm.if
 create mode 100644 policy/modules/contrib/pcm.te
diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf
index ed23d90f19..186bfd3c25 100644
--- a/dist/targeted/modules.conf
+++ b/dist/targeted/modules.conf
@@ -3022,9 +3022,17 @@ systemd-homed = module # iiosensorproxy = module -# Layer: system +# Layer: contrib # Module: powerprofiles # # Policy for power-profiles-daemon - power profiles handling over D-Bus # powerprofiles = module + +# Layer: contrib +# Module: pcm +# +# Policy for pcm - Intel(r) Performance Counter Monitor +# +# +pcm = module
diff --git a/policy/modules/contrib/pcm.fc b/policy/modules/contrib/pcm.fc
new file mode 100644
index 0000000000..3afdb1f352
--- /dev/null
+++ b/policy/modules/contrib/pcm.fc
@@ -0,0 +1 @@
+/usr/sbin/pcm-sensor-server -- gen_context(system_u:object_r:pcmsensor_exec_t,s0)
diff --git a/policy/modules/contrib/pcm.if b/policy/modules/contrib/pcm.if
new file mode 100644
index 0000000000..2e53978d38
--- /dev/null
+++ b/policy/modules/contrib/pcm.if
@@ -0,0 +1 @@
+## Intel Performance Counter Monitor (PCM) Sensor Service
diff --git a/policy/modules/contrib/pcm.te b/policy/modules/contrib/pcm.te
new file mode 100644
index 0000000000..c9dd96e55b
--- /dev/null
+++ b/policy/modules/contrib/pcm.te
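Review bot: The new `# Module: pcm` header and `pcm = module` entry name the module `pcm`, while the pcm.te hunk declares `policy_module(pcmsensor, 1.0)`; if the build selects modules by the .te file name, as the existing entries suggest, the resulting package would be built as pcm but install under the module name pcmsensor, leaving this config entry, the file name and the declaration out of step. Pick one name and use it for all three, either by renaming the files and this entry to `pcmsensor` or by changing the declaration to `policy_module(pcm, 1.0)`. The entry also carries two consecutive `#` lines before `pcm = module`, where the neighbouring powerprofiles entry closes its description with a single `#`; drop one for consistency.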
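Review bot: The single header line `## Intel Performance Counter Monitor (PCM) Sensor Service` lacks the `<summary>` element that refpolicy interface files conventionally open with and that the policy documentation tooling parses, so the module is likely to be skipped or flagged when interface docs are generated. Change it to `## <summary>Intel Performance Counter Monitor (PCM) Sensor Service</summary>`. Since the file defines no interfaces, no other domain can transition to or otherwise interact with pcmsensor_t yet; that is acceptable for an initial confinement but is worth stating in the commit description.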
@@ -0,0 +1,18 @@
+policy_module(pcmsensor, 1.0)
+
+########################################
+
+# Declarations
+#
+
+type pcmsensor_t;
+type pcmsensor_exec_t;
+init_daemon_domain(pcmsensor_t, pcmsensor_exec_t)
+#init_nnp_daemon_domain(pcmsensor_t)
+
+#type pcmsensor_var_lib_t;
+#files_type(pcmsensor_var_lib_t);
+
+permissive pcmsensor_t;
+
+
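Review bot: `permissive pcmsensor_t;` together with the absence of any allow rules means this module does not yet confine pcm-sensor-server: init_daemon_domain moves the service into pcmsensor_t, but with the domain permissive every access is only audited and never denied, so the subject line "Confine the pcm service" overstates what ships here. Add a comment above the statement recording that it is a bootstrap aid to be removed once the domain's rules have been collected, e.g. `# Temporary: domain stays permissive until its access rules are complete`, and track the removal of the permissive statement explicitly. The commented-out `#init_nnp_daemon_domain(pcmsensor_t)`, `#type pcmsensor_var_lib_t;` and `#files_type(pcmsensor_var_lib_t);` lines should either be enabled or dropped rather than shipped as dead code; note that `files_type(...)` is an m4 macro and the trailing `;` would likely be rejected by the policy compiler if that line is ever uncommented as written.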