From a2c6c8bd58ed34c88ef137e4b3cae42fb2b3f1ce Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 14 Jan 2025 19:52:50 +0100
Subject: [PATCH] Confine the switcheroo-control service

Resolves: RHEL-24268
---
 policy/modules/contrib/switcheroo.fc | 1 +
 policy/modules/contrib/switcheroo.if | 1 +
 policy/modules/contrib/switcheroo.te | 14 ++++++++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 policy/modules/contrib/switcheroo.fc
 create mode 100644 policy/modules/contrib/switcheroo.if
 create mode 100644 policy/modules/contrib/switcheroo.te

diff --git a/policy/modules/contrib/switcheroo.fc b/policy/modules/contrib/switcheroo.fc
new file mode 100644
index 0000000000..1ea7bc9bf1
--- /dev/null
+++ b/policy/modules/contrib/switcheroo.fc
@@ -0,0 +1 @@
+/usr/libexec/switcheroo-control -- gen_context(system_u:object_r:switcheroo_control_exec_t,s0)
diff --git a/policy/modules/contrib/switcheroo.if b/policy/modules/contrib/switcheroo.if
new file mode 100644
index 0000000000..ea81b23297
--- /dev/null
+++ b/policy/modules/contrib/switcheroo.if
@@ -0,0 +1 @@
+## switcheroo: D-Bus service to check dual GPU availability
diff --git a/policy/modules/contrib/switcheroo.te b/policy/modules/contrib/switcheroo.te
new file mode 100644
index 0000000000..68f6c97f2f
--- /dev/null
+++ b/policy/modules/contrib/switcheroo.te
@@ -0,0 +1,14 @@
+policy_module(switcheroo, 1.0)
+
+#################################
+#
+# Declarations
+#
+
+type switcheroo_control_t;
+type switcheroo_control_exec_t;
+init_daemon_domain(switcheroo_control_t, switcheroo_control_exec_t)
+permissive switcheroo_control_t;
+
+#type samba_bgqd_var_run_t;
+#files_pid_file(samba_bgqd_var_run_t)
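Review bot: `permissive switcheroo_control_t;` in switcheroo.te leaves the new domain unenforced: denials are audited but nothing is blocked, so the service gets its own label without yet being confined as the subject line says. If this is a deliberate staging step, record it next to the line so it is not forgotten, e.g. `# permissive while AVCs are collected; remove before enforcing (RHEL-24268)`. The two trailing commented lines, `#type samba_bgqd_var_run_t;` and `#files_pid_file(samba_bgqd_var_run_t)`, look like leftovers from another module's template and should be dropped. The module has no local policy section yet, so once the permissive line is removed the domain will have only what `init_daemon_domain` grants, and the rules the service actually needs should be added and reviewed before that switch.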