diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index dc33217..673e294 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
can_portmap() to sysnetwork.
- Fix base module compile issues.
- Added policies:
+ cpucontrol
ktalk
portmap
postgresql
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 4953fae..f420bf8 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -883,6 +883,24 @@ interface(`dev_dontaudit_rw_cardmgr',`
########################################
##
+## Get the attributes of the CPU
+## microcode and id interfaces.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_getattr_cpu',`
+ gen_require(`
+ type device_t, cpu_device_t;
+ ')
+
+ allow $1 device_t:dir search;
+ allow $1 cpu_device_t:chr_file getattr;
+')
+
+########################################
+##
## Read the CPU identity.
##
##
diff --git a/refpolicy/policy/modules/services/cpucontrol.fc b/refpolicy/policy/modules/services/cpucontrol.fc
new file mode 100644
index 0000000..7b726ba
--- /dev/null
+++ b/refpolicy/policy/modules/services/cpucontrol.fc
@@ -0,0 +1,7 @@
+
+/etc/firmware/.* -- context_template(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl -- context_template(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpuspeed -- context_template(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd -- context_template(system_u:object_r:cpuspeed_exec_t,s0)
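Review bot: The `/etc/firmware/.*` entry uses the `--` specifier, so only regular files under that directory receive `cpucontrol_conf_t`; the directory itself and any symlinks in it keep whatever label they would otherwise get. cpucontrol.te in this same commit allows `cpucontrol_conf_t:dir r_dir_perms` and `cpucontrol_conf_t:lnk_file { getattr read }`, and with this file-context spec those rules have nothing to match. Because these files are the microcode data that the loader hands to the CPU, labelling the whole tree gives a cleaner integrity boundary and makes the dir and lnk_file rules meaningful: `/etc/firmware(/.*)? context_template(system_u:object_r:cpucontrol_conf_t,s0)`.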
diff --git a/refpolicy/policy/modules/services/cpucontrol.if b/refpolicy/policy/modules/services/cpucontrol.if
new file mode 100644
index 0000000..e07e04f
--- /dev/null
+++ b/refpolicy/policy/modules/services/cpucontrol.if
@@ -0,0 +1,15 @@
+## Services for loading CPU microcode and CPU frequency scaling.
+
+########################################
+##
+## CPUcontrol stub interface. No access allowed.
+##
+##
+## N/A
+##
+#
+interface(`cpucontrol_stub',`
+ gen_require(`
+ type cpucontrol_t;
+ ')
+')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
new file mode 100644
index 0000000..ddb5869
--- /dev/null
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -0,0 +1,132 @@
+
+policy_module(cpucontrol,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability sys_rawio;
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
+allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
+allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctl(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_wide_inherit_fd(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fd(cpucontrol_t)
+init_use_script_pty(cpucontrol_t)
+
+libs_use_ld_so(cpucontrol_t)
+libs_use_shared_libs(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(cpucontrol_t)
+ term_dontaudit_use_generic_pty(cpucontrol_t)
+ files_dontaudit_read_root_file(cpucontrol_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(cpucontrol_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(cpucontrol_t)
+')
+') dnl end TODO
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctl(cpuspeed_t)
+
+dev_rw_sysfs(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+domain_use_wide_inherit_fd(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+init_use_fd(cpuspeed_t)
+init_use_script_pty(cpuspeed_t)
+
+libs_use_ld_so(cpuspeed_t)
+libs_use_shared_libs(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(cpuspeed_t)
+ term_dontaudit_use_generic_pty(cpuspeed_t)
+ files_dontaudit_read_root_file(cpuspeed_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(cpuspeed_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(cpuspeed_t)
+')
+') dnl end TODO
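Review bot: In the microcode loader section, cpucontrol_t is allowed to read `cpucontrol_conf_t`, but no visible rule lets it search `/etc` to reach `/etc/firmware`. cpuspeed_t gets `files_read_etc_files`, while cpucontrol_t only gets `files_list_usr`. Unless one of the macros called here grants that search permission, the loader is likely to be denied before it reaches the firmware files, and a `files_search_etc(cpucontrol_t)` line next to `files_list_usr(cpucontrol_t)` would cover it. Separately, `allow cpucontrol_t self:capability sys_rawio;` and `dev_rw_sysfs(cpuspeed_t)` are the two broadest grants in the file and each deserves a why-comment so a later audit can tell they are deliberate. If the reasons are as they appear, these would be `# sys_rawio: required to write the CPU microcode device` and `# write access is for the cpufreq tunables; sysfs has no narrower type to target`.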
diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if
index 8527e7e..a77fef5 100644
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@@ -9,7 +9,7 @@
##
#
interface(`ntp_stub',`
- gen_require(`ntp.te',`
+ gen_require(`
type ntpd_t;
')
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index edf52af..2a3682d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -414,6 +414,11 @@ optional_policy(`bind.te',`
')
+optional_policy(`cpucontrol.te',`
+ cpucontrol_stub()
+ dev_getattr_cpu(initrc_t)
+')
+
optional_policy(`gpm.te',`
gpm_setattr_gpmctl(initrc_t)
')