Label soft_offline_page with memory_offline_page_t

policy/modules/contrib/rasdaemon.te

@@ -34,6 +34,7 @@ dev_read_raw_memory(rasdaemon_t)
 dev_rw_sysfs(rasdaemon_t)
 dev_read_urand(rasdaemon_t)
 dev_rw_cpu_microcode(rasdaemon_t)
+dev_write_memory_offline_page(rasdaemon_t)
 
 corecmd_exec_bin(rasdaemon_t)
 

policy/modules/kernel/devices.if

@@ -5180,6 +5180,29 @@ interface(`dev_relabel_cpu_online',`
 	allow $1 cpu_online_t:file relabel_file_perms;
 ')
 
+########################################
+## <summary>
+##	Write memory offline page.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain write to /sys/devices/system/memory/soft_offline_page
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_memory_offline_page',`
+	gen_require(`
+		type memory_offline_page_t;
+	')
+
+	dev_search_sysfs($1)
+	allow $1 memory_offline_page_t:file read_file_perms;
+')
 
 ########################################
 ## <summary>

policy/modules/kernel/devices.te

@@ -9,6 +9,7 @@ attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
+attribute sysfs_type;
 
 #
 # device_t is the type of /dev.
@@ -383,10 +384,15 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
-type cpu_online_t;
+type cpu_online_t, sysfs_type;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
 
+type memory_offline_page_t, sysfs_type;
+files_type(memory_offline_page_t)
+#dev_associate_sysfs(memory_offline_page_t)
+genfscon sysfs /devices/system/memory/soft_offline_page	gen_context(system_u:object_r:memory_offline_page_t,s0)
+
 #
 # Type for /dev/tmc_etb[0-9]+ /dev/tmc_etf[0-9]+ /dev/tmc_etr[0-9]+
 #