From: Openkylin Developers <packaging@lists.openkylin.top>
Date: Tue, 16 Jun 2026 15:28:28 +0800
Subject: feedbackd

===================================================================
---
 policy/modules/apps/feedbackd.fc   |  2 ++
 policy/modules/apps/feedbackd.if   | 66 ++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/feedbackd.te   | 12 +++++++
 policy/modules/roles/staff.te      |  4 +++
 policy/modules/roles/sysadm.te     |  4 +++
 policy/modules/roles/unprivuser.te |  4 +++
 6 files changed, 92 insertions(+)
 create mode 100644 policy/modules/apps/feedbackd.fc
 create mode 100644 policy/modules/apps/feedbackd.if
 create mode 100644 policy/modules/apps/feedbackd.te

diff --git a/policy/modules/apps/feedbackd.fc b/policy/modules/apps/feedbackd.fc
new file mode 100644
index 0000000..4e1187d
--- /dev/null
+++ b/policy/modules/apps/feedbackd.fc
@@ -0,0 +1,2 @@
+/usr/libexec/feedbackd		--	gen_context(system_u:object_r:feedbackd_exec_t,s0)
+/usr/libexec/fbd-ledctrl	--	gen_context(system_u:object_r:feedbackd_exec_t,s0)
diff --git a/policy/modules/apps/feedbackd.if b/policy/modules/apps/feedbackd.if
new file mode 100644
index 0000000..c15b585
--- /dev/null
+++ b/policy/modules/apps/feedbackd.if
@@ -0,0 +1,66 @@
+## <summary>Run feedbackd from systemd</summary>
+
+########################################
+## <summary>
+##	Role access for feedbackd.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+template(`feedbackd_role',`
+	gen_require(`
+		attribute_role feedbackd_roles;
+		type feedbackd_exec_t;
+	')
+
+	type $1_feedbackd_t;
+
+
+	roleattribute $3 feedbackd_roles;
+	role $3 types { $1_feedbackd_t };
+
+	allow $1_feedbackd_t self:netlink_kobject_uevent_socket { create getattr setopt bind };
+	allow $1_feedbackd_t self:process signal;
+	allow $1_feedbackd_t self:unix_dgram_socket { create write };
+
+	kernel_read_system_state($1_feedbackd_t)
+
+	dev_read_sysfs($1_feedbackd_t)
+
+	files_search_home($1_feedbackd_t)
+	files_search_var_lib($1_feedbackd_t)
+	files_read_usr_files($1_feedbackd_t)
+	files_map_usr_files($1_feedbackd_t)
+
+	files_read_etc_symlinks($1_feedbackd_t)
+
+	miscfiles_read_localization($1_feedbackd_t)
+
+	application_domain($1_feedbackd_t, feedbackd_exec_t)
+	domtrans_pattern($2, feedbackd_exec_t, $1_feedbackd_t)
+
+	application_domain($1_feedbackd_t, feedbackd_exec_t)
+
+	dev_rw_input_dev($1_feedbackd_t)
+
+	systemd_user_app_status($1, $1_feedbackd_t)
+	systemd_user_daemon_domain($1, feedbackd_exec_t, $1_feedbackd_t)
+	optional_policy(`
+		udev_search_runtime($1_feedbackd_t)
+	')
+')
+
diff --git a/policy/modules/apps/feedbackd.te b/policy/modules/apps/feedbackd.te
new file mode 100644
index 0000000..3ce103e
--- /dev/null
+++ b/policy/modules/apps/feedbackd.te
@@ -0,0 +1,12 @@
+policy_module(feedbackd)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role feedbackd_roles;
+
+type feedbackd_exec_t;
+application_executable_file(feedbackd_exec_t)
+
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index af069f0..6b06b4d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -110,6 +110,10 @@ ifndef(`distro_redhat',`
 		evolution_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
 
+	optional_policy(`
+		feedbackd_role(staff, staff_t, staff_r)
+	')
+
 	optional_policy(`
 		games_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 59e9bab..37be716 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1308,6 +1308,10 @@ ifndef(`distro_redhat',`
 		evolution_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 	')
 
+	optional_policy(`
+		feedbackd_role(sysadm, sysadm_t, sysadm_r)
+	')
+
 	optional_policy(`
 		games_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 	')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 635b4e8..97ad261 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
 		evolution_role(user, user_t, user_application_exec_domain, user_r)
 	')
 
+	optional_policy(`
+		feedbackd_role(user, user_t, user_r)
+	')
+
 	optional_policy(`
 		games_role(user, user_t, user_application_exec_domain, user_r)
 	')
