From: Openkylin Developers <packaging@lists.openkylin.top>
Date: Tue, 16 Jun 2026 15:28:27 +0800
Subject: thunderbolt

===================================================================
---
 policy/modules/services/thunderbolt.fc | 2 +-
 policy/modules/services/thunderbolt.te | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/thunderbolt.fc b/policy/modules/services/thunderbolt.fc
index 1c50de1..7d473c1 100644
--- a/policy/modules/services/thunderbolt.fc
+++ b/policy/modules/services/thunderbolt.fc
@@ -1,3 +1,3 @@
 /usr/libexec/boltd	--	gen_context(system_u:object_r:thunderboltd_exec_t,s0)
 /var/lib/boltd(/.*)?		gen_context(system_u:object_r:thunderboltd_var_lib_t,s0)
-
+/run/boltd(/.*)?		gen_context(system_u:object_r:thunderboltd_runtime_t,s0)
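Review bot: The new `/run/boltd(/.*)?` entry is only applied when something relabels the path or creates it label-aware, and /run is normally recreated at every boot, so the directory needs either a type transition or a label-aware creator to end up as `thunderboltd_runtime_t`. No `files_runtime_filetrans(thunderboltd_t, thunderboltd_runtime_t, dir)` is visible in this patch, so it is worth confirming that the .te file already has one or that the directory is created by systemd on the daemon's behalf. The only rule on this type visible here is `thunderboltd_runtime_t:dir manage_dir_perms` in a .te hunk header; if boltd also writes files under /run/boltd, a matching file rule is needed, otherwise the files will be denied or mislabelled.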
diff --git a/policy/modules/services/thunderbolt.te b/policy/modules/services/thunderbolt.te
index c65aed3..b54dad1 100644
--- a/policy/modules/services/thunderbolt.te
+++ b/policy/modules/services/thunderbolt.te
@@ -22,6 +22,7 @@ files_runtime_file(thunderboltd_runtime_t)
 # Local policy
 #
 
+dontaudit thunderboltd_t self:capability net_admin;
 allow thunderboltd_t self:unix_dgram_socket { create write };
 allow thunderboltd_t self:netlink_kobject_uevent_socket { create getattr read bind getopt setopt };
 
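Review bot: The added `dontaudit thunderboltd_t self:capability net_admin;` carries no comment naming the operation that triggers the check, and because dontaudit removes the denial from the audit log, a later reader cannot tell whether it is harmless noise or a masked failure. The `setopt` permission on the uevent netlink socket two lines below suggests a forced receive-buffer setsockopt, but that is an inference; once confirmed, a comment such as `# boltd tries SO_RCVBUFFORCE on its uevent socket and works without it` would record it. The same gap applies to the last hunk, where `udev_search_runtime` is replaced by the wider `udev_read_runtime_files` with no stated reason; something like `# libudev reads the device database under /run/udev` would cover it if that is the cause.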
@@ -34,6 +35,8 @@ allow thunderboltd_t thunderboltd_runtime_t:dir manage_dir_perms;
 kernel_read_system_state(thunderboltd_t)
 
 dev_read_sysfs(thunderboltd_t)
+# for force_power
+dev_write_sysfs(thunderboltd_t)
 
 files_read_etc_files(thunderboltd_t)
 
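Review bot: `dev_write_sysfs(thunderboltd_t)` grants write on every file labelled sysfs_t, which is much wider than the single force_power attribute the comment names. If the policy has no narrower type for that attribute this may be the only practical option, but the comment should say so, e.g. `# force_power is labelled sysfs_t (no per-device type), so this allows write to all sysfs_t files`. Together with the existing `dev_read_sysfs` line, this could probably be written as a single `dev_rw_sysfs(thunderboltd_t)`.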
@@ -41,7 +44,7 @@ logging_send_syslog_msg(thunderboltd_t)
 
 miscfiles_read_localization(thunderboltd_t)
 
-udev_search_runtime(thunderboltd_t)
+udev_read_runtime_files(thunderboltd_t)
 
 ifdef(`init_systemd',`
 	init_stream_connect(thunderboltd_t)
