diff -ur refpolicy/policy/modules/kernel/devices.fc refpolicy_new/policy/modules/kernel/devices.fc
--- refpolicy/policy/modules/kernel/devices.fc 2014-09-13 14:37:22.422112944 +0200
+++ refpolicy_new/policy/modules/kernel/devices.fc 2014-09-13 14:38:52.382278389 +0200
@@ -118,6 +118,9 @@
 ifdef(`distro_suse', `
 /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
 ')
+/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
diff -ur refpolicy/policy/modules/kernel/devices.if refpolicy_new/policy/modules/kernel/devices.if
--- refpolicy/policy/modules/kernel/devices.if 2014-09-13 14:37:22.422112944 +0200
+++ refpolicy_new/policy/modules/kernel/devices.if 2014-09-13 14:41:25.572464521 +0200
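Review bot: `/dev/sclp[0-9]*` and `/dev/vmcp[0-9]*` receive the same `vfio_device_t` label as the `/dev/vfio/*` nodes, so every `dev_*_vfio_dev` interface added in devices.if also grants access to them. If these are the s390 SCLP console and z/VM CP command-interface nodes, as the names suggest, a VM-management domain that only needs VFIO would also be able to issue CP commands to the hypervisor; a dedicated type (e.g. `vmcp_device_t`) with its own interfaces keeps those privileges separable. If the shared label is deliberate, record it next to the entries, e.g. `# s390 SCLP/vmcp nodes intentionally share vfio_device_t`. The SCLP line-mode console on current kernels appears to be named `/dev/sclp_line0`, which `/dev/sclp[0-9]*` would not match — confirm the intended node names against the target kernel.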
@@ -4593,6 +4593,170 @@ ######################################## ## +## Get the attributes of vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + getattr_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Do not audit attempts to get the attributes +## of vfio device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_vfio_dev',` + gen_require(` + type vfio_device_t; + ') + + dontaudit $1 vfio_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of vfio device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + setattr_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Do not audit attempts to set the attributes +## of vfio device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` + type vfio_device_t; + ') + + dontaudit $1 vfio_device_t:chr_file setattr; +') + +######################################## +## +## Read the vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + read_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Write the vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + write_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Read and write the VFIO devices. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`dev_rw_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + rw_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Minimal read and write the VFIO devices for devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_vfio_dev_min',` + gen_require(` + type device_t, vfio_device_t; + ') + + allow $1 vfio_device_t:chr_file { read write open ioctl }; +') + +######################################## +## +## Allow dev file transition to new user and type +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_trans_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + allow $1 vfio_device_t:chr_file { relabelfrom setattr }; +') + +############################ +## ## Allow read/write the vhost net device ## ## Nur in refpolicy_new/policy/modules/kernel: devices.if.orig. diff -ur refpolicy/policy/modules/kernel/devices.te refpolicy_new/policy/modules/kernel/devices.te --- refpolicy/policy/modules/kernel/devices.te 2014-09-13 14:37:22.422112944 +0200 +++ refpolicy_new/policy/modules/kernel/devices.te 2014-09-13 14:38:52.382278389 +0200 @@ -273,6 +273,9 @@ type userio_device_t; dev_node(userio_device_t) +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t) Nur in refpolicy_new/policy/modules/kernel: devices.te.orig.
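Review bot: `dev_trans_vfio_dev` does not do what its summary says: `allow $1 vfio_device_t:chr_file { relabelfrom setattr };` grants no `relabelto` and no type transition, so a caller can move nodes away from `vfio_device_t` but never label anything as it, and the `setattr` half duplicates `dev_setattr_vfio_dev`. Either follow the refpolicy naming convention and make it `dev_relabelfrom_vfio_dev` with the summary `Relabel from vfio device nodes.` and body `allow $1 vfio_device_t:chr_file relabelfrom;`, or grant `{ relabelfrom relabelto }` and call it `dev_relabel_vfio_dev`. The `gen_require` blocks of `dev_trans_vfio_dev` and `dev_rw_vfio_dev_min` also require `device_t` without using it. `dev_rw_vfio_dev_min` omits `getattr` and the `device_t:dir search` that `rw_chr_files_pattern` provides, so a caller without an existing search right on /dev fails before reaching the node; its summary `Minimal read and write the VFIO devices for devices.` reads garbled and should state what is deliberately left out and why.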