diff -ur refpolicy/policy/modules/kernel/devices.fc refpolicy_new/policy/modules/kernel/devices.fc
--- refpolicy/policy/modules/kernel/devices.fc 2014-09-13 14:37:22.422112944 +0200
+++ refpolicy_new/policy/modules/kernel/devices.fc 2014-09-13 14:38:52.382278389 +0200
@@ -118,6 +118,9 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
+/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
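Review bot: The /dev/sclp[0-9]* and /dev/vmcp[0-9]* entries at lines 9–10 are given vfio_device_t although, as far as I can tell, those are s390 service-console and z/VM CP command nodes rather than VFIO nodes; sharing one type means every domain granted dev_rw_vfio_dev or dev_rw_vfio_dev_min also gets read/write/ioctl on them. If grouping them under one type is deliberate, a comment above the entries should say so, e.g. `# s390 sclp/vmcp nodes intentionally share vfio_device_t (used by the same passthrough tooling)`; otherwise they deserve their own device type so the two access sets can be granted separately. The `(vfio)?[0-9]*` pattern on line 8 covers both the container node /dev/vfio/vfio and the group nodes /dev/vfio/N, which is presumably intended but worth stating in a comment.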
diff -ur refpolicy/policy/modules/kernel/devices.if refpolicy_new/policy/modules/kernel/devices.if
--- refpolicy/policy/modules/kernel/devices.if 2014-09-13 14:37:22.422112944 +0200
+++ refpolicy_new/policy/modules/kernel/devices.if 2014-09-13 14:41:25.572464521 +0200
@@ -4593,6 +4593,170 @@
########################################
##
+## Get the attributes of vfio devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of vfio device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
+ type vfio_device_t;
+ ')
+
+ dontaudit $1 vfio_device_t:chr_file getattr;
+')
+
+########################################
+##
+## Set the attributes of vfio device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
+## Do not audit attempts to set the attributes
+## of vfio device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
+ type vfio_device_t;
+ ')
+
+ dontaudit $1 vfio_device_t:chr_file setattr;
+')
+
+########################################
+##
+## Read the vfio devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
+## Write the vfio devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_write_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
+## Read and write the VFIO devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
+## Minimal read and write the VFIO devices for devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_vfio_dev_min',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ allow $1 vfio_device_t:chr_file { read write open ioctl };
+')
+
+########################################
+##
+## Allow dev file transition to new user and type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_trans_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ allow $1 vfio_device_t:chr_file { relabelfrom setattr };
+')
+
+############################
+##
## Allow read/write the vhost net device
##
##
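Review bot: `dev_trans_vfio_dev` (lines 174–180) does not set up a type transition; it grants `relabelfrom setattr` on vfio_device_t chr_files, so the name and the summary "Allow dev file transition to new user and type" misdescribe what callers get, and `device_t` in its gen_require is unused (the same unused require appears in dev_rw_vfio_dev_min at line 158). Suggest the summary `## Allow relabeling vfio device nodes away from vfio_device_t (relabelfrom) and setting their attributes.` and dropping device_t from the require, or renaming the interface to dev_relabelfrom_vfio_dev if no caller depends on the name yet. The summary of dev_rw_vfio_dev_min, "Minimal read and write the VFIO devices for devices.", reads garbled; `## Read, write and ioctl vfio device nodes without the /dev search and getattr/append/lock permissions that rw_chr_files_pattern grants.` would describe the difference from dev_rw_vfio_dev. The closing separator at line 182 is shorter than the 40-column separators used for every other interface in the hunk.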
Nur in refpolicy_new/policy/modules/kernel: devices.if.orig.
diff -ur refpolicy/policy/modules/kernel/devices.te refpolicy_new/policy/modules/kernel/devices.te
--- refpolicy/policy/modules/kernel/devices.te 2014-09-13 14:37:22.422112944 +0200
+++ refpolicy_new/policy/modules/kernel/devices.te 2014-09-13 14:38:52.382278389 +0200
@@ -273,6 +273,9 @@
type userio_device_t;
dev_node(userio_device_t)
+type vfio_device_t;
+dev_node(vfio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)