Add sysfs_types attribute.

Collect all types used to label sysfs entries.

policy/modules/kernel/devices.if

@@ -4128,6 +4128,26 @@ interface(`dev_rw_sysfs',`
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 
+########################################
+## <summary>
+##	Relabel from/to all sysfs types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		attribute sysfs_types;
+	')
+
+	allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+	allow $1 sysfs_types:file relabel_file_perms;
+	allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the TPM device.

policy/modules/kernel/devices.te

@@ -9,6 +9,7 @@ attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
+attribute sysfs_types;
 
 #
 # device_t is the type of /dev.
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
 #
 # /sys/devices/system/cpu/online device
 #
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
 
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
 #
 # sysfs_t is the type for the /sys pseudofs
 #
-type sysfs_t;
+type sysfs_t, sysfs_types;
 files_mountpoint(sysfs_t)
 fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

policy/modules/system/init.te

@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
 	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_sysfs(init_t)
 	dev_read_urand(init_t)
 	dev_write_kmsg(init_t)