This works instead of allow exec on user_tmpfs_t!

node=localhost type=AVC msg=audit(1702069242.629:385266): avc:  denied  { execute } for  pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>

policy/modules/services/cockpit.if

@@ -10,6 +10,48 @@
 ## to alter system settings the must be allowed sudo access.
 ## </desc>
 
+#######################################
+## <summary>
+##	The role template for the cockpit module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to change the linux user id, to run commands as a different
+##	user.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+template(`cockpit_role_template',`
+
+	type $1_cockpit_tmpfs_t;
+	files_runtime_file($1_cockpit_tmpfs_t)
+	dev_filetrans($2, $1_cockpit_tmpfs_t, file)
+
+	allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };
+')
+
 ########################################
 ## <summary>
 ##	Transition to the cockpit session domain.

policy/modules/system/userdomain.if

@@ -766,6 +766,10 @@ template(`userdom_common_user_template',`
 		canna_stream_connect($1_t)
 	')
 
+	optional_policy(`
+		cockpit_role_template($1, $1_t, $1_r)
+	')
+
 	optional_policy(`
 		dbus_role_template($1, $1_r, $1_t)
 		dbus_system_bus_client($1_t)