Index: refpolicy-2.20221101/policy/modules/system/fwupd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20221101/policy/modules/system/fwupd.fc
@@ -0,0 +1,5 @@
+/usr/bin/fwupdmgr	--	gen_context(system_u:object_r:fwupd_exec_t,s0)
+/usr/libexec/fwupd/fwupd --	gen_context(system_u:object_r:fwupd_exec_t,s0)
+/var/lib/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_var_lib_t,s0)
+/var/cache/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_cache_t,s0)
+/etc/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_conf_t,s0)
Index: refpolicy-2.20221101/policy/modules/system/fwupd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20221101/policy/modules/system/fwupd.if
@@ -0,0 +1,29 @@
+## <summary>Policy for firmwate update daemon and utility.</summary>
+
+########################################
+## <summary>
+##      Execute fwupd in the user role
+##      the kmod domain, and use the caller's terminal.
+##      Has a sigchld backchannel.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fwupd_run',`
+	gen_require(`
+		attribute_role fwupd_roles;
+		type fwupd_exec_t, fwupd_t;
+	')
+
+	domtrans_pattern($1, fwupd_exec_t, fwupd_t)
+	roleattribute $2 fwupd_roles;
+')
Index: refpolicy-2.20221101/policy/modules/system/fwupd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20221101/policy/modules/system/fwupd.te
@@ -0,0 +1,150 @@
+policy_module(fwupd)
+
+
+attribute_role fwupd_roles;
+type fwupd_t;
+type fwupd_exec_t;
+init_daemon_domain(fwupd_t, fwupd_exec_t)
+role fwupd_roles types fwupd_t;
+
+type fwupd_var_lib_t;
+files_type(fwupd_var_lib_t)
+
+type fwupd_cache_t;
+files_type(fwupd_cache_t)
+
+type fwupd_conf_t;
+files_type(fwupd_conf_t)
+
+type fwupd_tmpfs_t;
+files_tmpfs_file(fwupd_tmpfs_t)
+
+type fwupd_runtime_t;
+files_runtime_file(fwupd_runtime_t)
+
+# sys_admin is for "FuPluginUefiCapsule  skipping device that failed coldplug: failed to read fw_class"
+allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_rawio sys_admin };
+
+allow fwupd_t self:process { signal getsched setsched };
+allow fwupd_t self:fifo_file { getattr read write };
+allow fwupd_t self:fd use;
+
+allow fwupd_t self:netlink_kobject_uevent_socket { create getattr setopt bind read };
+sysnet_dns_name_resolve(fwupd_t)
+corenet_tcp_connect_generic_port(fwupd_t)
+corenet_tcp_connect_http_port(fwupd_t)
+
+allow fwupd_t fwupd_conf_t:dir { watch list_dir_perms };
+allow fwupd_t fwupd_conf_t:file read_file_perms;
+
+allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_var_lib_t:file { manage_file_perms };
+
+allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_cache_t:file { map manage_file_perms };
+
+auth_write_pam_motd_files(fwupd_t)
+
+fs_tmpfs_filetrans(fwupd_t, fwupd_tmpfs_t, { file })
+allow fwupd_t fwupd_tmpfs_t:file manage_file_perms;
+
+allow fwupd_t fwupd_runtime_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(fwupd_t)
+# for /proc/filesystems etc
+kernel_read_system_state(fwupd_t)
+
+dev_getattr_sysfs(fwupd_t)
+dev_read_urand(fwupd_t)
+dev_read_sysfs(fwupd_t)
+dev_rw_cpu_microcode(fwupd_t)
+dev_rw_tpm(fwupd_t)
+dev_rw_xserver_misc(fwupd_t)
+dev_rx_raw_memory(fwupd_t)
+
+corecmd_exec_bin(fwupd_t)
+corecmd_list_bin(fwupd_t)
+corecmd_watch_bin_dirs(fwupd_t)
+
+dbus_system_bus_client(fwupd_t)
+dbus_connect_system_bus(fwupd_t)
+
+files_map_usr_files(fwupd_t)
+files_read_etc_files(fwupd_t)
+files_read_etc_symlinks(fwupd_t)
+files_read_usr_files(fwupd_t)
+files_search_var_lib(fwupd_t)
+files_search_boot(fwupd_t)
+files_watch_etc_dirs(fwupd_t)
+files_watch_usr_dirs(fwupd_t)
+
+fs_manage_efivarfs_files(fwupd_t)
+fs_getattr_dos_fs(fwupd_t)
+fs_getattr_efivarfs(fwupd_t)
+
+fs_manage_dos_dirs(fwupd_t)
+fs_manage_dos_files(fwupd_t)
+fs_mmap_read_dos_files(fwupd_t)
+
+init_get_generic_units_status(fwupd_t)
+init_get_system_status(fwupd_t)
+
+# for cgroup file of init_t process
+init_read_state(fwupd_t)
+
+miscfiles_read_generic_certs(fwupd_t)
+miscfiles_read_localization(fwupd_t)
+
+mount_read_runtime_files(fwupd_t)
+
+selinux_get_enforce_mode(fwupd_t)
+selinux_get_fs_mount(fwupd_t)
+seutil_search_default_contexts(fwupd_t)
+
+storage_raw_read_fixed_disk(fwupd_t)
+
+sysnet_read_config(fwupd_t)
+
+udev_read_runtime_files(fwupd_t)
+userdom_use_user_ptys(fwupd_t)
+# for dconf
+userdom_map_user_tmp_files(fwupd_t)
+userdom_rw_user_tmp_files(fwupd_t)
+userdom_search_user_runtime_root(fwupd_t)
+userdom_search_user_runtime(fwupd_t)
+
+optional_policy(`
+	bluetooth_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+	devicekit_dbus_chat_disk(fwupd_t)
+	devicekit_dbus_chat_power(fwupd_t)
+')
+
+optional_policy(`
+	gpg_exec(fwupd_t)
+')
+
+optional_policy(`
+	init_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+	networkmanager_read_runtime_files(fwupd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(fwupd_t)
+	systemd_use_logind_fds(fwupd_t)
+	systemd_write_inherited_logind_inhibit_pipes(fwupd_t)
+')
+
+optional_policy(`
+	unconfined_dbus_send(fwupd_t)
+')
+
Index: refpolicy-2.20221101/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20221101/policy/modules/roles/sysadm.te
@@ -442,6 +442,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fwupd_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	gatekeeper_admin(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20221101/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20221101/policy/modules/system/unconfined.te
@@ -107,6 +107,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fwupd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
