Confine the pcm service

Intel(r) Performance Counter Monitor [1] is an application programming
interface (API) and a set of tools based on the API to monitor
performance and energy metrics of Intel(r) Core(tm), Xeon(r), Atom(tm)
and Xeon Phi(tm) processors. PCM works on Linux, Windows, Mac OS X,
FreeBSD and DragonFlyBSD operating systems.

pcm-sensor-server is a service providing performance counter data
over http in JSON or Prometheus.

[1] https://github.com/intel/pcm

dist/targeted/modules.conf

@@ -3022,9 +3022,17 @@ systemd-homed = module
 #
 iiosensorproxy = module
 
-# Layer: system
+# Layer: contrib
 # Module: powerprofiles
 #
 # Policy for power-profiles-daemon - power profiles handling over D-Bus
 #
 powerprofiles = module
+
+# Layer: contrib
+# Module: pcm
+#
+# Policy for pcm - Intel(r) Performance Counter Monitor
+#
+#
+pcm = module

policy/modules/contrib/pcm.fc

@@ -0,0 +1 @@
+/usr/sbin/pcm-sensor-server	--	gen_context(system_u:object_r:pcmsensor_exec_t,s0)

policy/modules/contrib/pcm.if

@@ -0,0 +1 @@
+## <summary>Intel Performance Counter Monitor (PCM) Sensor Service</summary>

policy/modules/contrib/pcm.te

@@ -0,0 +1,23 @@
+policy_module(pcm, 1.0)
+#policy_module(pcmsensor, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcmsensor_t;
+type pcmsensor_exec_t;
+init_daemon_domain(pcmsensor_t, pcmsensor_exec_t)
+
+permissive pcmsensor_t;
+
+allow pcmsensor_t self:capability { sys_rawio sys_resource };
+allow pcmsensor_t self:process { ptrace setrlimit };
+
+kernel_read_proc_files(pcmsensor_t)
+kernel_read_debugfs(pcmsensor_t)
+
+dev_rw_cpu_microcode(pcmsensor_t)
+# /sys/module/msr/parameters/allow_writes
+dev_rw_sysfs(pcmsensor_t)