AVC for powertop

William william at firstyear.id.au
Tue May 13 05:07:26 UTC 2014


Hi,

Running powertop as a confined staff_t/sysadm_t user on F20, I see the
following denial in permissive mode:

time->Tue May 13 14:34:12 2014
type=SYSCALL msg=audit(1399957452.980:475): arch=c000003e syscall=2
success=yes exit=4 a0=7fffe9c70350 a1=0 a2=7fffe9c7035e a3=0 items=0
ppid=4025 pid=4148 auid=1343600009 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="powertop"
exe="/usr/sbin/powertop" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1399957452.980:475): avc:  denied  { open } for
pid=4148 comm="powertop" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107
scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
----
time->Tue May 13 14:34:16 2014
type=SYSCALL msg=audit(1399957456.246:476): arch=c000003e syscall=2
success=yes exit=131 a0=7fffe9c71340 a1=0 a2=7fffe9c7134e a3=0 items=0
ppid=4025 pid=4148 auid=1343600009 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="powertop"
exe="/usr/sbin/powertop" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1399957456.246:476): avc:  denied  { open } for
pid=4148 comm="powertop" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107
scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file

This works in unconfined_t obviously. What do you advise is the best way
forwards? To allow the read from staff_t/sysadm_t to cpu_device_t, or to
make a minimal policy around powertop (similar in the past to the iotop
policy you helped me create). 

Sincerely,
-- 
William <william at firstyear.id.au>
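Whichever of the two options is chosen, the starting point is the allow rule the denial actually implies, which is what audit2allow derives from records like the ones above. The following Python is an added example (not part of the post, and not audit2allow itself): it parses the two AVC records from the mail, re-joined onto one line each as they appear in a raw audit.log, groups them by source type, target type and object class, and emits the minimal allow rule plus a policy-module skeleton. The domain name `local_powertop` in the generated module header is an assumed placeholder.

```python
import re

# Constructed sample: the two AVC records from the post, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399957452.980:475): avc:  denied  { open } for pid=4148 comm="powertop" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399957456.246:476): avc:  denied  { open } for pid=4148 comm="powertop" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
"""

# "avc:  denied  { perm perm ... } for key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm, path, dev).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permissions and the type part of scontext/tcontext, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:range]; the type is element 2.
    return {
        'perms': m.group('perms').split(),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }


def collect_rules(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other record types carry no AVC data
        key = (rec['source'], rec['target'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules


def format_allow(rules):
    """One 'allow' statement per (source, target, class) triple."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def format_module(rules, name='local_powertop'):
    """A .te skeleton in the shape audit2allow -M produces (name is assumed)."""
    types = sorted({t for (s, tgt, _) in rules for t in (s, tgt)})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"policy_module({name}, 1.0);", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + format_allow(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(format_module(collect_rules(SAMPLE_AUDIT)), end="")
```

Run against the records above this prints a single rule, `allow sysadm_t cpu_device_t:chr_file { open };`, because both denials share the same source type, target type and class; only the `open` permission appears, so that is all the rule grants. Loading this as a module answers the first option in the mail (widen the user domain); the second option would instead put the same rule in a dedicated powertop domain, and the same parser output tells you exactly which access that domain needs.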



More information about the selinux mailing list