diff --git a/meta-digi-arm/conf/machine/include/digi-defaults.inc b/meta-digi-arm/conf/machine/include/digi-defaults.inc
index 0c21fa198..8daf9a1f6 100644
--- a/meta-digi-arm/conf/machine/include/digi-defaults.inc
+++ b/meta-digi-arm/conf/machine/include/digi-defaults.inc
@@ -79,3 +79,6 @@ DEFAULT_IMAGE_NAME ??= "dey-image-qt"
 
 # List of graphical images names (for install scripts)
 GRAPHICAL_IMAGES ?= "dey-image-qt dey-image-webkit"
+
+# Include DEY SELinux policy modifications by default
+DEY_SELINUX_POLICY ?= "1"
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch
new file mode 100644
index 000000000..ae55f3c4f
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch
@@ -0,0 +1,881 @@
+From: Gabriel Valcazar <gabriel.valcazar@digi.com>
+Date: Fri, 20 Aug 2021 11:59:27 +0200
+Subject: [PATCH 1/2] Apply rules for DEY prebuilt images
+
+These rules were obtained by putting the system's SELinux in permissive mode,
+extracting all of the AVC denials, and then running them through audit2allow.
+This allows to use most of the features that are expected to work out of the
+box in DEY.
+
+Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
+---
+ policy/modules/admin/alsa.te              | 10 +++++
+ policy/modules/admin/dmesg.te             |  7 ++++
+ policy/modules/admin/netutils.te          |  7 ++++
+ policy/modules/apps/pulseaudio.if         |  9 +++++
+ policy/modules/apps/pulseaudio.te         | 15 +++++++
+ policy/modules/kernel/corecommands.if     |  8 ++++
+ policy/modules/kernel/devices.if          | 48 +++++++++++++++++++++++
+ policy/modules/roles/sysadm.if            | 24 ++++++++++++
+ policy/modules/roles/sysadm.te            | 47 ++++++++++++++++++++++
+ policy/modules/services/acpi.if           |  8 ++++
+ policy/modules/services/acpi.te           | 20 ++++++++++
+ policy/modules/services/apache.if         |  8 ++++
+ policy/modules/services/bluetooth.if      | 10 +++++
+ policy/modules/services/bluetooth.te      | 10 +++++
+ policy/modules/services/consolekit.te     |  7 ++++
+ policy/modules/services/dbus.if           |  8 ++++
+ policy/modules/services/dbus.te           |  7 ++++
+ policy/modules/services/modemmanager.te   | 10 +++++
+ policy/modules/services/networkmanager.if |  8 ++++
+ policy/modules/services/networkmanager.te | 23 +++++++++++
+ policy/modules/system/init.te             |  7 ++++
+ policy/modules/system/libraries.if        |  8 ++++
+ policy/modules/system/locallogin.te       |  9 +++++
+ policy/modules/system/logging.if          |  8 ++++
+ policy/modules/system/logging.te          | 11 ++++++
+ policy/modules/system/modutils.te         |  8 ++++
+ policy/modules/system/mount.te            |  7 ++++
+ policy/modules/system/selinuxutil.te      |  8 ++++
+ policy/modules/system/sysnetwork.te       |  8 ++++
+ policy/modules/system/systemd.if          | 24 ++++++++++++
+ policy/modules/system/systemd.te          | 22 +++++++++++
+ policy/modules/system/udev.if             |  8 ++++
+ policy/modules/system/udev.te             |  7 ++++
+ policy/modules/system/userdomain.if       |  8 ++++
+ policy/modules/system/userdomain.te       |  7 ++++
+ policy/modules/system/xdg.if              | 16 ++++++++
+ 36 files changed, 460 insertions(+)
+
+diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
+index 09d590add..2762fc664 100644
+--- a/policy/modules/admin/alsa.te
++++ b/policy/modules/admin/alsa.te
+@@ -111,3 +111,13 @@ optional_policy(`
+ 	hal_use_fds(alsa_t)
+ 	hal_write_log(alsa_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow alsa_t var_lock_t:file { getattr lock open read write };
++
++allow alsa_t alsa_var_lib_t:lnk_file read;
++xdg_config_dirs_search(alsa_t)
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 228baecd8..ccec67c80 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -60,3 +60,10 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(dmesg_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++corecmd_map_exec_bin_files(dmesg_t)
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index 5cdfe2196..31e9d970c 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -212,3 +212,10 @@ userdom_use_inherited_user_terminals(traceroute_t)
+ # nmap searches .
+ userdom_dontaudit_search_user_home_dirs(traceroute_t)
+ userdom_dontaudit_search_user_home_content(traceroute_t)
++
++########################################
++#
++# DEY custom rules
++#
++
++allow ping_t bin_t:file { execute map read };
+diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
+index 1b9c6ccde..aeac19008 100644
+--- a/policy/modules/apps/pulseaudio.if
++++ b/policy/modules/apps/pulseaudio.if
+@@ -147,6 +147,15 @@ interface(`pulseaudio_signull',`
+ 	allow $1 pulseaudio_t:process signull;
+ ')
+ 
++interface(`pulseaudio_connectto',`
++	gen_require(`
++		type pulseaudio_t;
++	')
++
++	allow $1 pulseaudio_t:unix_stream_socket connectto;
++	allow $1 pulseaudio_t:fd use;
++')
++
+ ########################################
+ ## <summary>
+ ##	Use file descriptors for
+diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
+index 3a50fc5b2..ce24736f3 100644
+--- a/policy/modules/apps/pulseaudio.te
++++ b/policy/modules/apps/pulseaudio.te
+@@ -311,3 +311,18 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_signull(pulseaudio_client)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow pulseaudio_t self:capability net_admin;
++systemd_watch_logind_sessions_files(pulseaudio_t)
++allow pulseaudio_t user_runtime_root_t:dir { add_name create read remove_name write };
++allow pulseaudio_t user_runtime_root_t:file { create getattr lock open read unlink write };
++allow pulseaudio_t user_runtime_root_t:sock_file { create setattr };
++allow pulseaudio_t user_home_dir_t:dir create;
++dbus_write_sock_file(pulseaudio_t)
++sysadm_use_fds(pulseaudio_t)
++sysadm_connectto_socket(pulseaudio_t)
+diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
+index c605ca5f7..e7b41c32c 100644
+--- a/policy/modules/kernel/corecommands.if
++++ b/policy/modules/kernel/corecommands.if
+@@ -199,6 +199,14 @@ interface(`corecmd_check_exec_bin_files',`
+ 	allow $1 bin_t:file { execute getattr };
+ ')
+ 
++interface(`corecmd_map_exec_bin_files',`
++	gen_require(`
++		type bin_t;
++	')
++
++	allow $1 bin_t:file { execute map read };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read files in bin directories.
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 406b29796..e4ad0d3b8 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -2114,6 +2114,14 @@ interface(`dev_getattr_input_dev',`
+ 	allow $1 event_device_t:chr_file getattr;
+ ')
+ 
++interface(`dev_read_input_dev',`
++	gen_require(`
++		type event_device_t;
++	')
++
++	allow $1 event_device_t:chr_file read;
++')
++
+ ########################################
+ ## <summary>
+ ##	Set the attributes of the event devices.
+@@ -2260,6 +2268,38 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
+ 	dontaudit $1 framebuf_device_t:chr_file setattr;
+ ')
+ 
++interface(`dev_read_write_framebuffer_dev',`
++	gen_require(`
++		type framebuf_device_t;
++	')
++
++	allow $1 framebuf_device_t:chr_file { read write };
++')
++
++interface(`dev_use_gpiochip',`
++	gen_require(`
++		type gpiochip_device_t;
++	')
++
++	allow $1 gpiochip_device_t:chr_file { ioctl open read write };
++')
++
++interface(`dev_use_watchdog',`
++	gen_require(`
++		type watchdog_device_t;
++	')
++
++	allow $1 watchdog_device_t:chr_file { ioctl open read write };
++')
++
++interface(`dev_use_wireless',`
++	gen_require(`
++		type wireless_device_t;
++	')
++
++	allow $1 wireless_device_t:chr_file { ioctl open read write };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read the framebuffer.
+@@ -5064,6 +5104,14 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ 	dontaudit $1 v4l_device_t:chr_file getattr;
+ ')
+ 
++interface(`dev_handle_video_dev',`
++	gen_require(`
++		type v4l_device_t;
++	')
++
++	allow $1 v4l_device_t:chr_file { ioctl map open read write };
++')
++
+ ########################################
+ ## <summary>
+ ##	Set the attributes of video4linux device nodes.
+diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
+index 5c2871842..49416d26e 100644
+--- a/policy/modules/roles/sysadm.if
++++ b/policy/modules/roles/sysadm.if
+@@ -211,6 +211,14 @@ interface(`sysadm_sigchld',`
+ 	allow $1 sysadm_t:process sigchld;
+ ')
+ 
++interface(`sysadm_transition',`
++	gen_require(`
++		type sysadm_t;
++	')
++
++	allow $1 sysadm_t:process transition;
++')
++
+ ########################################
+ ## <summary>
+ ##	Inherit and use sysadm file descriptors
+@@ -229,6 +237,22 @@ interface(`sysadm_use_fds',`
+ 	allow $1 sysadm_t:fd use;
+ ')
+ 
++interface(`sysadm_connectto_socket',`
++	gen_require(`
++		type sysadm_t;
++	')
++
++	allow $1 sysadm_t:unix_stream_socket connectto;
++')
++
++interface(`sysadm_sendto_unix_dgram_socket',`
++	gen_require(`
++		type sysadm_t;
++	')
++
++	allow $1 sysadm_t:unix_dgram_socket sendto;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write sysadm user unnamed pipes.
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 310a4fad2..4a3dc7a58 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -1375,3 +1375,50 @@ ifndef(`distro_redhat',`
+ 	')
+ ')
+ 
++########################################
++#
++# DEY custom rules
++#
++
++allow sysadm_t init_exec_t:file entrypoint;
++allow sysadm_t init_t:unix_stream_socket { ioctl read write };
++allow sysadm_t self:capability audit_write;
++allow sysadm_t self:system reload;
++allow sysadm_t user_runtime_root_t:blk_file create;
++allow sysadm_t user_runtime_root_t:chr_file create;
++allow sysadm_t usr_t:file execute;
++
++allow sysadm_t device_t:chr_file { create ioctl open read write };
++dev_read_write_framebuffer_dev(sysadm_t)
++allow sysadm_t initrc_t:unix_stream_socket connectto;
++pulseaudio_connectto(sysadm_t)
++
++#!!!! This avc can be allowed using the boolean 'allow_execmem'
++allow sysadm_t self:process execmem;
++allow sysadm_t usr_t:file execute_no_trans;
++
++allow sysadm_t user_tmpfs_t:file { execmod execute };
++
++dev_use_gpiochip(sysadm_t)
++allow sysadm_t kernel_t:system module_request;
++allow sysadm_t self:can_socket { bind create getopt read setopt write };
++dev_use_watchdog(sysadm_t)
++
++networkmanager_sendto_unix_dgram_socket(sysadm_t)
++allow sysadm_t initrc_t:fd use;
++xdg_dir_watch(sysadm_t)
++
++allow sysadm_t device_t:chr_file map;
++allow sysadm_t device_t:dir watch;
++allow sysadm_t framebuf_device_t:chr_file { ioctl open };
++apache_execute_runtime_files(sysadm_t)
++dev_handle_video_dev(sysadm_t)
++
++allow sysadm_t self:bluetooth_socket create;
++allow sysadm_t self:process execstack;
++
++allow sysadm_t self:bluetooth_socket ioctl;
++
++dev_manage_dri_dev(sysadm_t)
++allow sysadm_t self:netlink_route_socket nlmsg_write;
++allow sysadm_t semanage_t:process { noatsecure rlimitinh siginh };
+diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if
+index e6805e1d3..849e3ea15 100644
+--- a/policy/modules/services/acpi.if
++++ b/policy/modules/services/acpi.if
+@@ -119,6 +119,14 @@ interface(`acpi_append_log',`
+ 	allow $1 acpid_log_t:file append_file_perms;
+ ')
+ 
++interface(`acpi_write_lock',`
++	gen_require(`
++		type acpid_lock_t;
++	')
++
++	allow $1 acpid_lock_t:file write;
++')
++
+ ########################################
+ ## <summary>
+ ##	Connect to apmd over an unix
+diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
+index 26d16a369..c54302289 100644
+--- a/policy/modules/services/acpi.te
++++ b/policy/modules/services/acpi.te
+@@ -235,3 +235,23 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_domtrans(acpid_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++bluetooth_manage_config(acpid_t)
++kernel_search_debugfs(acpid_t)
++init_read_utmp(acpid_t)
++allow acpid_t self:bluetooth_socket { bind create ioctl write };
++allow acpid_t self:capability { net_admin net_raw };
++allow acpid_t self:process { getsched setpgid };
++allow acpid_t var_log_t:file { open write };
++
++dev_use_gpiochip(acpid_t)
++allow acpid_t self:bluetooth_socket listen;
++
++#!!!! This avc can be allowed using the boolean 'allow_ypbind'
++allow acpid_t self:capability net_bind_service;
++dev_use_wireless(acpid_t)
+diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
+index 71696f051..366f5fdeb 100644
+--- a/policy/modules/services/apache.if
++++ b/policy/modules/services/apache.if
+@@ -1319,6 +1319,14 @@ interface(`apache_cgi_domain',`
+ 	allow httpd_t $1:process signal;
+ ')
+ 
++interface(`apache_execute_runtime_files',`
++	gen_require(`
++		type httpd_runtime_t;
++	')
++
++	allow $1 httpd_runtime_t:file execute;
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to
+diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
+index e35e86312..1580a772c 100644
+--- a/policy/modules/services/bluetooth.if
++++ b/policy/modules/services/bluetooth.if
+@@ -107,6 +107,16 @@ interface(`bluetooth_read_config',`
+ 	allow $1 bluetooth_conf_t:file read_file_perms;
+ ')
+ 
++interface(`bluetooth_manage_config',`
++	gen_require(`
++		type bluetooth_conf_t, bluetooth_t;
++	')
++
++	allow $1 bluetooth_conf_t:dir search;
++	allow $1 bluetooth_conf_t:file { open read };
++	allow $1 bluetooth_t:process signal;
++')
++
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 63e50aeda..ec822154f 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -223,3 +223,13 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++logging_allow_write_generic_logs(bluetooth_t)
++
++allow bluetooth_t self:alg_socket { bind create };
++allow bluetooth_t syslogd_runtime_t:sock_file write;
+diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
+index 105bd45c7..292fd5074 100644
+--- a/policy/modules/services/consolekit.te
++++ b/policy/modules/services/consolekit.te
+@@ -172,3 +172,10 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_stream_connect(consolekit_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow consolekit_t var_log_t:dir create;
+diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
+index 146262d88..f59642950 100644
+--- a/policy/modules/services/dbus.if
++++ b/policy/modules/services/dbus.if
+@@ -165,6 +165,14 @@ interface(`dbus_connect_all_session_bus',`
+ 	allow $1 session_bus_type:dbus acquire_svc;
+ ')
+ 
++interface(`dbus_write_sock_file',`
++	gen_require(`
++		type session_dbusd_runtime_t;
++	')
++
++	allow $1 session_dbusd_runtime_t:sock_file write;
++')
++
+ #######################################
+ ## <summary>
+ ##	Acquire service on specified
+diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
+index 8ae5c8d93..bcf8b9677 100644
+--- a/policy/modules/services/dbus.te
++++ b/policy/modules/services/dbus.te
+@@ -315,3 +315,10 @@ optional_policy(`
+ 
+ allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
+ allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
++
++########################################
++#
++# DEY custom rules
++#
++
++allow system_dbusd_t syslogd_runtime_t:sock_file write;
+diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
+index 784221a03..1f6f698c2 100644
+--- a/policy/modules/services/modemmanager.te
++++ b/policy/modules/services/modemmanager.te
+@@ -58,3 +58,13 @@ optional_policy(`
+ 	udev_read_db(modemmanager_t)
+ 	udev_manage_runtime_files(modemmanager_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow modemmanager_t self:process setsched;
++allow modemmanager_t syslogd_runtime_t:sock_file write;
++
++allow modemmanager_t self:capability sys_nice;
+diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
+index ef738db1e..7e203a0d2 100644
+--- a/policy/modules/services/networkmanager.if
++++ b/policy/modules/services/networkmanager.if
+@@ -171,6 +171,14 @@ interface(`networkmanager_signal',`
+ 	allow $1 NetworkManager_t:process signal;
+ ')
+ 
++interface(`networkmanager_sendto_unix_dgram_socket',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++	allow $1 NetworkManager_t:unix_dgram_socket sendto;
++')
++
+ ########################################
+ ## <summary>
+ ##	Watch networkmanager etc dirs.
+diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
+index ce48909dd..e5f9e5da0 100644
+--- a/policy/modules/services/networkmanager.te
++++ b/policy/modules/services/networkmanager.te
+@@ -397,3 +397,26 @@ init_use_script_ptys(wpa_cli_t)
+ miscfiles_read_localization(wpa_cli_t)
+ 
+ term_dontaudit_use_console(wpa_cli_t)
++
++########################################
++#
++# DEY custom rules
++#
++
++allow NetworkManager_t device_t:chr_file { ioctl open read write };
++libs_watch(NetworkManager_t)
++fs_read_nsfs_files(NetworkManager_t)
++systemd_watch_logind_runtime_files(NetworkManager_t)
++systemd_watch_machines(NetworkManager_t)
++systemd_watch_logind_sessions_files(NetworkManager_t)
++
++sysadm_sendto_unix_dgram_socket(NetworkManager_t)
++
++allow NetworkManager_t etc_t:dir watch;
++
++acpi_use_fds(NetworkManager_t)
++consolekit_watch_runtime_dir(NetworkManager_t)
++
++acpi_write_lock(NetworkManager_t)
++acpi_append_log(NetworkManager_t)
++dev_read_input_dev(NetworkManager_t)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 6b6b723b8..f43acf976 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1486,3 +1486,10 @@ optional_policy(`
+ 	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ 	userdom_dontaudit_write_user_tmp_files(systemprocess)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++sysadm_transition(init_t)
+diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
+index d1379fbe6..dc25cb26f 100644
+--- a/policy/modules/system/libraries.if
++++ b/policy/modules/system/libraries.if
+@@ -251,6 +251,14 @@ interface(`libs_manage_lib_dirs',`
+ 	allow $1 lib_t:dir manage_dir_perms;
+ ')
+ 
++interface(`libs_watch',`
++	gen_require(`
++		type lib_t;
++	')
++
++	allow $1 lib_t:dir watch;
++')
++
+ ########################################
+ ## <summary>
+ ##	dontaudit attempts to setattr on library files
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 971ca40e5..da4689d33 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -289,3 +289,12 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_use(sulogin_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow local_login_t init_runtime_t:sock_file write;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t syslogd_runtime_t:sock_file write;
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index e3cbe4f1a..81a512e7b 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -1261,6 +1261,14 @@ interface(`logging_dontaudit_write_generic_logs',`
+ 	dontaudit $1 var_log_t:file write;
+ ')
+ 
++interface(`logging_allow_write_generic_logs',`
++	gen_require(`
++		type var_log_t;
++	')
++
++	allow $1 var_log_t:file { getattr write };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write generic log files.
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index c22613c0b..b332aeb21 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,3 +627,14 @@ optional_policy(`
+ 	# log to the xconsole
+ 	xserver_rw_console(syslogd_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow klogd_t bin_t:file { execute map read };
++
++allow syslogd_t bin_t:file { execute map read };
++udevadm_signull(syslogd_t)
++userdom_manage_user_runtime_root_dirs(syslogd_t)
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index 8fd009742..8c9056ead 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -195,3 +195,11 @@ optional_policy(`
+ 	xserver_getattr_log(kmod_t)
+ ')
+ 
++########################################
++#
++# DEY custom rules
++#
++
++acpi_write_lock(kmod_t)
++acpi_append_log(kmod_t)
++dev_read_input_dev(kmod_t)
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 5bb4fe631..ddd6ce396 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -230,3 +230,10 @@ optional_policy(`
+ 	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ 	unconfined_domain(unconfined_mount_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++userdom_append_getattr(mount_t)
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 09fef149b..3fd8b81c5 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -691,3 +691,11 @@ optional_policy(`
+ optional_policy(`
+ 	hotplug_use_fds(setfiles_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow semanage_t load_policy_t:process { noatsecure rlimitinh siginh };
++allow semanage_t setfiles_t:process { noatsecure rlimitinh siginh };
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index a77738924..28d7f42bb 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -424,3 +424,11 @@ optional_policy(`
+ 	xen_append_log(ifconfig_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
++
++########################################
++#
++# DEY custom rules
++#
++
++allow ifconfig_t bin_t:file { execute map read };
++userdom_append_getattr(ifconfig_t);
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index b81300835..622682107 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -234,6 +234,14 @@ interface(`systemd_read_logind_runtime_files',`
+ 	allow $1 systemd_logind_runtime_t:file read_file_perms;
+ ')
+ 
++interface(`systemd_watch_logind_runtime_files',`
++	gen_require(`
++		type systemd_logind_runtime_t;
++	')
++
++	allow $1 systemd_logind_runtime_t:dir watch;
++')
++
+ ######################################
+ ## <summary>
+ ##   Manage systemd-logind runtime pipes.
+@@ -313,6 +321,14 @@ interface(`systemd_read_logind_sessions_files',`
+ 	read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
+ ')
+ 
++interface(`systemd_watch_logind_sessions_files',`
++	gen_require(`
++		type systemd_sessions_runtime_t;
++	')
++
++	allow $1 systemd_sessions_runtime_t:dir watch;
++')
++
+ ######################################
+ ## <summary>
+ ##      Write inherited logind sessions pipes.
+@@ -445,6 +461,14 @@ interface(`systemd_read_machines',`
+ 	allow $1 systemd_machined_runtime_t:file read_file_perms;
+ ')
+ 
++interface(`systemd_watch_machines',`
++	gen_require(`
++		type systemd_machined_runtime_t;
++	')
++
++	allow $1 systemd_machined_runtime_t:dir watch;
++')
++
+ ########################################
+ ## <summary>
+ ##   Send and receive messages from
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7e573645b..4efc91a9b 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1420,3 +1420,25 @@ userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
+ userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
+ 
+ dbus_system_bus_client(systemd_user_runtime_dir_t)
++
++########################################
++#
++# DEY custom rules
++#
++
++allow systemd_backlight_t sysctl_kernel_t:dir search;
++allow systemd_backlight_t sysctl_kernel_t:file { getattr ioctl open read };
++allow systemd_backlight_t sysctl_t:dir search;
++
++allow systemd_generator_t cgroup_t:filesystem getattr;
++allow systemd_generator_t removable_device_t:blk_file { getattr ioctl open read };
++allow systemd_generator_t self:capability dac_override;
++allow systemd_generator_t self:process setfscreate;
++allow systemd_generator_t tmpfs_t:filesystem getattr;
++
++allow systemd_logind_t initrc_runtime_t:file watch;
++allow systemd_logind_t initrc_t:unix_stream_socket connectto;
++
++allow systemd_resolved_t system_dbusd_runtime_t:dir read;
++allow systemd_resolved_t systemd_resolved_runtime_t:lnk_file { create rename };
++allow systemd_resolved_t system_dbusd_runtime_t:sock_file read;
+diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
+index bdfd373da..468f83d2e 100644
+--- a/policy/modules/system/udev.if
++++ b/policy/modules/system/udev.if
+@@ -597,3 +597,11 @@ interface(`udevadm_exec',`
+ 
+ 	can_exec($1, udevadm_exec_t)
+ ')
++
++interface(`udevadm_signull',`
++	gen_require(`
++		type udevadm_t;
++	')
++
++	allow $1 udevadm_t:process signull;
++')
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index e483d63d3..2bd2fcdc7 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -427,3 +427,10 @@ seutil_read_file_contexts(udevadm_t)
+ 
+ init_dontaudit_use_fds(udevadm_t)
+ term_dontaudit_use_console(udevadm_t)
++
++########################################
++#
++# DEY custom rules
++#
++
++allow udev_t init_t:system start;
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 5aab9ada7..eb1d5ffbf 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -4361,6 +4361,14 @@ interface(`userdom_write_user_tmp_files',`
+ 	allow $1 user_tmp_t:file write_file_perms;
+ ')
+ 
++interface(`userdom_append_getattr',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file { append getattr };
++')
++
+ ########################################
+ ## <summary>
+ ##      Do not audit attempts to write users
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index ce69ca10b..5cb2f75bc 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -130,3 +130,10 @@ files_poly_member(user_runtime_t)
+ files_poly_parent(user_runtime_t)
+ ubac_constrained(user_runtime_t)
+ userdom_user_runtime_content(user_runtime_t)
++
++########################################
++#
++# DEY custom rules
++#
++
++dev_associate(user_tmpfs_t)
+diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
+index 11fc43069..801c79d40 100644
+--- a/policy/modules/system/xdg.if
++++ b/policy/modules/system/xdg.if
+@@ -215,6 +215,14 @@ interface(`xdg_create_cache_dirs',`
+ 	allow $1 xdg_cache_t:dir create_dir_perms;
+ ')
+ 
++interface(`xdg_dir_watch',`
++	gen_require(`
++		type xdg_cache_t;
++	')
++
++	allow $1 xdg_cache_t:dir watch;
++')
++
+ ########################################
+ ## <summary>
+ ##	Manage the xdg cache home files
+@@ -465,6 +473,14 @@ interface(`xdg_create_config_dirs',`
+ 	allow $1 xdg_config_t:dir create_dir_perms;
+ ')
+ 
++interface(`xdg_config_dirs_search',`
++	gen_require(`
++		type xdg_config_t;
++	')
++
++	allow $1 xdg_config_t:dir search;
++')
++
+ ########################################
+ ## <summary>
+ ##	Manage the xdg config home files
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch
new file mode 100644
index 000000000..04d5e0eb5
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch
@@ -0,0 +1,86 @@
+From: Gabriel Valcazar <gabriel.valcazar@digi.com>
+Date: Fri, 20 Aug 2021 15:06:12 +0200
+Subject: [PATCH 2/2] Make udevadm_t executables run in the udev_t realm
+
+This prevents SELinux from denying udev activity in DEY. This is a partial port
+of the following commit:
+
+https://www.spinics.net/lists/selinux-refpolicy/msg00805.html
+
+Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
+---
+ policy/modules/system/udev.fc | 4 ++--
+ policy/modules/system/udev.if | 4 ++--
+ policy/modules/system/udev.te | 6 +++---
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index ceb5b70b3..36d91f3a2 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -10,7 +10,7 @@
+ /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
+-/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
++/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
+ ')
+ 
+ /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
+-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
++/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
+diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
+index 468f83d2e..1b37166d2 100644
+--- a/policy/modules/system/udev.if
++++ b/policy/modules/system/udev.if
+@@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
+ #
+ interface(`udevadm_domtrans',`
+ 	gen_require(`
+-		type udevadm_t, udevadm_exec_t;
++		type udevadm_t, udev_exec_t;
+ 	')
+ 
+-	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
++	domtrans_pattern($1, udev_exec_t, udevadm_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 2bd2fcdc7..3bfde5bef 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -8,6 +8,7 @@ attribute_role udevadm_roles;
+ 
+ type udev_t;
+ type udev_exec_t;
++typealias udev_exec_t alias udevadm_exec_t;
+ type udev_helper_exec_t;
+ kernel_domtrans_to(udev_t, udev_exec_t)
+ domain_obj_id_change_exemption(udev_t)
+@@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
+ init_named_socket_activation(udev_t, udev_runtime_t)
+ 
+ type udevadm_t;
+-type udevadm_exec_t;
+-init_system_domain(udevadm_t, udevadm_exec_t)
+-application_domain(udevadm_t, udevadm_exec_t)
++application_domain(udevadm_t, udev_exec_t)
+ role udevadm_roles types udevadm_t;
+ 
+ type udev_etc_t alias etc_udev_t;
+@@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
++allow udev_t udev_runtime_t:dir watch;
+ 
+ kernel_load_module(udev_t)
+ kernel_read_system_state(udev_t)
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc
new file mode 100644
index 000000000..89fdfe092
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+DEY_POLICY_PATCHES = " \
+    file://0001-Apply-rules-for-DEY-prebuilt-images.patch \
+    file://0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch \
+"
+
+SRC_URI += " ${@oe.utils.conditional('DEY_SELINUX_POLICY', '1', '${DEY_POLICY_PATCHES}', '', d)}"