add dmidecode
This commit is contained in:
parent
724a9fa45a
commit
20e306e2de
@ -4,6 +4,7 @@
|
||||
- Fix errors uncovered by sediff.
|
||||
- Added policies:
|
||||
anaconda
|
||||
dmidecode
|
||||
kudzu
|
||||
radvd
|
||||
|
||||
|
4
refpolicy/policy/modules/admin/dmidecode.fc
Normal file
@ -0,0 +1,4 @@
|
||||
|
||||
/usr/sbin/dmidecode -- context_template(system_u:object_r:dmidecode_exec_t,s0)
|
||||
/usr/sbin/ownership -- context_template(system_u:object_r:dmidecode_exec_t,s0)
|
||||
/usr/sbin/vpddecode -- context_template(system_u:object_r:dmidecode_exec_t,s0)
|
47
refpolicy/policy/modules/admin/dmidecode.if
Normal file
@ -0,0 +1,47 @@
|
||||
## <summary>Decode DMI data for x86/ia64 bioses.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute dmidecode in the dmidecode domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`dmidecode_domtrans',`
|
||||
gen_require(`
|
||||
type dmidecode_t, dmidecode_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
|
||||
|
||||
allow $1 dmidecode_t:fd use;
|
||||
allow dmidecode_t $1:fd use;
|
||||
allow dmidecode_t $1:fifo_file rw_file_perms;
|
||||
allow dmidecode_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute dmidecode in the dmidecode domain, and
|
||||
## allow the specified role the dmidecode domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the dmidecode domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the dmidecode domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`dmidecode_run',`
|
||||
gen_require(`
|
||||
type dmidecode_t;
|
||||
')
|
||||
|
||||
dmidecode_domtrans($1)
|
||||
role $2 types dmidecode_t;
|
||||
allow dmidecode_t $3:chr_file rw_term_perms;
|
||||
')
|
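Review bot: `allow $1 dmidecode_t:fd use;` in dmidecode_domtrans lets the calling domain use descriptors owned by the child, which a parent that spawns dmidecode and reads its output over a pipe it created itself does not normally need, since a descriptor carries the context of the process that opened it; the reverse rule on the next line together with the fifo_file and sigchld rules are what a transition actually requires. Unless some caller is known to receive descriptors back from dmidecode, dropping `allow $1 dmidecode_t:fd use;` keeps the interface at least privilege. The interface summary could also state what the caller keeps: `## Execute dmidecode in the dmidecode domain; the child may use the caller's descriptors and pipes and signals the caller with sigchld.`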
31
refpolicy/policy/modules/admin/dmidecode.te
Normal file
@ -0,0 +1,31 @@
|
||||
|
||||
policy_module(dmidecode,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type dmidecode_t;
|
||||
domain_type(dmidecode_t)
|
||||
role system_r types dmidecode_t;
|
||||
|
||||
type dmidecode_exec_t;
|
||||
domain_entry_file(dmidecode_t,dmidecode_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow dmidecode_t self:capability sys_rawio;
|
||||
|
||||
# Allow dmidecode to read /dev/mem
|
||||
dev_read_raw_memory(dmidecode_t)
|
||||
|
||||
term_list_ptys(dmidecode_t)
|
||||
|
||||
files_list_usr(dmidecode_t)
|
||||
|
||||
libs_use_ld_so(dmidecode_t)
|
||||
libs_use_shared_libs(dmidecode_t)
|
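Review bot: `allow dmidecode_t self:capability sys_rawio;` is the one rule in this module without a comment, yet together with `dev_read_raw_memory(dmidecode_t)` it is what makes the domain privileged: a process in dmidecode_t can read arbitrary physical memory, so the value of a separate domain is keeping that ability away from the callers (hald_t, sysadm_t) rather than confining dmidecode itself. Suggest replacing `# Allow dmidecode to read /dev/mem` with a comment that covers both rules, e.g. `# dmidecode reads the SMBIOS/DMI tables out of physical memory via /dev/mem; sys_rawio is presumably needed for that access — confirm against the kernel`. The Declarations block would also benefit from a one-line note that this domain is entered only through dmidecode_exec_t, which is the property the two interfaces rely on.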
@ -123,6 +123,11 @@ optional_policy(`dbus.te',`
|
||||
dbus_connect_system_bus(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`dmidecode.te',`
|
||||
# For /usr/libexec/hald-probe-smbios
|
||||
dmidecode_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_read_config(hald_t)
|
||||
')
|
||||
@ -182,9 +187,6 @@ allow hald_t apmd_var_run_t:sock_file write;
|
||||
allow hald_t apmd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# For /usr/libexec/hald-probe-smbios
|
||||
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
allow unconfined_t hald_t:dbus send_msg;
|
||||
allow hald_t unconfined_t:dbus send_msg;
|
||||
|
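Review bot: The comment `# For /usr/libexec/hald-probe-smbios` above `dmidecode_domtrans(hald_t)` names a helper that the new dmidecode.fc in this commit does not label; the transition is keyed on dmidecode_exec_t, i.e. /usr/sbin/dmidecode, ownership and vpddecode. Presumably hald-probe-smbios execs /usr/sbin/dmidecode and the transition fires there, but if the probe ever reads /dev/mem itself this rule would not cover it. Making the comment say which exec triggers the transition removes that ambiguity: `# hald-probe-smbios runs /usr/sbin/dmidecode; run it in its own raw-memory domain`. The second hunk only removes the old direct domain_auto_trans and needs nothing further.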
@ -132,6 +132,10 @@ ifdef(`targeted_policy',`
|
||||
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`dmidecode.te',`
|
||||
dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`firstboot.te',`
|
||||
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
|
||||
')
|
||||
|