[selinux-policy: 709/3172] add dmidecode

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:06:10 UTC 2010


commit 20e306e2de6e0cd390895bb032c29d493183afcf
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Sep 27 21:24:01 2005 +0000

    add dmidecode

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/admin/dmidecode.fc   |    4 ++
 refpolicy/policy/modules/admin/dmidecode.if   |   47 +++++++++++++++++++++++++
 refpolicy/policy/modules/admin/dmidecode.te   |   31 ++++++++++++++++
 refpolicy/policy/modules/services/hal.te      |    8 +++--
 refpolicy/policy/modules/system/userdomain.te |    4 ++
 6 files changed, 92 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ab495be..ee9935c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 	anaconda
+	dmidecode
 	kudzu
 	radvd
 
diff --git a/refpolicy/policy/modules/admin/dmidecode.fc b/refpolicy/policy/modules/admin/dmidecode.fc
new file mode 100644
index 0000000..3a98813
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dmidecode.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/dmidecode	--	context_template(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership	--	context_template(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode	--	context_template(system_u:object_r:dmidecode_exec_t,s0)
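Review bot: The new file starts with an empty line (the bare `+` on its first hunk line), and dmidecode.te opens the same way; both read as stray whitespace rather than intentional layout. Dropping that first line in each file would keep the specs starting on the first line like the remaining entries here. Labelling `ownership` and `vpddecode` with `dmidecode_exec_t` means they enter the same raw-memory-reading domain as dmidecode, which seems deliberate but is worth one comment above the three lines, e.g. `# all three tools read SMBIOS/DMI tables via raw memory, so they share the dmidecode domain`.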
diff --git a/refpolicy/policy/modules/admin/dmidecode.if b/refpolicy/policy/modules/admin/dmidecode.if
new file mode 100644
index 0000000..c03e365
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dmidecode.if
@@ -0,0 +1,47 @@
+## <summary>Decode DMI data for x86/ia64 bioses.</summary>
+
+########################################
+## <summary>
+##	Execute dmidecode in the dmidecode domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`dmidecode_domtrans',`
+	gen_require(`
+		type dmidecode_t, dmidecode_exec_t;
+	')
+
+	domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
+
+	allow $1 dmidecode_t:fd use;
+	allow dmidecode_t $1:fd use;
+	allow dmidecode_t $1:fifo_file rw_file_perms;
+	allow dmidecode_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dmidecode in the dmidecode domain, and
+##	allow the specified role the dmidecode domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the dmidecode domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the dmidecode domain to use.
+## </param>
+#
+interface(`dmidecode_run',`
+	gen_require(`
+		type dmidecode_t;
+	')
+
+	dmidecode_domtrans($1)
+	role $2 types dmidecode_t;
+	allow dmidecode_t $3:chr_file rw_term_perms;
+')
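Review bot: The `terminal` parameter description in `dmidecode_run` is ungrammatical ("The type of the terminal allow the dmidecode domain to use."); `##	The type of the terminal to allow the dmidecode domain to use.` reads correctly and matches the phrasing used for the other parameters. The `gen_require` of `dmidecode_t` in `dmidecode_run` duplicates the one inside `dmidecode_domtrans`, which is harmless but could be trimmed to just what the role and chr_file rules here need — that is still `dmidecode_t`, so it can stay as is with a short comment noting why it is repeated. The module summary on the first line mentions only dmidecode, while the `.fc` in this commit also routes `ownership` and `vpddecode` through the same domain; extending it to `## <summary>Decode DMI/SMBIOS data for x86/ia64 BIOSes (dmidecode, ownership, vpddecode).</summary>` keeps the interface doc consistent with the file contexts.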
diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te
new file mode 100644
index 0000000..5f28f71
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dmidecode.te
@@ -0,0 +1,31 @@
+
+policy_module(dmidecode,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmidecode_t;
+domain_type(dmidecode_t)
+role system_r types dmidecode_t;
+
+type dmidecode_exec_t;
+domain_entry_file(dmidecode_t,dmidecode_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+# Allow dmidecode to read /dev/mem
+dev_read_raw_memory(dmidecode_t)
+
+term_list_ptys(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+libs_use_ld_so(dmidecode_t)
+libs_use_shared_libs(dmidecode_t)
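Review bot: `allow dmidecode_t self:capability sys_rawio;` is the most sensitive rule in this module and is the only one without a why-comment, while the `dev_read_raw_memory` call just below it does get one. Since both presumably serve the same purpose of reading the DMI tables out of physical memory, a comment such as `# sys_rawio plus raw memory read are what dmidecode needs to map the SMBIOS tables from /dev/mem` above the capability line would document the intent and make future widening of this domain easier to spot in review. The blank first line of the file (the bare `+` at the top of the hunk) looks unintentional and could be dropped.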
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8b9f2d9..b9f1934 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -123,6 +123,11 @@ optional_policy(`dbus.te',`
 	dbus_connect_system_bus(hald_t)
 ')
 
+optional_policy(`dmidecode.te',`
+	# For /usr/libexec/hald-probe-smbios
+	dmidecode_domtrans(hald_t)
+')
+
 optional_policy(`hotplug.te',`
 	hotplug_read_config(hald_t)
 ')
@@ -182,9 +187,6 @@ allow hald_t apmd_var_run_t:sock_file write;
 allow hald_t apmd_t:unix_stream_socket connectto;
 ')
 
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
 ifdef(`targeted_policy', `
 allow unconfined_t hald_t:dbus send_msg;
 allow hald_t unconfined_t:dbus send_msg;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6881cfb..2fc2e94 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -132,6 +132,10 @@ ifdef(`targeted_policy',`
 		clock_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`dmidecode.te',`
+		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`firstboot.te',`
 		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
 	')

