From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 24 Aug 2012 16:02:00 +0200
Subject: [refpolicy] [PATCH 0/2]: cpucontrol module updates (CPU microcode update modifications)
Message-ID: <50378958.7050601@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

I propose the following set of two patches for the cpucontrol module.

The first patch mainly reduces the set of permissions granted to the CPU microcode updating application and slightly extends the corresponding file contexts in order to support different possible locations (the latter, in particular, is very widely open to discussion and comments, as for example, the standard location appears to be in /usr/local).

The second patch is somewhat optional and not necessarily recommended: it aims to allow running the CPU microcode application not only as a short-lived daemon at system bootup but also as a standalone application that can be executed at any time.

I have only tested it with the application from http://www.urbanmyth.org/microcode and without the actual microcode, as I do not have any processor available from the other major vendor.

Kind regards,

Guido Trentalancia