From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 24 Aug 2012 16:02:00 +0200
Subject: [refpolicy] [PATCH 0/2]: cpucontrol module updates (CPU microcode
	update modifications)
Message-ID: <50378958.7050601@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

I propose the following set of two patches for the cpucontrol module.

The first patch mainly reduces the set of permissions granted to the CPU 
microcode updating application and slighlty extends the corresponding 
file contexts in order to support different possible locations (the 
latter in particular, is very widely open to discussion and comments, as 
for example, the standard location appears to be in /usr/local).

The second patch is somewhat optional and not necessarily recommended: 
it aims to allow running the CPU microcode application not only as a 
short-lived daemon at system bootup but also as a standalone application 
that can be executed at any time.

I have only tested it with the application from 
http://www.urbanmyth.org/microcode and without the actual microcode, as 
I do not have any processor available from the other major vendor.

Kind regards,

Guido Trentalancia