From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 29 Aug 2012 08:57:28 -0400
Subject: [refpolicy] [PATCH 2/2]: cpucontrol module updates (allow CPU microcode update utility as standalone application)
In-Reply-To: <50378988.4050104@trentalancia.com>
References: <50378988.4050104@trentalancia.com>
Message-ID: <503E11B8.1010907@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/24/12 10:02, Guido Trentalancia wrote:
> cpucontrol module modification to also allow execution as a
> standalone application rather than just as an init script or
> from run_init (mutually exclusive tunable policy won't work
> easily due to the presence of typeattributes within the init
> interfaces).
>
> Signed-off-by: Guido Trentalancia
> --- > policy/modules/contrib/cpucontrol.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff -pru refpolicy-08082012-a/policy/modules/contrib/cpucontrol.te > refpolicy-08082012-b/policy/modules/contrib/cpucontrol.te > --- refpolicy-08082012-a/policy/modules/contrib/cpucontrol.te 2012-08-09 > 02:50:45.253581021 +0200 > +++ refpolicy-08082012-b/policy/modules/contrib/cpucontrol.te 2012-08-09 > 02:49:56.525140236 +0200 > @@ -15,7 +15,7 @@ gen_tunable(cpucontrol_can_upload_cpu_mi > > type cpucontrol_t; > type cpucontrol_exec_t; > -init_system_domain(cpucontrol_t, cpucontrol_exec_t) > +init_daemon_domain(cpucontrol_t, cpucontrol_exec_t)

I don't understand why this is necessary. From your description, init_system_domain() is appropriate, since it's for short running programs started by initrc_t.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
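
Review bot: The swap to init_daemon_domain() on the line after the cpucontrol_exec_t declaration is not justified by the commit message. The message is about running the utility as a standalone application, yet both the removed and the added macro are init interfaces, so the hunk only changes how the domain is classified when started from init. The message should name the specific access that init_daemon_domain() grants and init_system_domain() lacks for the standalone case. If the real need is a transition from the invoking user's domain, add that rule explicitly and leave the init classification alone. The message also cites typeattributes inside the init interfaces as the obstacle to a tunable, so it is worth a comment next to the changed line recording why the broader macro was chosen, so a later reader does not revert it.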