selinux-refpolicy/policy/modules/admin/dmidecode.te

policy_module(dmidecode, 1.9.0)

########################################
#
# Declarations
#

attribute_role dmidecode_roles;
roleattribute system_r dmidecode_roles;

type dmidecode_t;
type dmidecode_exec_t;
application_domain(dmidecode_t, dmidecode_exec_t)
role dmidecode_roles types dmidecode_t;

########################################
#
# Local policy
#

allow dmidecode_t self:capability sys_rawio;

dev_read_sysfs(dmidecode_t)

domain_use_interactive_fds(dmidecode_t)

files_list_usr(dmidecode_t)

mls_file_read_all_levels(dmidecode_t)

locallogin_use_fds(dmidecode_t)

userdom_use_inherited_user_terminals(dmidecode_t)

ifdef(`init_systemd',`
	# inherits /dev/null and a socket from devicekit_disk_t
	init_use_fds(dmidecode_t)
	init_rw_inherited_stream_socket(dmidecode_t)
')