diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ab495be..ee9935c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
- Fix errors uncovered by sediff.
- Added policies:
anaconda
+ dmidecode
kudzu
radvd
diff --git a/refpolicy/policy/modules/admin/dmidecode.fc b/refpolicy/policy/modules/admin/dmidecode.fc
new file mode 100644
index 0000000..3a98813
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dmidecode.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/dmidecode -- context_template(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership -- context_template(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode -- context_template(system_u:object_r:dmidecode_exec_t,s0)
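Review bot: Only dmidecode, ownership and vpddecode are labelled here, so any other tool from the same package that reads the BIOS tables would keep its default label and never enter dmidecode_t. The upstream dmidecode distribution also ships a biosdecode utility, as far as I know; if it is installed on the target systems, add a matching entry such as `/usr/sbin/biosdecode -- context_template(system_u:object_r:dmidecode_exec_t,s0)`. A one-line comment above the entries saying that each labelled path is an entry point to dmidecode_t would help anyone extending the list later.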
diff --git a/refpolicy/policy/modules/admin/dmidecode.if b/refpolicy/policy/modules/admin/dmidecode.if
new file mode 100644
index 0000000..c03e365
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dmidecode.if
@@ -0,0 +1,47 @@
+## Decode DMI data for x86/ia64 bioses.
+
+########################################
+##
+## Execute dmidecode in the dmidecode domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`dmidecode_domtrans',`
+ gen_require(`
+ type dmidecode_t, dmidecode_exec_t;
+ ')
+
+ domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
+
+ allow $1 dmidecode_t:fd use;
+ allow dmidecode_t $1:fd use;
+ allow dmidecode_t $1:fifo_file rw_file_perms;
+ allow dmidecode_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute dmidecode in the dmidecode domain, and
+## allow the specified role the dmidecode domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the dmidecode domain.
+##
+##
+## The type of the terminal allow the dmidecode domain to use.
+##
+#
+interface(`dmidecode_run',`
+ gen_require(`
+ type dmidecode_t;
+ ')
+
+ dmidecode_domtrans($1)
+ role $2 types dmidecode_t;
+ allow dmidecode_t $3:chr_file rw_term_perms;
+')
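Review bot: The third parameter description of `dmidecode_run` is missing a word and should read `## The type of the terminal to allow the dmidecode domain to use.` The `##` blocks as shown carry no `<summary>` or `<param name="...">` tags. That may only be how this page was rendered, but if the file really lacks them they should be added so the interface documentation is generated. The `dmidecode_domtrans` summary should also mention that the target domain can read raw memory (see dmidecode.te in this commit), so that a policy author granting the transition to a new caller does so deliberately.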
diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te
new file mode 100644
index 0000000..5f28f71
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dmidecode.te
@@ -0,0 +1,31 @@
+
+policy_module(dmidecode,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmidecode_t;
+domain_type(dmidecode_t)
+role system_r types dmidecode_t;
+
+type dmidecode_exec_t;
+domain_entry_file(dmidecode_t,dmidecode_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+# Allow dmidecode to read /dev/mem
+dev_read_raw_memory(dmidecode_t)
+
+term_list_ptys(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+libs_use_ld_so(dmidecode_t)
+libs_use_shared_libs(dmidecode_t)
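Review bot: `allow dmidecode_t self:capability sys_rawio;` has no comment, although together with `dev_read_raw_memory(dmidecode_t)` it is what lets this domain read physical memory through /dev/mem. I would widen the existing comment to cover both lines, for example `# dmidecode reads the DMI tables from /dev/mem; this needs sys_rawio plus raw memory read, and no write access is granted.` Every file labelled dmidecode_exec_t in dmidecode.fc is an entry point to this domain, so ownership and vpddecode get the same access, which is worth stating under Declarations. `term_list_ptys` and `files_list_usr` also carry no stated reason; a short why-comment on each would make it easier to audit this domain later.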
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8b9f2d9..b9f1934 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -123,6 +123,11 @@ optional_policy(`dbus.te',`
dbus_connect_system_bus(hald_t)
')
+optional_policy(`dmidecode.te',`
+ # For /usr/libexec/hald-probe-smbios
+ dmidecode_domtrans(hald_t)
+')
+
optional_policy(`hotplug.te',`
hotplug_read_config(hald_t)
')
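Review bot: The comment `# For /usr/libexec/hald-probe-smbios` does not say that the transition fires on files labelled dmidecode_exec_t rather than on the helper itself; presumably hald-probe-smbios executes dmidecode. Something like `# hald-probe-smbios runs dmidecode, which transitions to dmidecode_t` would make that explicit. Compared with the bare `domain_auto_trans` removed in the second hunk of this file, `dmidecode_domtrans(hald_t)` also applies the fd, fifo_file and sigchld rules from dmidecode.if. The commit description should mention that hald_t gains those rules, since they go beyond a pure move into `optional_policy`.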
@@ -182,9 +187,6 @@ allow hald_t apmd_var_run_t:sock_file write;
allow hald_t apmd_t:unix_stream_socket connectto;
')
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6881cfb..2fc2e94 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -132,6 +132,10 @@ ifdef(`targeted_policy',`
clock_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`dmidecode.te',`
+ dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`firstboot.te',`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')