Allow debugfs access and setsched for mediaserver.

author: Stephen Smalley <sds@tycho.nsa.gov> 2012-08-09 08:36:10 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> 2012-08-09 08:36:10 -0400
commit: fed246510c971d09a170a8de7a73bf24885c49a9 (patch)
tree: 1d2a8412d25e5277d7ceeb08a1e3ccda3e000ea9
parent: 6cce6199c3b949918c53574576f2777ffd598f5e (diff)
download: sepolicy-fed246510c971d09a170a8de7a73bf24885c49a9.tar.gz
2 files changed, 10 insertions, 2 deletions
diff --git a/domain.te b/domain.te
index 9a59c49..6be7ddd 100644
--- a/domain.te
+++ b/domain.te
@@ -96,5 +96,12 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
 
-# Ignore /sys/kernel/debug
-dontaudit domain debugfs:dir search;
+# debugfs access
+bool debugfs true;
+if (debugfs) {
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file rw_file_perms;
+} else {
+dontaudit domain debugfs:dir r_dir_perms;
+dontaudit domain debugfs:file  rw_file_perms;
+}
diff --git a/system.te b/system.te
index c6fd8bd..0740285 100644
--- a/system.te
+++ b/system.te
@@ -83,6 +83,7 @@ allow system appdomain:process { sigkill signal };
 
 # Set scheduling info for apps.
 allow system appdomain:process setsched;
+allow system mediaserver:process setsched;
 
 # Read /proc data for apps.
 allow system appdomain:dir r_dir_perms;
author	Stephen Smalley <sds@tycho.nsa.gov>	2012-08-09 08:36:10 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	2012-08-09 08:36:10 -0400
commit	fed246510c971d09a170a8de7a73bf24885c49a9 (patch)
tree	1d2a8412d25e5277d7ceeb08a1e3ccda3e000ea9
parent	6cce6199c3b949918c53574576f2777ffd598f5e (diff)
download	sepolicy-fed246510c971d09a170a8de7a73bf24885c49a9.tar.gz