      # mpdecision: CPU governor daemon. It runs as root, so this policy, not
      # file ownership, is what bounds it.
      type mpdecision, domain, domain_deprecated;
      type mpdecision_exec, exec_type, file_type;

      # Launched by init; init_daemon_domain() sets up the automatic transition
      # from init into this domain when mpdecision_exec is executed.
      init_daemon_domain(mpdecision)

      # Read/write on the labelled sysfs and cpuctl files the daemon manages,
      # and read-only on the two directories that contain some of them.
      allow mpdecision {
          sysfs_mpdecision
          sysfs_devices_system_cpu
          sysfs_rqstats
          sysfs_cpu_online
          cpuctl_device
          sysfs_cpuboost
      }:file rw_file_perms;
      allow mpdecision { sysfs_rqstats sysfs_cpuboost }:dir r_dir_perms;

      # setsched against the kernel domain: needed, per the original note, so the
      # daemon can set CPU affinity. The target is every process labelled kernel.
      allow mpdecision kernel:process setsched;

      # Capabilities, gathered into one rule.
      # NOTE(review): dac_override lets the daemon bypass file permission bits, and
      # this file does not say which operation needs it (or net_admin, fsetid,
      # chown). Confirm each one against current denials before keeping it.
      allow mpdecision self:capability { dac_override net_admin fsetid chown sys_nice };

      # Kernel uevent listener plus a generic socket.
      # NOTE(review): the plain `socket` class is the catch-all for address families
      # without a dedicated class; which family is used here is not stated - confirm.
      allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind };
      allow mpdecision self:socket create_socket_perms;

      # Write-only access to the power control character device.
      allow mpdecision power_control_device:chr_file w_file_perms;

      # The daemon creates and removes its own socket file in its socket directory.
      allow mpdecision mpdecision_socket:dir rw_dir_perms;
      allow mpdecision mpdecision_socket:sock_file { create_file_perms unlink };

      # Workaround rule. Without it this denial was logged:
      # <12>[ 39.917299] type=1400 audit(1409704476.019:90): avc: denied { write } for pid=328 comm="mpdecision" name="scaling_min_freq" dev="sysfs" ino=13165 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
      # although the file shows the expected label when inspected:
      # root@shamu:/sys/devices/system/cpu/cpu0/cpufreq # ls -Z scaling_min_freq
      # -rw-rw-r-- system   system            u:object_r:sysfs_devices_system_cpu:s0 scaling_min_freq
      # TODO: figure out why this is occurring.
      # NOTE(review): the denial's tcontext is the generic sysfs type, so this rule
      # grants write on every file still carrying that default label, not only
      # scaling_min_freq. permissive=1 means the access was logged, not blocked.
      # Possibly the node is recreated and written before it is relabelled - unconfirmed.
      allow mpdecision sysfs:file write;
      allow mpdecision sysfs_usb:file write;

      # r_dir_file() on a domain type grants read on directories, files and symlinks
      # carrying that label, i.e. the /proc/<pid> entries of these services.
      r_dir_file(mpdecision, system_server)
      r_dir_file(mpdecision, mediaserver)
      r_dir_file(mpdecision, audioserver)

      # cameraserver gets the narrower form: directory search and file read/open only.
      allow mpdecision cameraserver:dir search;
      allow mpdecision cameraserver:file { read open };