From 19b6485f5ed005f1ae9b5ba06b3baca4639a4c83 Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Tue, 2 Aug 2016 18:14:11 -0700
Subject: [PATCH] sepolicy: Add CAP_WAKE_ALARM to system_server.te

With v4.8+ kernels, CAP_WAKE_ALARM is needed to set
alarmtimers via timerfd (this change is likely to be
backported to stable as well).

However, with selinux enabled, we also need to allow
the capability on the system_server so this enables it.

Change-Id: I7cd64d587906f3fbc8a129d48a4db07373c74c7e
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 system_server.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/system_server.te b/system_server.te
index a84812a39..3bf6e4e78 100644
--- a/system_server.te
+++ b/system_server.te
@@ -59,6 +59,9 @@ dontaudit system_server self:capability sys_ptrace;
 # Trigger module auto-load.
 allow system_server kernel:system module_request;
 
+# Allow alarmtimers to be set
+allow system_server self:capability2 wake_alarm;
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
-- 
GitLab