From 5329731802c99811f9bf6dbf7065374afa460007 Mon Sep 17 00:00:00 2001
From: Colin Cross <ccross@android.com>
Date: Mon, 14 Jul 2014 17:39:15 -0700
Subject: [PATCH] lmkd: allow removing cgroups and setting self to SCHED_FIFO

Addresses the following selinux denials:
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b
---
 lmkd.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lmkd.te b/lmkd.te
index 8c2b12c7b..b1ffca41a 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -18,3 +18,9 @@ allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
 # Send kill signals
 allow lmkd appdomain:process sigkill;
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+
+# Set self to SCHED_FIFO
+allow lmkd self:capability sys_nice;
-- 
GitLab