Allow debugfs access and setsched for mediaserver.

fed24651 · Stephen Smalley · 6cce6199 · fed24651 · fed24651
Commit fed24651 authored 12 years ago by Stephen Smalley
--- a/domain.te
+++ b/domain.te
@@ -96,5 +96,12 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)

-# Ignore /sys/kernel/debug
-dontaudit domain debugfs:dir search;
+# debugfs access
+bool debugfs true;
+if (debugfs) {
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file rw_file_perms;
+} else {
+dontaudit domain debugfs:dir r_dir_perms;
+dontaudit domain debugfs:file  rw_file_perms;
+}
--- a/system.te
+++ b/system.te
@@ -83,6 +83,7 @@ allow system appdomain:process { sigkill signal };

 # Set scheduling info for apps.
 allow system appdomain:process setsched;
+allow system mediaserver:process setsched;

 # Read /proc data for apps.
 allow system appdomain:dir r_dir_perms;