From fed246510c971d09a170a8de7a73bf24885c49a9 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 9 Aug 2012 08:36:10 -0400
Subject: [PATCH] Allow debugfs access and setsched for mediaserver.

---
 domain.te | 11 +++++++++--
 system.te |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 9a59c49a5..6be7dddf4 100644
--- a/domain.te
+++ b/domain.te
@@ -96,5 +96,12 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
 
-# Ignore /sys/kernel/debug
-dontaudit domain debugfs:dir search;
+# debugfs access
+bool debugfs true;
+if (debugfs) {
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file rw_file_perms;
+} else {
+dontaudit domain debugfs:dir r_dir_perms;
+dontaudit domain debugfs:file  rw_file_perms;
+}
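Review bot: The two `allow` rules inside `if (debugfs)` are granted to the `domain` attribute rather than to mediaserver, and `bool debugfs true;` turns them on by default, so what is presumably every process domain gets `rw_file_perms` on debugfs files, although the subject line names only mediaserver. I would scope the grant to the type that needs it, e.g. `allow mediaserver debugfs:file rw_file_perms;` with the matching `debugfs:dir r_dir_perms` rule, or at minimum ship the boolean as `bool debugfs false;` so the broad access is opt-in. The `else` branch also widens the old `dontaudit` from `dir search` to full directory read and file read/write, which suppresses the audit records that would show a domain probing debugfs. Keeping the suppression at `search` would preserve that visibility.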
diff --git a/system.te b/system.te
index c6fd8bdc6..074028543 100644
--- a/system.te
+++ b/system.te
@@ -83,6 +83,7 @@ allow system appdomain:process { sigkill signal };
 
 # Set scheduling info for apps.
 allow system appdomain:process setsched;
+allow system mediaserver:process setsched;
 
 # Read /proc data for apps.
 allow system appdomain:dir r_dir_perms;
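Review bot: The added `allow system mediaserver:process setsched;` sits under the comment `# Set scheduling info for apps.`, which no longer describes everything beneath it. That a separate rule is needed suggests mediaserver is not part of `appdomain`. I would give the rule its own comment, for example `# Set scheduling info for mediaserver (not an appdomain).`, and state in the commit message why system needs to change mediaserver's scheduling, since the patch carries no description.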
-- 
GitLab