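# CPU governor (root process).
# mpdecision runs as uid 0, so every rule in this file is a grant to a root
# process; keep it minimal and keep the broad grants audited.
type mpdecision, domain;
type mpdecision_exec, exec_type, file_type;

# DAC overrides. Logged with auditallow so that any real use shows up in the
# audit log and the underlying file ownership/mode problem can be fixed
# instead of the daemon relying on the capability.
allow mpdecision self:capability dac_override;
auditallow mpdecision self:capability dac_override;

# Started by init
init_daemon_domain(mpdecision)

# CPU hotplug uevent to manage cores: listen on a kobject uevent netlink
# socket. net_admin is granted next to it; NOTE(review): confirm the
# capability is actually exercised by this daemon, it is a broad grant.
allow mpdecision self:netlink_kobject_uevent_socket { create setopt bind read };
allow mpdecision self:capability net_admin;

# Create under /dev/socket/mpdecision
allow mpdecision mpdecision_socket:dir w_dir_perms;
allow mpdecision mpdecision_socket:sock_file create_file_perms;

# Also support mpdecision creating the /dev/socket/pb socket: a sock_file
# that mpdecision creates directly under socket_device is labelled
# mpdecision_socket instead of inheriting the socket_device label.
type_transition mpdecision socket_device:sock_file mpdecision_socket;
# chown: mpdecision sets the owner of the socket it just created.
allow mpdecision self:capability chown;
allow mpdecision socket_device:dir w_dir_perms;

# By-product of setting owner on sock_file (don't allow): the fsetid check
# fires alongside chown; the denial is silenced rather than granted.
dontaudit mpdecision self:capability fsetid;

# CPU frequency / hotplug control nodes under /sys/devices/system/cpu and
# the mpdecision-specific sysfs nodes.
allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
allow mpdecision sysfs_mpdecision:dir r_dir_perms;
allow mpdecision sysfs_mpdecision:file rw_file_perms;

# Some files in /sys/devices/system/cpu may pop in and out of existence,
# defeating our attempt to label them. As a result, they could have the
# sysfs label, not the sysfs_devices_system_cpu label.
# Allow write access for now until we figure out a better solution.
# For example, the following files pop in and out of existence:
# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
#
# SECURITY NOTE: this grants write to *every* file carrying the generic
# sysfs label, far more than the cpufreq nodes listed above. Each use is
# audited so the set of files actually written can be enumerated and given
# a specific label, at which point both rules below should be removed.
# Expect the audit log to be noisy while the mislabelled nodes are written
# frequently; that is the point of the exercise, not a reason to drop it.
allow mpdecision sysfs:file write;
auditallow mpdecision sysfs:file write;

# This is needed to allow mpdecision to look at system_server's
# /proc/PID/status file.
# NOTE(review): r_dir_file grants read on every file and directory labelled
# with the target domain type, i.e. all of /proc/PID for these processes,
# not only status. Confirm that breadth is intended.
r_dir_file(mpdecision, system_server)
r_dir_file(mpdecision, mediaserver)

# sys_nice: presumably for adjusting scheduling priority/affinity of the
# processes it manages; NOTE(review): confirm which call triggers it.
allow mpdecision self:capability sys_nice;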
47