1# CPU governor (root process) 2type mpdecision, domain; 3type mpdecision_exec, exec_type, file_type; 4 5# Started by init 6init_daemon_domain(mpdecision) 7 8allow mpdecision sysfs_mpdecision:file rw_file_perms; 9allow mpdecision sysfs_devices_system_cpu:file rw_file_perms; 10allow mpdecision sysfs_rqstats:file rw_file_perms; 11allow mpdecision sysfs_rqstats:dir r_dir_perms; 12allow mpdecision sysfs_cpu_online:file rw_file_perms; 13allow mpdecision cpuctl_device:file rw_file_perms; 14allow mpdecision sysfs_cpuboost:dir r_dir_perms; 15allow mpdecision sysfs_cpuboost:file rw_file_perms; 16 17#Allow mpdecision set cpu affinity 18allow mpdecision kernel:process setsched; 19 20allow mpdecision self:capability { dac_override net_admin fsetid chown }; 21allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind }; 22allow mpdecision self:socket create_socket_perms; 23allow mpdecision power_control_device:chr_file w_file_perms; 24allow mpdecision mpdecision_socket:dir rw_dir_perms; 25allow mpdecision mpdecision_socket:sock_file { create_file_perms unlink }; 26# Without the following line, the following denial occurs: 27# <12>[ 39.917299] type=1400 audit(1409704476.019:90): avc: denied { write } for pid=328 comm="mpdecision" name="scaling_min_freq" dev="sysfs" ino=13165 scontext=u:r:mpdecision:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 28# even though the file is properly labeled: 29# root@shamu:/sys/devices/system/cpu/cpu0/cpufreq # ls -Z scaling_min_freq 30# -rw-rw-r-- system system u:object_r:sysfs_devices_system_cpu:s0 scaling_min_freq 31# TODO: figure out why this is occurring. 32allow mpdecision sysfs:file write; 33r_dir_file(mpdecision, system_server) 34r_dir_file(mpdecision, mediaserver) 35 36allow mpdecision self:capability sys_nice; 37