lmkd: allow removing cgroups and setting self to SCHED_FIFO
Addresses the following selinux denials: type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0 type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0 Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b
parent
213bb45bdd
commit
5329731802
1 changed files with 6 additions and 0 deletions
6
lmkd.te
6
lmkd.te
|
@ -18,3 +18,9 @@ allow lmkd sysfs_lowmemorykiller:file w_file_perms;
|
|||
|
||||
# Send kill signals
|
||||
allow lmkd appdomain:process sigkill;
|
||||
|
||||
# Clean up old cgroups
|
||||
allow lmkd cgroup:dir { remove_name rmdir };
|
||||
|
||||
# Set self to SCHED_FIFO
|
||||
allow lmkd self:capability sys_nice;
|
||||
|
|
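Review bot: The comment `# Set self to SCHED_FIFO` understates what `allow lmkd self:capability sys_nice;` grants, since CAP_SYS_NICE also covers raising priority and changing the scheduling policy or CPU affinity of other tasks. I would spell that out, e.g. `# Set self to SCHED_FIFO. sys_nice also allows rescheduling other tasks; do not add process setsched on other domains.` Likewise `allow lmkd cgroup:dir { remove_name rmdir };` applies to every directory labeled `cgroup`, not only the per-uid directories seen in the denial (`name="uid_10060"`), so the comment could read `# Clean up old per-uid cgroups (applies to all dirs labeled cgroup)`. The quoted denials show only `remove_name`; `rmdir` was presumably added because it would be the next denial under `permissive=0`, and the commit message should say so.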