From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 23 Jan 2013 21:35:08 +0100
Subject: [refpolicy] [PATCH 09/13] Allow mount_t to set priority of
 kernel threads
In-Reply-To: <50FFD4E4.4080206@tresys.com>
References: <1358026351-12955-1-git-send-email-bigon@debian.org>
	<1358026351-12955-10-git-send-email-bigon@debian.org>
	<50FFD4E4.4080206@tresys.com>
Message-ID: <20130123213508.0731230a@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Le Wed, 23 Jan 2013 07:17:40 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> a ?crit :

> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon@bigon.be>
> > 
> > ---
> >  policy/modules/system/mount.te |    1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 8fcd782..7a58d79 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
> >  kernel_dontaudit_write_proc_dirs(mount_t)
> >  # To load binfmt_misc kernel module
> >  kernel_request_load_module(mount_t)
> > +kernel_setsched(mount_t)
> >  
> >  # required for mount.smbfs
> >  corecmd_exec_bin(mount_t)
> 
> Any idea why this is required?
> 

During (early) boot I get this AVC:

[    8.452944] type=1400 audit(1358970896.236:59): avc:  denied  { setsched } for  pid=1327 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process

I'm not too sure why this is require, I see nothing in the code, it's
maybe coming from a dep?

Cheers

Laurent Bigonville