From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 23 Jan 2013 21:35:08 +0100
Subject: [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads
In-Reply-To: <50FFD4E4.4080206@tresys.com>
References: <1358026351-12955-1-git-send-email-bigon@debian.org> <1358026351-12955-10-git-send-email-bigon@debian.org> <50FFD4E4.4080206@tresys.com>
Message-ID: <20130123213508.0731230a@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23 Jan 2013 07:17:40 -0500, "Christopher J. PeBenito" wrote:

> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville > > > > --- > > policy/modules/system/mount.te | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/policy/modules/system/mount.te > > b/policy/modules/system/mount.te index 8fcd782..7a58d79 100644 > > --- a/policy/modules/system/mount.te > > +++ b/policy/modules/system/mount.te > > @@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t) > > kernel_dontaudit_write_proc_dirs(mount_t) > > # To load binfmt_misc kernel module > > kernel_request_load_module(mount_t) > > +kernel_setsched(mount_t) > > > > # required for mount.smbfs > > corecmd_exec_bin(mount_t)
>
> Any idea why this is required?
>

During (early) boot I get this AVC:

[ 8.452944] type=1400 audit(1358970896.236:59): avc: denied { setsched } for pid=1327 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process

I'm not too sure why this is required, I see nothing in the code, it's maybe coming from a dep?

Cheers

Laurent Bigonville
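
Review bot: The added kernel_setsched(mount_t) line in the mount.te hunk has no comment and the patch has no commit message, while the neighbouring kernel_request_load_module(mount_t) is documented with "# To load binfmt_misc kernel module". Add a one-line comment above the new rule saying what mount does that needs setsched on kernel_t processes, and include the AVC denial in the commit message. If the cause cannot be identified, decide explicitly between allowing the access and a dontaudit rule, since this rule lets mount_t set the priority of kernel threads.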