From ac19f1ac26429ff17daaabcc8f26fbd087e40680 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Fri, 19 Mar 2010 14:28:27 -0400
Subject: [PATCH] rtkit patch from Dan Walsh: rtkit_daemon_system_domain interface allows domains to say rtkit can setsched on their process. Needs sys_nice capability Needs to getsched on all domains. Fix bug in te file Me: changed interface name from rtkit_daemon_system_domain to rtkit_schedule Already had sys_nice capability
---
 policy/modules/services/rtkit.if | 20 ++++++++++++++++++++
 policy/modules/services/rtkit.te | 3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index d536c01a..fabe97ca 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
@@ -38,3 +38,23 @@ interface(`rtkit_daemon_dbus_chat',`
 allow $1 rtkit_daemon_t:dbus send_msg;
 allow rtkit_daemon_t $1:dbus send_msg;
 ')
+
+########################################
+##
+## Allow rtkit to control scheduling for your process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtkit_schedule',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
index 37cd1269..13333c61 100644
--- a/policy/modules/services/rtkit.te
+++ b/policy/modules/services/rtkit.te
@@ -20,6 +20,7 @@ allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
 kernel_read_system_state(rtkit_daemon_t)
+domain_getsched_all_domains(rtkit_daemon_t)
 domain_read_all_domains_state(rtkit_daemon_t)
 fs_rw_anon_inodefs_files(rtkit_daemon_t)
@@ -28,7 +29,7 @@ auth_use_nsswitch(rtkit_daemon_t)
 logging_send_syslog_msg(rtkit_daemon_t)
-miscfiles_read_localization(locale_t)
+miscfiles_read_localization(rtkit_daemon_t)
 optional_policy(`
 policykit_dbus_chat(rtkit_daemon_t)
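Review bot: In rtkit.if, the parameter text `Domain allowed access.` on the new rtkit_schedule interface reads backwards. `$1` is the target of every rule in the body, for example `allow rtkit_daemon_t $1:process { getsched setsched };`, so the access goes to rtkit_daemon_t over the caller's domain, not to the caller. I would word the parameter as `Domain whose processes rtkit may inspect and reschedule.` The summary should also say that the interface lets rtkit read the domain's process state through `ps_process_pattern` and opens D-Bus messaging in both directions through `rtkit_daemon_dbus_chat`, so a policy author calling it sees the whole grant and not only the scheduling part.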
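Review bot: In the rtkit.te hunk at line 20, the added `domain_getsched_all_domains(rtkit_daemon_t)` gives the daemon getsched on every domain, which makes the `getsched` in rtkit_schedule's `allow rtkit_daemon_t $1:process { getsched setsched };` redundant. After this change only setsched is opt-in per domain. The commit message says the all-domains grant is needed, but nothing in the policy records that split. I would add a comment above the new line such as `# getsched is needed on all domains; setsched is granted per domain through rtkit_schedule()`, and consider dropping `getsched` from the interface so the rule states only what it adds.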