I just added an allow for sysadm_t to read these devices.
fabab187768bbb7295b4dee5543bcd41e1d4563a in git.
I think it should be allowed.
On 05/13/2014 01:07 AM, William wrote:
time->Tue May 13 14:34:12 2014
type=SYSCALL msg=audit(1399957452.980:475): arch=c000003e syscall=2 success=yes exit=4 a0=7fffe9c70350 a1=0 a2=7fffe9c7035e a3=0 items=0 ppid=4025 pid=4148 auid=1343600009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="powertop" exe="/usr/sbin/powertop" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399957452.980:475): avc: denied { open } for pid=4148 comm="powertop" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
time->Tue May 13 14:34:16 2014
type=SYSCALL msg=audit(1399957456.246:476): arch=c000003e syscall=2 success=yes exit=131 a0=7fffe9c71340 a1=0 a2=7fffe9c7134e a3=0 items=0 ppid=4025 pid=4148 auid=1343600009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="powertop" exe="/usr/sbin/powertop" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399957456.246:476): avc: denied { open } for pid=4148 comm="powertop" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
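
An added example, not part of the original thread or of the policy commit it mentions: a small parser that pairs each AVC denial quoted above with its SYSCALL record by audit event ID, derives the type-enforcement rule the denials imply, and lists denials whose syscall still succeeded, which is what a non-enforcing (permissive) domain or mode produces. The function names and the shortened sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two events from the thread, SYSCALL fields shortened.
AVC_TAIL = ('avc:  denied  { open } for  pid=4148 comm="powertop" '
            'path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107 '
            'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file')
SAMPLE = (
    'type=SYSCALL msg=audit(1399957452.980:475): syscall=2 success=yes exit=4 '
    f'type=AVC msg=audit(1399957452.980:475): {AVC_TAIL} '
    'type=SYSCALL msg=audit(1399957456.246:476): syscall=2 success=yes exit=131 '
    f'type=AVC msg=audit(1399957456.246:476): {AVC_TAIL}'
)

RECORD = re.compile(r"(?=type=[A-Z_]+ msg=audit\()")  # split point before each record
HEADER = re.compile(r"type=([A-Z_]+) msg=audit\((\d+\.\d+:\d+)\)")
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    """Third field of user:role:type[:level]."""
    return context.split(":")[2]

def summarize_denials(log):
    """Return (allow rules implied by the denials, event IDs denied yet successful)."""
    perms_by_rule = defaultdict(set)
    denied, succeeded = set(), set()
    for record in RECORD.split(log):  # works whether records are run together or one per line
        head = HEADER.match(record)
        if not head:
            continue  # timestamps, separators, other text
        rtype, event_id = head.groups()
        if rtype == "SYSCALL" and re.search(r"\bsuccess=yes\b", record):
            succeeded.add(event_id)
        elif rtype == "AVC":
            m = DENIAL.search(record)
            if m:
                perms, scon, tcon, tclass = m.groups()
                key = (selinux_type(scon), selinux_type(tcon), tclass)
                perms_by_rule[key].update(perms.split())
                denied.add(event_id)
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(perms_by_rule.items())]
    return rules, sorted(denied & succeeded)

if __name__ == "__main__":
    rules, not_enforced = summarize_denials(SAMPLE)
    print("\n".join(rules))
    print("denied but syscall succeeded:", not_enforced)
```

The derived rule lists only the permission that appears in the log; the policy change mentioned in the reply is described as allowing read access and is not reproduced here.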