The kernel checks CAP_WAKE_ALARM before testing whether it is truly needed (i.e. for CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM) in timerfd_create() and do_timerfd_settime(). This generates avc denials of wake_alarm permission when it is not truly required, which in turn will lead to either unnecessarily permissive policy (allowing it) or pervasive dontaudits. Should flip the order of the tests in those conditionals so we only perform capable(CAP_WAKE_ALARM) when needed. That's more efficient too in the common case.