From 6261d6d8232ffb9acdb0bb67de8ac5833941acc4 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 12 Jan 2012 08:57:50 -0500
Subject: [PATCH] Allow reading of properties area, which is now created before
 init has switched contexts.  Revisit this later - we should explicitly label
 the properties file.

---
 adbd.te    | 4 ++++
 shell.te   | 4 ++++
 te_macros  | 3 +++
 ueventd.te | 4 +++-
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/adbd.te b/adbd.te
index 3a0aa3b01..4d1e65573 100644
--- a/adbd.te
+++ b/adbd.te
@@ -23,6 +23,10 @@ unix_socket_connect(adbd, vold, vold)
 # Talk to init via the property socket.
 unix_socket_connect(adbd, property, init)
 
+# Read properties.
+allow adbd kernel:fd use;
+allow adbd tmpfs:file read;
+
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
diff --git a/shell.te b/shell.te
index e7e3b3569..a66eaf49f 100644
--- a/shell.te
+++ b/shell.te
@@ -13,6 +13,10 @@ allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 
+# Read properties.
+allow shell kernel:fd use;
+allow shell tmpfs:file read;
+
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;
 
diff --git a/te_macros b/te_macros
index 545ba4e20..4afc777b0 100644
--- a/te_macros
+++ b/te_macros
@@ -97,6 +97,9 @@ allow $1 $1_tmpfs:file { read execute execmod };
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
+# Read properties.
+allow $1 kernel:fd use;
+allow $1 tmpfs:file read;
 ')
 
 #####################################
diff --git a/ueventd.te b/ueventd.te
index 34e07fd0d..89dd9ee93 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -6,7 +6,6 @@ allow ueventd rootfs:file r_file_perms;
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid };
-allow ueventd kernel:fd use;
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
@@ -17,3 +16,6 @@ allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket *;
+# Read properties.
+allow ueventd kernel:fd use;
+allow ueventd tmpfs:file read;