Allow reading of properties area, which is now created before init has switched contexts. Revisit this later - we should explicitly label the properties file.

adbd.te

@@ -23,6 +23,10 @@ unix_socket_connect(adbd, vold, vold)
 # Talk to init via the property socket.
 unix_socket_connect(adbd, property, init)
 
+# Read properties.
+allow adbd kernel:fd use;
+allow adbd tmpfs:file read;
+
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)

shell.te

@@ -13,6 +13,10 @@ allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 
+# Read properties.
+allow shell kernel:fd use;
+allow shell tmpfs:file read;
+
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;
 

te_macros

@@ -97,6 +97,9 @@ allow $1 $1_tmpfs:file { read execute execmod };
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
+# Read properties.
+allow $1 kernel:fd use;
+allow $1 tmpfs:file read;
 ')
 
 #####################################

ueventd.te

@@ -6,7 +6,6 @@ allow ueventd rootfs:file r_file_perms;
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid };
-allow ueventd kernel:fd use;
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
@@ -17,3 +16,6 @@ allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket *;
+# Read properties.
+allow ueventd kernel:fd use;
+allow ueventd tmpfs:file read;