From 91ebcf33326418ed9603e618ad193550646c3b04 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 13 Nov 2013 11:32:13 -0800
Subject: [PATCH] netd: allow tcp_socket name_connect

The patch in 36a5d109e6953c63d2a865eab4c4d021aa52250b wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.

Fixes the following denial:

<5>[   82.120746] type=1400 audit(1830030.349:5): avc:  denied  { name_connect } for  pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631

Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
---
 netd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/netd.te b/netd.te
index a5b6f56a9..db2f480a8 100644
--- a/netd.te
+++ b/netd.te
@@ -11,6 +11,7 @@ allow netd self:rawip_socket *;
 allow netd self:{ tcp_socket udp_socket } *;
 allow netd node:{ tcp_socket udp_socket } node_bind;
 allow netd port:{ tcp_socket udp_socket } name_bind;
+allow netd port:tcp_socket name_connect;
 allow netd self:unix_stream_socket *;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;