kernel: allow rebooting, and writing to /dev/__kmsg__
Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
parent
ccc8608cc6
commit
e550e79c76
1 changed files with 12 additions and 0 deletions
12
kernel.te
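--- a/kernel.te
+++ b/kernel.te
@@ -24,6 +24,18 @@ dontaudit kernel self:security setenforce;
 # Write to /proc/1/oom_adj prior to switching to init domain.
 allow kernel self:capability sys_resource;
 
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/__kmsg__ which was created prior to
+# loading policy
+allow kernel tmpfs:chr_file write;
+
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;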
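Review bot: `allow kernel tmpfs:chr_file write;` is scoped by type, not by file, so it covers every character device that still carries the default tmpfs label, not only /dev/__kmsg__. The denial path in the commit message hex-decodes to "/dev/__kmsg__ (deleted)", which suggests only an already-open, unlinked descriptor is involved and would explain why `write` without `open` is enough. The comment should record that, e.g. `# /dev/__kmsg__ is unlinked after creation and never relabeled; only write on the inherited fd is needed, do not add open.` Separately, the comment above the sysrq rule says the write could be ignored, in which case `dontaudit kernel proc_sysrq:file w_file_perms;` would be tighter than granting it.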