kernel: allow rebooting, and writing to /dev/__kmsg__

Addresses the following denials:

  avc:  denied  { write } for  pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
  avc:  denied  { write } for  pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
  avc:  denied  { sys_boot } for  pid=1 comm="init" capability=22  scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0

Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
This commit is contained in:
Nick Kralevich 2015-05-05 17:40:07 -07:00
parent ccc8608cc6
commit e550e79c76

View file

@ -24,6 +24,18 @@ dontaudit kernel self:security setenforce;
# Write to /proc/1/oom_adj prior to switching to init domain. # Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:capability sys_resource; allow kernel self:capability sys_resource;
# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:capability sys_boot;
allow kernel proc_sysrq:file w_file_perms;
# Allow writing to /dev/__kmsg__ which was created prior to
# loading policy
allow kernel tmpfs:chr_file write;
# Set checkreqprot by init.rc prior to switching to init domain. # Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write; allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot; allow kernel self:security setcheckreqprot;