967f39a6e8
Every device has a CPU. This is not device specific.
Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.
Allow ueventd to write to these files. This addresses
the following denials seen on mako:
<5>[ 4.935602] type=1400 audit(1383167737.512:4): avc: denied { read } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.935785] type=1400 audit(1383167737.512:5): avc: denied { open } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.935937] type=1400 audit(1383167737.512:6): avc: denied { search } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.936120] type=1400 audit(1383167737.512:7): avc: denied { write } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[ 4.936303] type=1400 audit(1383167737.512:8): avc: denied { open } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936
25 lines
1.1 KiB
Text
25 lines
1.1 KiB
Text
# ueventd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type ueventd, domain;
|
|
permissive ueventd;
|
|
tmpfs_domain(ueventd)
|
|
write_klog(ueventd)
|
|
security_access_policy(ueventd)
|
|
relabelto_domain(ueventd)
|
|
allow ueventd rootfs:file entrypoint;
|
|
allow ueventd init:process sigchld;
|
|
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
|
allow ueventd device:file create_file_perms;
|
|
allow ueventd device:chr_file rw_file_perms;
|
|
allow ueventd sysfs:file rw_file_perms;
|
|
allow ueventd sysfs:file setattr;
|
|
allow ueventd sysfs_type:file { relabelfrom relabelto };
|
|
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
|
|
allow ueventd tmpfs:chr_file rw_file_perms;
|
|
allow ueventd dev_type:dir create_dir_perms;
|
|
allow ueventd dev_type:lnk_file { create unlink };
|
|
allow ueventd dev_type:chr_file { create setattr unlink };
|
|
allow ueventd dev_type:blk_file { create setattr unlink };
|
|
allow ueventd self:netlink_kobject_uevent_socket *;
|
|
allow ueventd efs_file:dir search;
|
|
allow ueventd efs_file:file r_file_perms;
|