kernel: allow rebooting, and writing to /dev/__kmsg__

Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c76) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-05 17:40:07 -07:00 · 2015-05-05 17:40:07 -07:00 · 618efe8cd3
commit 618efe8cd3
parent 86f30cb16a
1 changed files with 12 additions and 0 deletions
--- a/kernel.te
+++ b/kernel.te
@ -24,6 +24,18 @@ dontaudit kernel self:security setenforce;
 # Write to /proc/1/oom_adj prior to switching to init domain.
 allow kernel self:capability sys_resource;

+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/__kmsg__ which was created prior to
+# loading policy
+allow kernel tmpfs:chr_file write;
+
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;