From 79e084fcc9a44a79646114021539ca7398110cc3 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 27 Aug 2013 09:16:47 -0400
Subject: [PATCH 1/2] Allow access to /data/security/current symbolic link.

Change-Id: Ic500af7b9dac6a9b6401e99c3d162913e9989d9b
Signed-off-by: Stephen Smalley
---
 te_macros | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/te_macros b/te_macros
index 310612cd9..283c4a30c 100644
--- a/te_macros
+++ b/te_macros
@@ -239,7 +239,7 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file read;
+allow $1 security_file:lnk_file r_file_perms;
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
@@ -259,6 +259,7 @@ security_access_policy($1)
 unix_socket_connect($1, property, init)
 allow $1 security_file:dir create_dir_perms;
 allow $1 security_file:file create_file_perms;
+allow $1 security_file:lnk_file { create rename unlink };
 allow $1 security_prop:property_service set;
 ')
@@ -271,6 +272,7 @@ define(`mmac_manage_policy', `
 unix_socket_connect($1, property, init)
 allow $1 security_file:dir create_dir_perms;
 allow $1 security_file:file create_file_perms;
+allow $1 security_file:lnk_file { create rename unlink };
 allow $1 security_prop:property_service set;
 ')

From a473e29de0a5a1e88e1ac564d91dabb5437ae4fd Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 30 Jul 2013 09:19:00 -0400
Subject: [PATCH 2/2] write_klog also requires write permission to the directory.

Signed-off-by: Stephen Smalley
---
 te_macros | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/te_macros b/te_macros
index 283c4a30c..931393824 100644
--- a/te_macros
+++ b/te_macros
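Review bot: `r_file_perms` on `security_file:lnk_file` is wider than a symlink can use: a link is only followed (`read`) or stat'ed (`getattr`), and the remaining permissions that r_file_perms presumably expands to (its definition lives in global_macros, not on this page — typically open, ioctl and lock) have no effect on lnk_file objects and only pad the rule. `allow $1 security_file:lnk_file { read getattr };` states the grant the patch title describes without the dead permissions. The `define(`security_access_policy', ...)` body continues past the end of the hunk.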
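Review bot: The new `allow $1 security_file:lnk_file { create rename unlink };` is pasted verbatim into two macros — here and in `mmac_manage_policy` in the next hunk — whose visible bodies are otherwise identical as well (unix_socket_connect, create_dir_perms on security_file:dir, create_file_perms on security_file:file, property_service set), so every future change to one must be mirrored by hand in the other and a missed copy would silently leave one set of callers without the symlink rights. Factoring the shared lines into one helper macro that both definitions call, or failing that a `# keep in sync with mmac_manage_policy` comment on each copy, would make the next addition land in both places. Note also that this macro opens with `security_access_policy($1)` (visible in the hunk header), which is where read/getattr on the same link come from, whereas the mmac_manage_policy hunk shows no such call, so whether its callers can read the link they create is not visible from this diff. The define line of the macro containing this hunk is above the hunk.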
@@ -303,7 +303,7 @@ allow $1 kernel:system syslog_read;
 define(`write_klog', `
 type_transition $1 device:chr_file klog_device "__kmsg__";
 allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { add_name remove_name };
+allow $1 device:dir { write add_name remove_name };
 ')
 #####################################
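Review bot: Nothing in write_klog records why three permissions on `device:dir` are needed for a single node, so the next reader may trim `write` back out; a one-line comment above the rule, `# creating or unlinking a directory entry needs dir:write as well as add_name/remove_name`, would pin the reason this second patch exists. The set still omits `search` on `device:dir`, which any caller needs to resolve a path under /dev at all, so the macro relies on that being granted to its callers elsewhere (presumably domain-wide; not visible here). The `#####` line closing the hunk belongs to the next macro's header; write_klog's own header comment, if any, is above the hunk.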