From 841f6d870db50862bb6be2e963149f46768f8aca Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 18 Apr 2016 13:28:04 -0700
Subject: [PATCH] Address emulator specific SELinux denials

Fix the following denials:

avc: denied { search } for pid=222 comm="system_server" name="qemu_trace" dev="sysfs" ino=45 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_writable:s0 tclass=dir permissive=1
avc: denied { open } for pid=222 comm="system_server" name="u:object_r:opengles_prop:s0" dev="tmpfs" ino=1429 scontext=u:r:system_server:s0 tcontext=u:object_r:opengles_prop:s0 tclass=file permissive=1
avc: denied { read } for pid=222 comm="system_server" name="u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=1430 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_noril_prop:s0 tclass=file permissive=1
avc: denied { open } for pid=222 comm="system_server" name="u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=1430 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_noril_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=222 comm="system_server" path="/dev/__properties__/u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=1430 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_noril_prop:s0 tclass=file permissive=1
avc: denied { search } for pid=424 comm="putmethod.latin" name="qemu_trace" dev="sysfs" ino=45 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs_writable:s0 tclass=dir permissive=1

Bug: 28221393
Change-Id: I6fce1127d9d9e8bc0119bace3f142d51382401c0
---
 target/board/generic/sepolicy/domain.te | 1 +
 target/board/generic/sepolicy/system_server.te | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
index 201fa8640..5d5e4ac36 100644
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@@ -1,4 +1,5 @@
 # For /sys/qemu_trace files in the emulator.
+allow domain sysfs_writable:dir search;
 allow domain sysfs_writable:file rw_file_perms;
 allow domain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
index d0fb79d9b..f9e277b8a 100644
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@@ -1 +1,3 @@
 unix_socket_connect(system_server, qemud, qemud)
+get_prop(system_server, opengles_prop)
+get_prop(system_server, radio_noril_prop)
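Review bot: The new `allow domain sysfs_writable:dir search;` grants directory traversal to every domain, untrusted_app included, on any directory labeled sysfs_writable, while the comment above it names only /sys/qemu_trace. That matches the existing `rw_file_perms` grant on the following line, but the rule is keyed on a type rather than a path, so it also reaches anything else that the emulator's genfs_contexts or file_contexts may label sysfs_writable (not visible in this patch). A comment would pin the intended scope: `# Every domain (incl. untrusted_app) traverses /sys/qemu_trace in the emulator; dir search is needed alongside the file rw_file_perms below.` The hunk header advertises five new-side lines but only four are legible here, so a blank context line was probably lost when the patch was flattened.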
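Review bot: The two added `get_prop` lines carry no comment recording that opengles_prop and radio_noril_prop are emulator-only properties or why system_server reads them; the denials quoted in the commit message show only open/read/getattr, so `get_prop` rather than `set_prop` is the correct minimal grant, but nothing in the file tells the next maintainer not to widen it. Judging by the type names these are the OpenGL ES emulation and no-RIL configuration properties, which the comment should say only if confirmed. Suggest `# Emulator-only: system_server reads (never sets) the OpenGL ES emulation and no-RIL properties; see Bug 28221393.`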