From 36a76ec098404241878a0a8026725187524737df Mon Sep 17 00:00:00 2001
From: Miroslav Tisma
Date: Thu, 10 Dec 2015 12:23:40 +0100
Subject: sepolicy: Fix 'avc denied' issues for the emulators

This commit fixes the avc denied issues in the emulators:
- goldfish_setup is granted for network access
- netd dontaudit for sys_module
- qemu_prop is granted domain for get_prop

Critical issue was that SELinux denied reading the lcd_density property by SurfaceFlinger via qemu_prop and this commit fixes it.

Change-Id: I633d96f4d2ee6659f18482a53e21f816abde2a5f
Signed-off-by: Miroslav Tisma
---
 target/board/generic/sepolicy/domain.te | 2 ++
 target/board/generic/sepolicy/goldfish_setup.te | 2 ++
 target/board/generic/sepolicy/netd.te | 1 +
 3 files changed, 5 insertions(+)
 create mode 100644 target/board/generic/sepolicy/netd.te

diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
index c28ca74f15..201fa8640c 100644
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@@ -1,3 +1,5 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
 allow domain qemu_device:chr_file rw_file_perms;
+
+get_prop(domain, qemu_prop)
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index b472d2aae7..bce196a7d2 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -13,6 +13,8 @@ allow goldfish_setup toolbox_exec:file rx_file_perms;
 allow goldfish_setup self:capability { net_admin net_raw };
 allow goldfish_setup self:udp_socket create_socket_perms;
 
+net_domain(goldfish_setup)
+
 # Set net.eth0.dns*, debug.sf.nobootanimation
 set_prop(goldfish_setup, system_prop)
 set_prop(goldfish_setup, debug_prop)
diff --git a/target/board/generic/sepolicy/netd.te b/target/board/generic/sepolicy/netd.te
new file mode 100644
index 0000000000..2b002ec9c6
--- /dev/null
+++ b/target/board/generic/sepolicy/netd.te
@@ -0,0 +1 @@
+dontaudit netd self:capability sys_module;
-- 
cgit v1.2.3
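Review bot: `get_prop(domain, qemu_prop)` in domain.te grants every domain on the emulator read access to qemu_prop, while the commit message names a single consumer, SurfaceFlinger reading lcd_density. A narrower grant keeps least privilege: put the rule on the domain that actually reads the property (e.g. `get_prop(surfaceflinger, qemu_prop)` in a per-domain .te file next to the new netd.te) rather than on `domain`, unless other domains are known to need it. The new line also sits under `# For /sys/qemu_trace files in the emulator.`, which no longer describes it; if the broad grant is intentional, precede it with `# All domains may read qemu_prop (emulator configuration such as lcd_density, read by SurfaceFlinger).` so the width of the grant is visibly deliberate.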
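Review bot: `net_domain(goldfish_setup)` in goldfish_setup.te is added without a comment, in a file where the neighbouring rules are explained (`# Set net.eth0.dns*, debug.sf.nobootanimation`), and it is the broadest rule in the hunk: a reader cannot tell which network operation of goldfish_setup was denied. Add a line such as `# Network access for goldfish_setup (TODO: record the denied operation this resolves)` above it, or carry the specific avc denial into the comment. net_domain() is expected to grant socket creation on its own, so the explicit `allow goldfish_setup self:udp_socket create_socket_perms;` two lines above likely becomes redundant — confirm against the net_domain definition in te_macros before dropping it.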
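Review bot: The new netd.te is a single `dontaudit` with no comment recording what makes netd request the sys_module capability on the emulator, so a later reader cannot tell whether the suppressed denial is benign or masks a missing grant. `dontaudit` only silences the log; the capability stays denied, which is the right outcome if the attempt is a harmless probe, but that reasoning should be written down: `# netd attempts CAP_SYS_MODULE on the emulator (TODO: record the triggering operation); the denial is harmless, so only the audit noise is suppressed.` Suppressed denials are the hardest policy rules to revisit later, so noting the emulator kernel or build it was observed on would also help.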