am 70479ab3: am 85c5fc21: Start confining ueventd

* commit '70479ab3':
  Start confining ueventd

domain.te

@@ -139,8 +139,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;
 
-# Only init and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -unconfineddomain } hw_random_device:chr_file *;
+# Only init, ueventd and system_server should be able to access HW RNG
+neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;

ueventd.te

@@ -3,5 +3,22 @@
 type ueventd, domain;
 permissive ueventd;
 tmpfs_domain(ueventd)
-unconfined_domain(ueventd)
+write_klog(ueventd)
+security_access_policy(ueventd)
+relabelto_domain(ueventd)
 allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file create_file_perms;
+allow ueventd device:chr_file rw_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs:file setattr;
+allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;