From 1c16abd34034fe92cd413d86cc87ee366f00d7bc Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 10 Nov 2014 12:15:33 -0500
Subject: [PATCH] Allow init to chown/chmod character devices.

init.rc files can potentially chown/chmod any character device, so
allow it for everything except for kmem (prohibited by neverallow).
While we could whitelist each of the device types, doing so would also
require device-specific changes for the device-specific types and
may be difficult to maintain.

Resolves (permissive) denials such as:
avc:  denied  { read } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { open } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { setattr } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { read } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { setattr } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init.te b/init.te
index 61ec44e34..b833da8c0 100644
--- a/init.te
+++ b/init.te
@@ -94,7 +94,7 @@ allow init dev_type:lnk_file create;
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:{ dir file } { open read setattr };
 
 # chown/chmod on devices.
-allow init qtaguid_device:chr_file { read open setattr };
+allow init { dev_type -kmem_device }:chr_file { read open setattr };
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
-- 
GitLab