From 2e8d71c3bec6cbe2baba0bbd4105e76737756339 Mon Sep 17 00:00:00 2001
From: James Hawkins <jhawkins@google.com>
Date: Mon, 25 Jan 2016 16:23:10 -0800
Subject: [PATCH] bootstat: Fix the SELinux policy after removing
 domain_deprecated.

* Allow reading /proc.

type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

* Define domain for the /system/bin/bootstat file.

init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.

Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804
---
 bootstat.te   | 3 +++
 file_contexts | 1 +
 2 files changed, 4 insertions(+)

diff --git a/bootstat.te b/bootstat.te
index 14b4eceba..44a8c91b8 100644
--- a/bootstat.te
+++ b/bootstat.te
@@ -7,3 +7,6 @@ init_daemon_domain(bootstat)
 # Allow persistent storage in /data/misc/bootstat.
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
+
+# Read access to pseudo filesystems (for /proc/uptime).
+r_dir_file(bootstat, proc)
\ No newline at end of file
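Review bot: `r_dir_file(bootstat, proc)` grants more than the quoted denial requires. The macro allows directory read/search plus read on every file and symlink labeled `proc`, while the audit line shows only `{ read }` on the `uptime` file. If traversal of /proc is already granted to the domain elsewhere (not visible in this hunk), `allow bootstat proc:file r_file_perms;` would cover the denial with a smaller grant. The comment could name the label instead of "pseudo filesystems", e.g. `# Read /proc/uptime (label proc).` The added last line also lacks a trailing newline, which is worth fixing in the same change.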
diff --git a/file_contexts b/file_contexts
index 78964cbf6..0a7565949 100644
--- a/file_contexts
+++ b/file_contexts
@@ -154,6 +154,7 @@
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat		u:object_r:bootstat_exec:s0
 /system/bin/app_process32	u:object_r:zygote_exec:s0
 /system/bin/app_process64	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
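Review bot: The new `/system/bin/bootstat` entry has no file-type field, so the label applies to any object type at that path, whereas the `sh` and `run-as` entries above use `--` to restrict the match to regular files. Writing it as `/system/bin/bootstat		--	u:object_r:bootstat_exec:s0` would keep the exec label on the regular file only. Neighbouring entries such as `bootanimation` also omit the field, so this is a consistency point rather than a defect.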
-- 
GitLab