From 403d8fee7b56118804965c5f367ad1c0d3111129 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 22 Dec 2014 15:22:16 -0800
Subject: [PATCH] Allow shell domain to use system_server_service.

Shell domain needs to be able to access system_server_services, e.g.
when running the pm command. Addresses the following denials:

10-07 00:59:26.901   178   178 E SELinux : avc:  denied  { find } for service=user scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
10-07 00:59:26.903   178   178 E SELinux : avc:  denied  { find } for service=package scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

Change-Id: I4cc2f31809a2615ba781e2ecfe2ca7d6f5226b73
---
 shell.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/shell.te b/shell.te
index 77b21bee0..00e991b56 100644
--- a/shell.te
+++ b/shell.te
@@ -44,6 +44,8 @@ allow shell ctl_dumpstate_prop:property_service set;
 allow shell debug_prop:property_service set;
 allow shell powerctl_prop:property_service set;
 
+allow shell system_server_service:service_manager find;
+
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
-- 
GitLab