From 48d68a6486093e03d4d4915980ac15ec67c8c07b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 9 Jun 2016 11:33:13 -0700
Subject: [PATCH] Allow kernel to read proc

Remove audit messaged.

Addresses:
avc:  granted  { read } for  pid=1 comm="init" name="cmdline" dev="proc" ino=4026535448 scontext=u:r:kernel:s0 tcontext=u:object_r:proc:s0 tclass=file
avc:  granted  { read open } for  pid=1 comm="init" path="/proc/cmdline" dev="proc" ino=4026535448 scontext=u:r:kernel:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 28760354
Change-Id: I48ea01b35c6d1b255995484984ec92203b6083be
---
 domain_deprecated.te | 4 ++--
 kernel.te            | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/domain_deprecated.te b/domain_deprecated.te
index 2501345e8..ac6583c2b 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -89,8 +89,8 @@ r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
 #auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
+auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
diff --git a/kernel.te b/kernel.te
index 2c2ca6da3..b134cd0f8 100644
--- a/kernel.te
+++ b/kernel.te
@@ -5,6 +5,7 @@ allow kernel self:capability sys_nice;
 
 # Root fs.
 r_dir_file(kernel, rootfs)
+r_dir_file(kernel, proc)
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;
-- 
GitLab