From 618efe8cd368f372f69dd369f99c309b9232cbed Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 5 May 2015 17:40:07 -0700
Subject: [PATCH] kernel: allow rebooting, and writing to /dev/__kmsg__

Addresses the following denials:

  avc:  denied  { write } for  pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
  avc:  denied  { write } for  pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
  avc:  denied  { sys_boot } for  pid=1 comm="init" capability=22  scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0

(cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f)

Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
---
 kernel.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/kernel.te b/kernel.te
index 72325c2f3..6747d1c4b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -24,6 +24,18 @@ dontaudit kernel self:security setenforce;
 # Write to /proc/1/oom_adj prior to switching to init domain.
 allow kernel self:capability sys_resource;
 
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/__kmsg__ which was created prior to
+# loading policy
+allow kernel tmpfs:chr_file write;
+
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;
-- 
GitLab