From 87c114788a1276a5c59fd0cf571840970ad1614f Mon Sep 17 00:00:00 2001
From: Mihai Serban <mihai.serban@intel.com>
Date: Mon, 25 Apr 2016 18:20:26 +0300
Subject: [PATCH] Allow ueventd to relabel block devices

There is a race in ueventd's coldboot procedure that permits creation of device block nodes before platform devices are registered. In this case the device node links used to compute the SELinux context are not known and the node is created under the generic context: u:object_r:block_device:s0. Ueventd has been patched to relabel the nodes on subsequent add events but it needs permissions to be allowed to do it.
BUG=28388946
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
(cherry picked from commit d41ad551189c1b7be26a1807980418858b2a132e)
Change-Id: I26838a3a9bc19b341e7176e5dc614827232014bf
---
 domain.te | 1 +
 ueventd.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 0f5590bc8..bed4e67f6 100644
--- a/domain.te
+++ b/domain.te
@@ -363,6 +363,7 @@ neverallow {
 -update_engine
 -vold
 -recovery
+ -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Only servicemanager should be able to register with binder as the context manager
diff --git a/ueventd.te b/ueventd.te
index fb7266319..3881445ee 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -23,7 +23,7 @@ allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
-- 
GitLab
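Review bot: Exempting ueventd from this neverallow at `+ -ueventd` lifts the assertion for every permission in the set (append, link, rename, write, open, read, ioctl, lock), although the accompanying ueventd.te change only needs relabelfrom on misc_block_device nodes; a later allow rule handing ueventd open/read/write on misc_block_device would no longer be caught at policy build time. Keeping ueventd inside the broad assertion and carving relabelfrom out into a second neverallow that exempts only ueventd preserves the original guarantee. The neverallow's domain list starts before the hunk, so the full set of existing exemptions is not visible here and the second assertion would need to repeat it.

```selinux
# … unchanged: head of the neverallow domain list (-update_engine -vold -recovery …) …
} misc_block_device:blk_file { append link rename write open read ioctl lock };

# ueventd may relabel misc block nodes created under the generic label during
# coldboot (BUG=28388946), but must still never open, read or write them.
neverallow {
  # … unchanged: same domain list as above …
  -recovery
  -ueventd
} misc_block_device:blk_file relabelfrom;
```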
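Review bot: The rewritten allow rule grants relabelfrom and relabelto on blk_file across the entire dev_type attribute with no comment recording why, so a later reader cannot tell this compensates for the coldboot race described in the commit message rather than being a general relabel privilege for ueventd. A one-line comment above the rule would capture the intent, e.g. `# relabel block nodes that coldboot created under the generic block_device label before their platform device was registered (BUG=28388946)`. relabelto over all of dev_type is wider than the race strictly requires, but it mirrors how the neighbouring chr_file and blk_file rules already use the attribute, so narrowing it is a separate decision.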