Merge "ueventd.te: auditallow device:chr_file"

am: 4868f377

Change-Id: I3c57e833dd736ac87718d9e95e0a02e3048de979

public/domain.te

@@ -299,8 +299,9 @@ neverallow { domain -kernel -init -recovery } block_device:blk_file { open read
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+# uevent historically was granted access, but this does not appear used.
+# Tightening candidate?
+neverallow { domain -init -ueventd } device:chr_file no_rw_file_perms;
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need

public/ueventd.te

@@ -7,7 +7,12 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
+
+# Read/write generically labeled /dev character device files.
+# TODO: this rule appears unnecessary. Delete?
 allow ueventd device:chr_file rw_file_perms;
+auditallow ueventd device:chr_file { read lock write ioctl open append };
+
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
 allow ueventd sysfs:file w_file_perms;