From 892d1e40ceb013a89e20bf9f9df2f724926ee1b5 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 3 Apr 2017 16:31:09 -0700
Subject: [PATCH] adbd/shell: grant access to sepolicy for cts

Test: make cts && \
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan
      Fails as expected.
Bug: 36002573

Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
---
 private/adbd.te | 2 ++
 public/shell.te | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/private/adbd.te b/private/adbd.te
index eb6ae3268..b402335a2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -103,6 +103,8 @@ allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
 allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
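Review bot: The two new adbd rules, `allow adbd property_contexts_file:file r_file_perms;` and `allow adbd sepolicy_file:file r_file_perms;`, carry no comment, while the parallel block this same patch adds to public/shell.te is introduced with `# read selinux policy files`. The commit message ties the grant to a CTS host test, but nothing in adbd.te records that, so a later audit of adbd's read surface cannot tell these reads are deliberate and test-driven rather than leftover; suggest prefixing the pair with `# read selinux policy files (pulled by CTS, b/36002573)`. The hunk header shows adbd already holds `kernel:security read_policy`, so granting the on-disk sepolicy_file read presumably adds little beyond what the kernel interface already exposes, but that reasoning is worth stating next to the rule.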
diff --git a/public/shell.te b/public/shell.te
index caf93ca63..7c3d8a119 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -147,6 +147,13 @@ allow shell proc:lnk_file getattr;
 #
 allow shell dev_type:blk_file getattr;
 
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
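Review bot: The new shell grants for `sepolicy_file` and the four `*_contexts_file` types land in public/shell.te, so they become part of the public policy, and the comment `# read selinux policy files` says what is granted but not why a domain reachable over adb needs it. Suggest expanding it to `# read selinux policy files (CTS SELinuxHostTest pulls them over adb, b/36002573)` so the grant is not mistaken for an unneeded widening later, and so the read-only scope (`r_file_perms`) is understood as intentional. If a neverallow already forbids shell from writing these types, a pointer to it here would make the read-only intent explicit; I cannot see one within the hunk.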
-- 
GitLab