From 965f2ff1b4804a91b3537a3799814dc54ed478f8 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 14 Jun 2012 12:33:38 -0400
Subject: [PATCH] Allow system_app to set MAC enforcing mode and read MAC
 denials.

---
 system.te | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/system.te b/system.te
index 97a395cdf..1457c79ac 100644
--- a/system.te
+++ b/system.te
@@ -27,17 +27,29 @@ unix_socket_connect(system_app, keystore, keystore)
 # Read SELinux enforcing status.
 selinux_getenforce(system_app)
 
-bool settings_manage_selinux true;
-if (settings_manage_selinux) {
-# Allow settings app to set SELinux to enforcing
+bool manage_selinux true;
+if (manage_selinux) {
+# Set SELinux enforcing status.
 selinux_setenforce(system_app)
 
-# Allow settings app to set SELinux booleans
+# Set SELinux booleans.
 selinux_setbool(system_app)
 
-# Allow settings app to read syslog to display AVC messages
+# Read syslog to display AVC messages.
 allow system_app kernel:system syslog_read;
+}
+
+bool manage_mac true;
+if (manage_mac) {
+# Set properties via the init property service.
+unix_socket_connect(system_app, property, init)
+
+# Set the persist.mac_enforcing_mode property.
+allow system_app system_prop:property_service set;
 
+# Run logcat and read the logs for MAC denials.
+allow system_app system_file:file x_file_perms;
+allow system_app log_device:chr_file read;
 }
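Review bot: The comments in the new manage_mac block understate what the rules grant: `allow system_app system_prop:property_service set;` permits setting every property labeled system_prop, not only persist.mac_enforcing_mode, and `allow system_app system_file:file x_file_perms;` permits executing any system_file-labeled file, not only logcat. Because `bool manage_mac true;` enables the block by default, the scope should be stated honestly or narrowed to a dedicated type where the policy defines one; e.g. replace `# Set the persist.mac_enforcing_mode property.` with `# Set properties of type system_prop (covers persist.mac_enforcing_mode and every other system_prop property; narrow with a dedicated type if available).` and change `# Run logcat and read the logs for MAC denials.` to note that x_file_perms here applies to all system_file files. The rename of settings_manage_selinux to manage_selinux also silently breaks anything that toggles the old boolean by name; the diffstat shows only system.te touched, so that is presumably intended but worth confirming.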
 
 #
-- 
GitLab