From a8281adf994623c6e1404d3102915a93eb0b70aa Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 9 Jun 2014 13:19:36 -0700
Subject: [PATCH] dumpstate: allow pstore access

Dumpstate reads from /sys/fs/pstore/console-ramoops when generating
a bug report. Allow it.

Addresses the following denials:
  <12>[ 2187.362750] type=1400 audit(1402346777.139:9): avc: denied { search } for pid=4155 comm="dumpstate" name="/" dev="pstore" ino=9954 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
  <12>[ 2187.363025] type=1400 audit(1402346777.139:10): avc: denied { getattr } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1
  <12>[ 2187.363185] type=1400 audit(1402346777.139:11): avc: denied { read } for pid=4155 comm="dumpstate" name="console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1
  <12>[ 2187.363321] type=1400 audit(1402346777.139:12): avc: denied { open } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1

Change-Id: Ia20b7a03ed8e0c61b023eea93415a50af82e1bbf
---
 dumpstate.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dumpstate.te b/dumpstate.te
index 4eb72382a..e4d6dc9e6 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -35,6 +35,10 @@ allow dumpstate system_data_file:file r_file_perms;
 allow dumpstate self:capability2 syslog;
 allow dumpstate kernel:system syslog_read;
 
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
 # Get process attributes
 allow dumpstate domain:process getattr;
 
-- 
GitLab