From aef68b779909fe85a0f98bf443851bb30eb8b236 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 19 Nov 2015 14:49:58 -0800
Subject: [PATCH] Move some perms back to domain

libselinux stats selinuxfs, as does every process that links against
libselinux, such as toolbox. Grant:
   allow domain selinuxfs:filesystem getattr;

domain is already granted:
   allow domain self:dir r_dir_perms;
   allow domain self:lnk_file r_file_perms;
   allow domain self:{ fifo_file file } rw_file_perms;
To make these possible, also grant:
   allow domain proc:dir search;

Change-Id: Ife6cfa2124c9d61bf908ac89a8444676acdb4259
---
 domain.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/domain.te b/domain.te
index 03528a38d..105072556 100644
--- a/domain.te
+++ b/domain.te
@@ -22,6 +22,7 @@ allow domain self:process {
     setrlimit
 };
 allow domain self:fd use;
+allow domain proc:dir search;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
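Review bot: The added `allow domain proc:dir search;` carries no comment, so its reason is recorded only in the commit message; a line such as `# /proc must be searchable to reach /proc/self, which the self: rules below cover` above it would keep the rationale next to the rule. Because the rule applies to every domain, the comment should also state that `search` grants only traversal of directories labelled `proc`, and that access to the entries underneath still depends on their own rules. The second hunk's header shows `allow domain proc:lnk_file read;` further down the file, so the domain-wide proc rules now sit in two places; grouping them would make the baseline easier to audit.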
@@ -96,6 +97,7 @@ allow domain proc:lnk_file read;
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
 
 ###
 ### neverallow rules
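Review bot: The new `allow domain selinuxfs:filesystem getattr;` sits after the unrelated `allow domain sysfs:dir search;`, detached from the comment and the `selinuxfs:file getattr` rule it belongs with. Moving it directly under `allow domain selinuxfs:file getattr;` and extending the comment, for example `# libselinux also queries the selinuxfs filesystem itself (filesystem getattr)`, would keep the justification beside the rule. The commit message names toolbox while the existing comment names toybox; since the permission is granted to all domains, the comment should say which callers it is meant for.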
-- 
GitLab