From b50db946ba1e76086eeb04e64aeb7bcb4d392350 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 3 Jan 2017 08:47:17 -0800
Subject: [PATCH] init.te: allow creating kernel audit entries

Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.

Test: "setprop asdf asdf" from the unprivileged adb shell user generated
an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1
---
 public/init.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/init.te b/public/init.te
index 54a975988..528c6b8f0 100644
--- a/public/init.te
+++ b/public/init.te
@@ -277,6 +277,12 @@ allow init property_data_file:file create_file_perms;
 # Set any property.
 allow init property_type:property_service set;
 
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:capability audit_write;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 # in addition to unpriv ioctls granted to all domains, init also needs:
-- 
GitLab
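Review bot: The comment above the two new `allow` lines describes the rule as narrower than it is: `nlmsg_relay` on `self:netlink_audit_socket` together with `CAP_AUDIT_WRITE` lets init relay any userspace audit record into the kernel audit log, not only the property-set denials the comment names, and a later reader may assume the grant is scoped to property_service. I would extend the comment with a line such as `# Note: this grants init the ability to relay any userspace audit message (CAP_AUDIT_WRITE + nlmsg_relay); property-set denials are the current use.` It is also worth recording in the comment why `create_socket_perms_no_ioctl` was chosen over the full socket permission set, since that choice keeps ioctl off the audit socket and a future edit should not widen it casually. The surrounding init domain rules continue outside this hunk.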