From d2703d21814c3f869fed97c74596bb4ba661806c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 24 Jun 2013 16:54:49 -0700
Subject: [PATCH] allow system server to control zygote spawned processes

System server needs to be able to tell Zygote to create processes
with differing ids, capabilities, and SELinux security information.
Allow it.

These rules are not in unconfined.te, and as a result, are not
automatically allowed by SELinux in enforcing mode.

Change-Id: I010eaa2b0e0cee5d995e08e6c785cc5e01b2c974
---
 system.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/system.te b/system.te
index fc76cd4fe..e638039a9 100644
--- a/system.te
+++ b/system.te
@@ -9,3 +9,4 @@ unconfined_domain(system);
 
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
+allow system self:zygote { specifyids specifyrlimits specifyseinfo };
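Review bot: The permission set on the added `allow system self:zygote { specifyids specifyrlimits specifyseinfo };` line does not match the commit message, which lists ids, capabilities, and SELinux security information. The rule grants `specifyrlimits`, which the message never mentions, and grants nothing capability-related. Either add the capability permission of the `zygote` class if system server really needs it, or reword the message to say rlimits, so that the grant and its stated justification agree. The new rule also sits directly under the `# Create a socket for receiving info from wpa.` comment with no separator, so it reads as part of the wpa socket block. A blank line and a one-line comment of its own (for example, that it lets system server specify ids, rlimits and seinfo for zygote-spawned processes) would keep the policy auditable.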
-- 
GitLab