From fcd86911d7102b049bd3c2208a133b310827cf66 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 6 Feb 2015 13:29:25 -0800
Subject: [PATCH] allow init fs_type:dir search

We allow chmod/chown of files / directories by init, but don't allow
init to search into subdirectories. Feels wrong.

Addresses the following denial:

  avc:  denied  { search } for  pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1

which results from the following init.rc statements:

  # pstore/ramoops previous console log
  mount pstore pstore /sys/fs/pstore
  chown system log /sys/fs/pstore/console-ramoops
  chmod 0440 /sys/fs/pstore/console-ramoops
  chown system log /sys/fs/pstore/pmsg-ramoops-0
  chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

Bug: 19050686
Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
---
 init.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/init.te b/init.te
index 634272131..1283ec709 100644
--- a/init.te
+++ b/init.te
@@ -91,7 +91,8 @@ allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
 # chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:{ dir file } { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 # chown/chmod on devices.
 allow init { dev_type -kmem_device }:chr_file { read open setattr };
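Review bot: The comment above the split rule, `# chown/chmod on pseudo files.`, no longer describes the second line, which now grants `search` as well; I would extend it to `# chown/chmod on pseudo files (dir search needed to reach them, e.g. /sys/fs/pstore).` so the reason for the extra permission is visible next to the rule. Note that the new `:dir` rule grants `search` on every type in `fs_type` except the three excluded ones, not only on `pstorefs` named in the denial; if that breadth is intended as a deliberate parallel to the existing file rule it is worth saying so in the comment, since a reader of the policy alone cannot tell. The double space in `:dir  {` looks like alignment padding and is harmless to the policy compiler, but it is inconsistent with the `:file {` line directly above.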
-- 
GitLab