From 0f7641d83d7044431db44d4dd2377e6f8ef93e85 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 3 May 2013 13:56:30 -0400
Subject: [PATCH] Label all files under /sys/qemu_trace with sysfs_writable.

Otherwise we have different security contexts but the same DAC
permissions:
-rw-rw-rw- root     root              u:object_r:sysfs_writable:s0 process_name
-rw-rw-rw- root     root              u:object_r:sysfs:s0 state
-rw-rw-rw- root     root              u:object_r:sysfs:s0 symbol

This change fixes denials such as:
type=1400 msg=audit(1379096020.770:144): avc:  denied  { write } for  pid=85 comm="SurfaceFlinger" name="symbol" dev="sysfs" ino=47 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I261c7751da3778ee9241ec6b5476e8d9f96ba5ed
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/file_contexts b/file_contexts
index 81b9da976..a70ab83b6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -208,7 +208,7 @@
 #############################
 # sysfs files
 #
-/sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
+/sys/qemu_trace(/.*)?	--	u:object_r:sysfs_writable:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 /sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
 /sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
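
Review bot: On the added line `/sys/qemu_trace(/.*)?	--	u:object_r:sysfs_writable:s0`, the `--` file-type field limits the match to regular files, so the optional group `(/.*)?`, which would otherwise let the pattern match the `/sys/qemu_trace` directory itself, has no effect. Either write the pattern as `/sys/qemu_trace/.*` or drop `--` if the directory is meant to be relabeled as well. The wildcard also assigns `sysfs_writable` to any file that later appears under this directory, not only the `process_name`, `state` and `symbol` entries shown in the commit message. If only those three need the label, listing them explicitly keeps the writable set from widening silently. If the whole tree is intended, a one-line comment above the entry saying so would document that choice.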
-- 
GitLab