From 45517a7547de0a9f0c13b5907c243456ec61bf04 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 25 Jan 2016 10:15:01 -0800
Subject: [PATCH] domain: allow dir search in selinuxfs

Domain is already allowed to stat selinuxfs; it also needs
dir search.

Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07
---
 domain.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/domain.te b/domain.te
index c5296c4f2..60025fd50 100644
--- a/domain.te
+++ b/domain.te
@@ -117,6 +117,7 @@ allow domain proc:lnk_file read;
 allow domain proc_cpuinfo:file r_file_perms;
 
 # toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
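Review bot: The comment above the new `allow domain selinuxfs:dir search;` rule still mentions only toybox and stat, while the denial quoted in the commit message is for watchdogd and for `search` on the selinuxfs root directory, so the comment no longer explains why this rule exists. Because the rule is attached to `domain`, every domain receives it, not only the one in the denial. `search` permits path traversal only, with no `read` or `open` on the directory, which looks consistent with the domain-wide `selinuxfs:file getattr` next to it, but the breadth is worth stating for the next least-privilege audit. I would reword the comment to something like `# libselinux users (toybox, and apparently watchdogd) stat /sys/fs/selinux/: needs dir search plus file getattr`.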
-- 
GitLab