From 509923116f103c8938efe992ab4b4b42fe4c90aa Mon Sep 17 00:00:00 2001 From: Stephen Smalley <sds@tycho.nsa.gov> Date: Mon, 10 Jul 2017 14:45:15 -0400 Subject: [PATCH] sepolicy: Define validate_trans permission Kernel commit f9df6458218f4fe ("selinux: export validatetrans decisions") introduced a /sys/fs/selinux/validatetrans pseudo file for use by userspace file system servers and defined a new validatetrans permission to control its use. Define the new permission in the Android SELinux policy. This change only defines the new permission; it does not allow it to any domains by default. This avoids a kernel message warning about the undefined permission on the policy load, ala: SELinux: Permission validate_trans in class security not defined in policy. Test: Policy builds Change-Id: Ib922a83b7d8f94905207663a72f7a1bc3db8d2c2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- private/access_vectors | 1 + 1 file changed, 1 insertion(+) diff --git a/private/access_vectors b/private/access_vectors index e45d0b2af..12ad15f62 100644 --- a/private/access_vectors +++ b/private/access_vectors @@ -369,6 +369,7 @@ class security setsecparam setcheckreqprot read_policy + validate_trans } -- GitLab
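Review bot: the new validate_trans entry, appended after read_policy at the end of class security, is covered only by "Test: Policy builds", which does not show that the stated goal is met. The commit message says the purpose is to silence the kernel's "Permission validate_trans in class security not defined in policy" warning, so please also record a policy load on a kernel that carries f9df6458218f4fe and confirm the warning no longer appears. The message also calls the permission "validatetrans" in one place and "validate_trans" in the subject and the hunk; using validate_trans throughout for the permission, and keeping validatetrans only for the /sys/fs/selinux/validatetrans file, would avoid confusion. Since the change intentionally grants the permission to no domain, consider stating in the message whether a follow-up neverallow is planned to keep it that way.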