From 6c4c27e626341a3676631ce687d006e85e0710b7 Mon Sep 17 00:00:00 2001
From: William Roberts <w.roberts@sta.samsung.com>
Date: Thu, 4 Apr 2013 13:17:36 -0700
Subject: [PATCH] Give domains read access to security_file domain.

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
---
 debuggerd.te | 2 +-
 installd.te  | 4 ++--
 runas.te     | 3 ++-
 system.te    | 4 ++--
 te_macros    | 4 +---
 ueventd.te   | 2 +-
 vold.te      | 2 +-
 zygote.te    | 4 ++--
 8 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/debuggerd.te b/debuggerd.te
index a0041e6f5..aca499b9b 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
-allow debuggerd rootfs:file r_file_perms;
+security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
 allow debuggerd tombstone_data_file:dir relabelto;
diff --git a/installd.te b/installd.te
index 553127c00..428e3790d 100644
--- a/installd.te
+++ b/installd.te
@@ -18,8 +18,8 @@ allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts, presently on the rootfs.
-allow installd rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
 # ASEC
 allow installd platform_app_data_file:lnk_file { create setattr };
 allow installd app_data_file:lnk_file { create setattr };
diff --git a/runas.te b/runas.te
index 60b086d49..8bb2d03f5 100644
--- a/runas.te
+++ b/runas.te
@@ -34,7 +34,8 @@ allow runas app_data_file:dir { getattr search };
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-allow runas rootfs:file r_file_perms; # read /seapp_contexts
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas untrusted_app:process dyntransition; # setcon
 
diff --git a/system.te b/system.te
index 650a7472e..17df64a2b 100644
--- a/system.te
+++ b/system.te
@@ -147,8 +147,8 @@ allow system tun_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
-# Read /file_contexts.
-allow system rootfs:file r_file_perms;
+# Read /file_contexts and /data/security/file_contexts
+security_access_policy(system)
 
 # Relabel apk files.
 allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
diff --git a/te_macros b/te_macros
index bda87d466..86a3a5be4 100644
--- a/te_macros
+++ b/te_macros
@@ -236,8 +236,6 @@ allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
 allow $1 rootfs:file r_file_perms;
-allow $1 system_file:dir r_dir_perms;
-allow $1 system_file:file r_file_perms;
 ')
 
 #####################################
@@ -285,4 +283,4 @@ allow $1 system_file:file x_file_perms;
 # man 2 klogctl
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
-')
\ No newline at end of file
+')
diff --git a/ueventd.te b/ueventd.te
index f765cc565..9023173d8 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-allow ueventd rootfs:file r_file_perms;
+security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
diff --git a/vold.te b/vold.te
index 8ffc404d4..71067c469 100644
--- a/vold.te
+++ b/vold.te
@@ -60,6 +60,6 @@ allow vold vold_prop:property_service set;
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-allow vold rootfs:file r_file_perms;
+security_access_policy(vold)
 allow vold asec_apk_file:dir { rw_dir_perms setattr };
 allow vold asec_apk_file:file { r_file_perms setattr };
diff --git a/zygote.te b/zygote.te
index 33e8fe80a..7cf20b739 100644
--- a/zygote.te
+++ b/zygote.te
@@ -28,8 +28,8 @@ allow zygote self:capability sys_admin;
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts, presently on the rootfs.
-allow zygote rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
 
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;
-- 
GitLab