From 782e084dc249ec96a4659c523ffc6a53ee46abb1 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 14 May 2014 14:26:04 -0400
Subject: [PATCH] Allow system_server to read tombstones.

Address denials such as:
 avc:  denied  { read } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { open } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { getattr } for  path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { read } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { open } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 system_server.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/system_server.te b/system_server.te
index 66db7f8b4..e6fe653e0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -211,6 +211,10 @@ allow system_server radio_data_file:file create_file_perms;
 allow system_server systemkeys_data_file:dir create_dir_perms;
 allow system_server systemkeys_data_file:file create_file_perms;
 
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
 # Manage /data/misc/vpn.
 allow system_server vpn_data_file:dir create_dir_perms;
 allow system_server vpn_data_file:file create_file_perms;
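Review bot: The comment on the added block, `# Access /data/tombstones.`, does not say that the grant is read-only, whereas the neighbouring "Manage ..." blocks use `create_dir_perms`/`create_file_perms`. Tombstones are crash dumps of other processes (register state, stack contents, memory maps), so the policy should state the limit itself, for example `# Read-only access to crash dumps in /data/tombstones; no create/write/unlink.` The commit message lists the denials but not which system_server component reads these files, and naming that consumer in the comment would help later audits. As far as I recall, `r_dir_perms` and `r_file_perms` also cover a little more than the logged denials (such as `search` on the directory and `ioctl`), which is likely acceptable but worth confirming against the macro definitions.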
-- 
GitLab