From 8bdb1dab56f728f678d479eb9dcf4241c3dfa413 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Tue, 24 Oct 2017 13:17:46 -0700
Subject: [PATCH] Add label for /proc/sys/vm/page-cluster

Test: boot sailfish with no audit when writing to page-cluster
Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8
---
 private/compat/26.0/26.0.cil | 1 +
 private/genfs_contexts       | 1 +
 public/file.te               | 1 +
 public/init.te               | 3 +++
 4 files changed, 6 insertions(+)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 86282d508..4ebb66ee6 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -455,6 +455,7 @@
     proc_kmsg
     proc_loadavg
     proc_mounts
+    proc_page_cluster
     proc_pagetypeinfo
     proc_random
     proc_swaps
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 124da42a3..a6de59a6d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -40,6 +40,7 @@ genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
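Review bot: The added `genfscon proc /sys/vm/page-cluster` line moves the node off whatever label it had before (presumably the generic `proc` type), so every domain that reached it only through its generic proc rules loses access, and this patch grants the new type to init alone. The Test: line covers a single sailfish boot, so it is worth checking audit logs on other targets for denials on `proc_page_cluster` before relying on this. The 26.0 compat entry appears to preserve access for vendor policy built against that version, but that does not cover platform domains. A short comment above the entry, e.g. `# Swap readahead tunable; only init is expected to write it`, would record why the node has its own type.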
diff --git a/public/file.te b/public/file.te
index 66ec285f4..cd0a4524f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -26,6 +26,7 @@ type proc_misc, fs_type;
 type proc_modules, fs_type;
 type proc_mounts, fs_type;
 type proc_net, fs_type;
+type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
 type proc_random, fs_type;
diff --git a/public/init.te b/public/init.te
index db2ce433d..2d55aba16 100644
--- a/public/init.te
+++ b/public/init.te
@@ -277,6 +277,9 @@ allow init proc_version:file r_file_perms;
 # Read /proc/cmdline
 allow init proc_cmdline:file r_file_perms;
 
+# Write to /proc/sys/vm/page-cluster
+allow init proc_page_cluster:file w_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
 
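Review bot: Nothing in the patch prevents a later rule from giving another domain write access to `proc_page_cluster`, which is the property a dedicated type is meant to protect. If init is intended to be the only writer, a build-time guard such as `neverallow { domain -init } proc_page_cluster:file w_file_perms;` would enforce it; whether that fits depends on vendor policy that is not visible here. The allow rule grants `w_file_perms` without read, so any read of the node by init would be denied, which is fine if init only writes it, as the Test: line suggests. The added comment restates the rule; it would help more if it said why init writes the node (for example, which init script sets it).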
-- 
GitLab