From 98e99fb49fa59b3b9ed9a762082f73b6b0d70bcc Mon Sep 17 00:00:00 2001
From: Jin Qian <jinqian@google.com>
Date: Mon, 30 Oct 2017 11:44:42 -0700
Subject: [PATCH] Allow dumpstate to access netlink_generic_socket

avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0
avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0

Bug: 68040531
Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c
---
 public/dumpstate.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/public/dumpstate.te b/public/dumpstate.te
index a814f16ba..f8ef840c8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -263,6 +263,8 @@ allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_re
 
 # Allow dumpstate to run iotop
 allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 
 ###
 ### neverallow rules
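Review bot: The comment added above the `netlink_generic_socket` rule says only that newer kernels have "a new class for sockets", so a later policy audit cannot tell why dumpstate needs it or why the older `netlink_socket` rule is kept. Going by the `comm="iotop"` denial in the commit message, something like `# iotop's generic netlink socket is labelled netlink_generic_socket on newer kernels (e.g. 4.4); the netlink_socket rule above presumably stays for older kernels` would record the reason. The logged denials show only `create`, while `create_socket_perms_no_ioctl` grants the whole non-ioctl socket permission set. That matches the neighbouring rule, but the description should say the wider grant is intentional. As far as I know this class does not distinguish one generic netlink family from another, so the rule likely covers more than the interface iotop uses; a short comment noting that would help anyone reviewing dumpstate's reach.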
-- 
GitLab