From bc2b76b06bc34d1f02e1a9d1a8a6a22bc3da5f04 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 27 Jan 2016 19:15:41 -0800
Subject: [PATCH] kernel: grant perms from domain_deprecated

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1

Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
---
 kernel.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kernel.te b/kernel.te
index 05838afd7..67edc10e5 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,6 +3,15 @@ type kernel, domain, domain_deprecated, mlstrustedsubject;
 
 allow kernel self:capability sys_nice;
 
+# Root fs.
+allow kernel rootfs:dir r_dir_perms;
+allow kernel rootfs:file r_file_perms;
+allow kernel rootfs:lnk_file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
-- 
GitLab