From beb279c7ea23abc77641e891a76e9bceb6f38883 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 20 Oct 2014 11:52:19 -0700
Subject: [PATCH] allow init swapon()

swapon(2) requires write access to the underlying block device.
Allow it.

Addresses the following denial:

   avc:  denied  { write } for  pid=1 comm="init" name="zram0" dev="tmpfs" ino=6267 scontext=u:r:init:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0

Change-Id: Id1a4f51038d0b6ce7351294698a0ff146d6e4643
---
 init.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/init.te b/init.te
index a6fadbd57..d12cc230c 100644
--- a/init.te
+++ b/init.te
@@ -102,6 +102,10 @@ allow init self:udp_socket { create ioctl };
 # set scheduling parameters for a kernel domain task.
 allow init kernel:process setsched;
 
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
 ###
 ### neverallow rules
 ###
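Review bot: The added rule `allow init swap_block_device:blk_file rw_file_perms;` grants the whole read/write macro, while the denial quoted in the commit message is for `write` only. If init already gets open and read access to this device from another rule (none is visible in this hunk), the grant could be narrowed to the missing permission, for example `allow init swap_block_device:blk_file w_file_perms;`. If the full set is intended because swapon() opens the device read-write, the comment should say so, e.g. `# swapon() opens the swap device O_RDWR, so init needs both read and write`. Since this gives init raw write access to a block device, it would also help to note in the comment that only swap devices may carry the `swap_block_device` label in file_contexts.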
-- 
GitLab