From e4682a63ab87f79130b4f914b79be0867e0d669d Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 27 Jun 2012 08:53:39 -0400
Subject: [PATCH] Allow apps to write to /proc/net/xt_qtaguid/ctrl.

---
 app.te    | 3 +++
 file.te   | 1 +
 ocontexts | 1 +
 3 files changed, 5 insertions(+)

diff --git a/app.te b/app.te
index 7e06c102f..ed76ccf82 100644
--- a/app.te
+++ b/app.te
@@ -103,6 +103,9 @@ allow appdomain wallpaper_file:file { read write };
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid:file write;
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.
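Review bot: The new rule `allow appdomain qtaguid:file write;` grants `write` without `open`, while the `anr_data_file` rule two lines above it lists `open` explicitly. If this policy enforces the open permission and apps open the ctrl file themselves rather than receiving an already-open descriptor, the access would be denied at open time. In that case the rule would need to be `allow appdomain qtaguid:file { open write };`. The comment could also say why every app domain needs this access, since the grant covers all of `appdomain` rather than a single domain.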
diff --git a/file.te b/file.te
index eb4c79211..f18eb23ba 100644
--- a/file.te
+++ b/file.te
@@ -4,6 +4,7 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
+type qtaguid, fs_type, mlstrustedobject;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
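Review bot: The `mlstrustedobject` attribute on the new `qtaguid` type has no comment, and it is the security-relevant part of this line. It presumably exempts the file from the MLS constraints, as for `cgroup` and `sysfs` below, so app domains at any level can write to the same ctrl file. A comment such as `# /proc/net/xt_qtaguid/ctrl; MLS-trusted because apps at every level write to it.` would record that this is deliberate. It is also worth confirming that the kernel side applies its own per-caller checks to what is written, since the policy no longer separates writers by level for this object.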
diff --git a/ocontexts b/ocontexts
index ddd57b63c..7cbb98975 100644
--- a/ocontexts
+++ b/ocontexts
@@ -51,6 +51,7 @@ fs_use_trans mqueue u:object_r:mqueue:s0;
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-- 
GitLab