From f3b5bd64155aee7b13d97d08e77b317b4ebe6328 Mon Sep 17 00:00:00 2001
From: Jerry Zhang <zhangjerry@google.com>
Date: Wed, 12 Apr 2017 16:50:25 -0700
Subject: [PATCH] Add configfs file permissions to init.

These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.

Addresses denial:

init    : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0

Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215
---
 public/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/init.te b/public/init.te
index b36a00201..f81f85e3c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -85,6 +85,7 @@ allow init cpuctl_device:dir { create mounton };
 # /config
 allow init configfs:dir mounton;
 allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
 
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
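Review bot: The new rule `allow init configfs:{ file lnk_file } create_file_perms;` grants more than the denial quoted in the commit message, which shows only `unlink` on a `lnk_file`. `create_file_perms` also covers create, rename, setattr and read/write, and the rule applies to both classes on everything labelled `configfs`, not only the USB gadget tree. If init.usb.configfs.rc only writes attributes and creates or removes function symlinks (not verifiable from this hunk), a narrower pair would keep init closer to least privilege: `allow init configfs:lnk_file { create unlink };` and `allow init configfs:file w_file_perms;`. Whichever form is kept, a comment above the rule would record why it exists, for example `# init.usb.configfs.rc writes gadget attributes and (un)links functions under /config`.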
-- 
GitLab