From f6bf7ef70c08c176189a85292547f49013f9890e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 18 Dec 2013 14:53:27 -0800
Subject: [PATCH] Allow dumpstate to use ping.

Addresses the following denials:

<5>[  695.383994] type=1400 audit(1387403898.292:55): avc:  denied  { execute } for  pid=5187 comm="dumpstate" name="ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.384727] type=1400 audit(1387403898.292:56): avc:  denied  { read open } for  pid=5187 comm="dumpstate" name="ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.385418] type=1400 audit(1387403898.292:57): avc:  denied  { execute_no_trans } for  pid=5187 comm="dumpstate" path="/system/bin/ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.391978] type=1400 audit(1387403898.302:58): avc:  denied  { create } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.393193] type=1400 audit(1387403898.302:59): avc:  denied  { setopt } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.393753] type=1400 audit(1387403898.302:60): avc:  denied  { getopt } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.394886] type=1400 audit(1387403898.302:61): avc:  denied  { write } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.400693] type=1400 audit(1387403898.312:62): avc:  denied  { read } for  pid=5187 comm="ping" lport=4 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket

Change-Id: If9a790725ec0ba1ca6cb5c9a8ed85288580940e8
---
 ping.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ping.te b/ping.te
index 65612f6d9..a53f05756 100644
--- a/ping.te
+++ b/ping.te
@@ -1,6 +1,7 @@
 type ping, domain;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
+domain_auto_trans(dumpstate, ping_exec, ping)
 
 allow ping self:capability net_raw;
 allow ping self:rawip_socket create_socket_perms;
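Review bot: The added `domain_auto_trans(dumpstate, ping_exec, ping)` line has no comment recording why dumpstate runs ping, or why a transition was chosen over granting dumpstate raw sockets directly. The rawip_socket denials quoted in the commit message have scontext dumpstate. After the transition they should be covered by the existing `allow ping self:capability net_raw;` and `allow ping self:rawip_socket create_socket_perms;` rules, so dumpstate itself gains no network permission. I would add `# dumpstate execs ping while collecting a report; transition so raw socket access stays confined to the ping domain.` above the new line. The rest of ping.te lies outside this hunk.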
@@ -10,3 +11,6 @@ allow ping dnsproxyd_socket:sock_file write;
 allow ping netd:unix_stream_socket connectto;
 allow ping devpts:chr_file rw_file_perms;
 allow ping shell:fd use;
+
+allow ping dumpstate:fd use;
+allow ping dumpstate:unix_stream_socket { read write };
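Review bot: The two new `allow ping dumpstate:...` rules are not backed by any denial quoted in the commit message, so the reason for `unix_stream_socket { read write }` is undocumented. All the quoted denials have scontext dumpstate, meaning they were logged before the transition existed. Presumably ping inherits dumpstate's output descriptors across the exec, mirroring `allow ping shell:fd use;` just above. If so, a comment such as `# ping reads/writes descriptors inherited from dumpstate across the domain transition.` would make that explicit. It is also worth checking audit logs taken with this patch applied, to confirm that no other inherited descriptor class is denied and that `{ read write }` is the minimum needed.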
-- 
GitLab