Merge "Fix selinux denials during bugreport" into oc-mr1-dev

commit: 17533144b86a2288a631f798466d820aca78dbd6 [log] [tgz]
author: TreeHugger Robot <treehugger-gerrit@google.com> Fri Jul 28 19:11:07 2017 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Fri Jul 28 19:11:07 2017 +0000
tree: 8ad1b8996619a30484bd72143369979b4bf41198
parent: e1be4a8ca0a4afb172dd0689367a5d369e859ff0 [diff]
parent: 6763d28e86894de3115a682ae39767b4c4c3c887 [diff]
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 6e826a3..f6d6a0a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -220,6 +220,20 @@
 # read default labeled files in /sys
 r_dir_file(dumpstate, sysfs)
 
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+# Allow dumpstate to read backlight details
+allow dumpstate sysfs_leds:lnk_file r_file_perms;
+allow dumpstate sysfs_leds:file r_file_perms;
+allow dumpstate sysfs_leds:dir search;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
 ###
 ### neverallow rules
 ###
commit	17533144b86a2288a631f798466d820aca78dbd6	[log] [tgz]
author	TreeHugger Robot <treehugger-gerrit@google.com>	Fri Jul 28 19:11:07 2017 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Fri Jul 28 19:11:07 2017 +0000
tree	8ad1b8996619a30484bd72143369979b4bf41198
parent	e1be4a8ca0a4afb172dd0689367a5d369e859ff0 [diff]
parent	6763d28e86894de3115a682ae39767b4c4c3c887 [diff]