Update netlink_audit_socket for nlmsg xperm
Translate the netlink_audit_socket rules for the new extended permission.
This policy is updated to support kernels with or without the new nlmsg
permission.
Test: Boot and validate that:
- auditd (via logd) is set as the audit daemon.
- auditctl is able to set the log rate.
- init is able to forward logs related to libselinux.
Bug: 353255679
Change-Id: Ib7bb1c9e729f4248e333cb32b4d11f8b54ffcc07
diff --git a/private/init.te b/private/init.te
index 15f79e3..cdcf0b9 100644
--- a/private/init.te
+++ b/private/init.te
@@ -706,7 +706,14 @@
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:netlink_audit_socket create_socket_perms_no_ioctl;
+
+# For kernel < 6.13
+allow init self:netlink_audit_socket nlmsg_relay;
+# For kernel >= 6.13
+allow init self:netlink_audit_socket nlmsg;
+allowxperm init self:netlink_audit_socket nlmsg AUDIT_USER_AVC;
+
allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface