kernel: allow rebooting, and writing to /dev/__kmsg__
Addresses the following denials:
avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0
(cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f)
Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
diff --git a/kernel.te b/kernel.te
index 72325c2..6747d1c 100644
--- a/kernel.te
+++ b/kernel.te
@@ -24,6 +24,18 @@
# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:capability sys_resource;
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/__kmsg__ which was created prior to
+# loading policy
+allow kernel tmpfs:chr_file write;
+
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;