Allow reading of the properties area, which is now created before init has switched contexts. Revisit this later: the properties file should be explicitly labeled rather than falling back to the generic tmpfs type.
diff --git a/adbd.te b/adbd.te
index 3a0aa3b..4d1e655 100644
--- a/adbd.te
+++ b/adbd.te
@@ -23,6 +23,10 @@
# Talk to init via the property socket.
unix_socket_connect(adbd, property, init)
+# Read properties.
+allow adbd kernel:fd use;
+allow adbd tmpfs:file read;
+
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
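Review bot: `allow adbd tmpfs:file read;` grants read on every file carrying the generic `tmpfs` type, not only the properties area; until the properties file gets its own label (as the commit message itself proposes), any other tmpfs-backed file that is left unlabeled becomes readable by adbd, which is directly reachable over USB. Likewise `allow adbd kernel:fd use;` permits using any descriptor created while the creator was still in the `kernel` domain, which is presumably wider than the one properties fd that is actually inherited. I would mark both rules as provisional at the point of grant, e.g. `# TODO: narrow to a dedicated properties type once the file is labeled.` If adbd.te already invokes `init_daemon_domain(adbd)` (not visible in this hunk), the te_macros change makes these two lines redundant and they can be dropped.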
diff --git a/shell.te b/shell.te
index e7e3b35..a66eaf4 100644
--- a/shell.te
+++ b/shell.te
@@ -13,6 +13,10 @@
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
+# Read properties.
+allow shell kernel:fd use;
+allow shell tmpfs:file read;
+
r_dir_file(shell, apk_data_file)
allow shell dalvikcache_data_file:file write;
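Review bot: The same two rules are now hand-copied into shell.te, adbd.te, ueventd.te and init_daemon_domain, so the narrowing the commit message promises will have to be repeated in four files and one copy will inevitably be missed. A small macro in te_macros would keep them in one place and make the property-read intent explicit at each use site; the shell rules would then collapse to `read_properties(shell)`. This matters most for `shell`, which is the interactive domain an adb user lands in, so a too-broad `tmpfs:file read` here is the easiest of the four to reach.
```c
# Read the properties area through the fd inherited from init.
# TODO: replace tmpfs with a dedicated properties type once the file is labeled.
define(`read_properties', `
allow $1 kernel:fd use;
allow $1 tmpfs:file read;
')
```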
diff --git a/te_macros b/te_macros
index 545ba4e..4afc777 100644
--- a/te_macros
+++ b/te_macros
@@ -97,6 +97,9 @@
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
+# Read properties.
+allow $1 kernel:fd use;
+allow $1 tmpfs:file read;
')
#####################################
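Review bot: Placing `allow $1 tmpfs:file read;` inside `init_daemon_domain` extends the generic-tmpfs read grant to every daemon declared through this macro, which is the widest blast radius of the four copies in this commit, and nothing in the macro records that it is meant to be temporary. The comment should say so where the grant is made, e.g. `# Read properties via the fd inherited from init (opened in the kernel domain). TODO: label the properties file and narrow this from tmpfs.` Note also that only `read` is granted, not `open`, so this works only because the descriptor is inherited; a daemon that re-opens the properties file itself would still be denied, which is presumably intended but worth stating. The hunk ends just past the closing `')`, so any other rules the macro contains are outside my view.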
diff --git a/ueventd.te b/ueventd.te
index 34e07fd..89dd9ee 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -6,7 +6,6 @@
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid };
-allow ueventd kernel:fd use;
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
@@ -17,3 +16,6 @@
allow ueventd dev_type:chr_file { create setattr unlink };
allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket *;
+# Read properties.
+allow ueventd kernel:fd use;
+allow ueventd tmpfs:file read;
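Review bot: ueventd gets its own copy of the two rules rather than going through `init_daemon_domain`, and the reason is not stated; from the earlier hunk (`allow ueventd rootfs:file entrypoint;`) it appears ueventd is entered via rootfs rather than a `ueventd_exec` type, so the macro's `domain_auto_trans(init, $1_exec, $1)` would not apply, but that is an inference. A one-line comment would stop the next reader from "deduplicating" it into the macro, e.g. `# Same as init_daemon_domain; ueventd enters via rootfs, so it cannot use that macro.` The move of `allow ueventd kernel:fd use;` out of the capability block into this one is otherwise just regrouping.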