init.te: Allow init to modify the properties of loop devices
The init process configures swapping over zram over a loop device. An
I/O scheduler is associated with the loop device. Tests have shown that
no I/O scheduler works better than the default, mq-deadline. Hence
allow the init process to configure the loop device I/O scheduler.
Without this patch, the following SELinux denials are reported during
boot:
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
Bug: 194450129
Test: Built Android images and installed these on an Android device.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Change-Id: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
diff --git a/private/init.te b/private/init.te
index 99afd84..b7b3f38 100644
--- a/private/init.te
+++ b/private/init.te
@@ -38,6 +38,10 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;