Allow dumpstate to access netlink_generic_socket avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 Bug: 68040531 Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c

commit: 98e99fb49fa59b3b9ed9a762082f73b6b0d70bcc [log] [tgz]
author: Jin Qian <jinqian@google.com> Mon Oct 30 11:44:42 2017 -0700
committer: Nick Kralevich <nnk@google.com> Mon Oct 30 18:59:23 2017 +0000
tree: 840bb8e81329b580b345215dbe0eba0c574ff7a6
parent: 61dc5fb26c1687c24321742d8fa53b2c391729bb [diff]
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a814f16..f8ef840 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -263,6 +263,8 @@
 
 # Allow dumpstate to run iotop
 allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 
 ###
 ### neverallow rules
commit	98e99fb49fa59b3b9ed9a762082f73b6b0d70bcc	[log] [tgz]
author	Jin Qian <jinqian@google.com>	Mon Oct 30 11:44:42 2017 -0700
committer	Nick Kralevich <nnk@google.com>	Mon Oct 30 18:59:23 2017 +0000
tree	840bb8e81329b580b345215dbe0eba0c574ff7a6
parent	61dc5fb26c1687c24321742d8fa53b2c391729bb [diff]