Change the type on /dev/uinput to match /dev/uhid.

/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*. bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former. This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).

Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/bluetooth.te b/bluetooth.te
index 32ee842..a6e0c4e 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -11,7 +11,7 @@
r_dir_file(bluetooth, bluetooth_efs_file)
# Device accesses.
-allow bluetooth { tun_device uhid_device hci_attach_dev input_device }:chr_file rw_file_perms;
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
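Review bot: the device-access rule loses `input_device` for bluetooth with nothing in bluetooth.te recording that /dev/uinput is now reached through `uhid_device`, a type name that does not suggest it. Add a short comment above the `allow` line saying that `uhid_device` covers both /dev/uhid and /dev/uinput. This hunk is also only correct together with the file_contexts relabel, so the two must not be split or cherry-picked separately, otherwise bluetooth loses /dev/uinput.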
diff --git a/file_contexts b/file_contexts
index 5a9f1e2..89a8cf7 100644
--- a/file_contexts
+++ b/file_contexts
@@ -100,7 +100,7 @@
/dev/ttyS[0-9]* u:object_r:serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:input_device:s0
+/dev/uinput u:object_r:uhid_device:s0
/dev/urandom u:object_r:urandom_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
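Review bot: on the `/dev/uinput` line, reusing `uhid_device` means the two nodes can no longer be granted independently, so any domain allowed `uhid_device` now also gets /dev/uinput. If a later domain needs only one of them, a dedicated type (a hypothetical `uinput_device`, say) would keep that separation available. If the shared type stays, a comment next to these two entries explaining why they share a label would help, since the commit message is the only place the reasoning appears. Domains that previously reached /dev/uinput through `input_device` lose that access, which matches the stated intent for shell.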