init.te: allow creating kernel audit entries

Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.

Test: "setprop asdf asdf" from the unprivileged adb shell user
      generated an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1
diff --git a/public/init.te b/public/init.te
index 54a9759..528c6b8 100644
--- a/public/init.te
+++ b/public/init.te
@@ -277,6 +277,12 @@
 # Set any property.
 allow init property_type:property_service set;
 
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:capability audit_write;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 # in addition to unpriv ioctls granted to all domains, init also needs:
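Review bot: The `netlink_audit_socket` rule grants the whole `create_socket_perms_no_ioctl` set, which looks broader than sending a single audit record needs. If init only opens the socket, writes the record and reads the acknowledgement, something like `allow init self:netlink_audit_socket { create read write nlmsg_relay };` would sit closer to least privilege; check it against denials on a test build before narrowing. Together, `audit_write` and `nlmsg_relay` let init place userspace-originated records into the kernel audit stream, and the Test line suggests the property name in those records comes from an unprivileged requester. The code that formats the message is not visible in this hunk, so it is worth confirming that it escapes or bounds that text so a crafted property name cannot forge or split audit entries. The added comment could also state that the two rules are only meaningful together and exist solely for the property-denial path.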