From 48054810054e77b9aeaaa34df327d45e71d50571 Mon Sep 17 00:00:00 2001
From: RGIB
Date: Sat, 14 Mar 2015 20:08:30 +0100
Subject: kona-common: update selinux
Change-Id: I5f2594b77dd8551033812862938fb5fd14a6007d
---
 selinux/device.te | 5 ++++-
 selinux/file.te | 2 --
 selinux/file_contexts | 4 ++++
 selinux/init.te | 6 +++---
 selinux/netd.te | 4 +++-
 selinux/rild.te | 6 ++++++
 selinux/system_server.te | 2 ++
 selinux/untrusted_app.te | 2 ++
 8 files changed, 24 insertions(+), 7 deletions(-)
 create mode 100644 selinux/system_server.te
 create mode 100644 selinux/untrusted_app.te
(limited to 'selinux')
diff --git a/selinux/device.te b/selinux/device.te
index 087a624..d3b63c0 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -5,4 +5,7 @@ type diagnostic_device, dev_type;
 type efs_block_device, dev_type;
 #device type for smd device nodes, ie /dev/smd*
-type smd_device, dev_type;
\ No newline at end of file
+type smd_device, dev_type;
+
+# RIL /dev/umts_*
+type ril_device, dev_type;
diff --git a/selinux/file.te b/selinux/file.te
index 185b1c2..4e005df 100644
--- a/selinux/file.te
+++ b/selinux/file.te
@@ -1,8 +1,6 @@
 type radio_efs_file, fs_type;
-
 type firmware_mfc, file_type;
 type firmware_camera, file_type;
-
 type qmuxd_socket, file_type;
 type kickstart_data_file, file_type, data_file_type;
 type sensors_data_file, file_type, data_file_type;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index fe80da5..e733c9e 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -11,6 +11,10 @@
 /dev/ttyUSB0 u:object_r:radio_device:s0
 /dev/diag u:object_r:diagnostic_device:s0
+/dev/umts_boot0 u:object_r:ril_device:s0
+/dev/umts_ipc0 u:object_r:ril_device:s0
+/dev/umts_rfs0 u:object_r:ril_device:s0
+
 # GPS
 /dev/ttySAC1 u:object_r:gps_device:s0
diff --git a/selinux/init.te b/selinux/init.te
index 27935d9..37c38ef 100644
--- a/selinux/init.te
+++ b/selinux/init.te
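Review bot: All three `/dev/umts_*` nodes receive the single `ril_device` label, so any domain later granted `ril_device:chr_file` (rild, in this same commit) reaches the modem boot node `/dev/umts_boot0` together with the IPC and RFS channels. If the boot node is driven by a separate modem-boot daemon rather than by rild, a dedicated type such as `type ril_boot_device, dev_type;` with its own file_contexts entry would keep rild's grant limited to the channels it actually opens. Either way a one-line comment above the entries stating which process uses each node would make the intended consumers clear to the next reviewer.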
@@ -1,5 +1,5 @@
 allow init wpa_socket:unix_dgram_socket { bind create };
 allow init init:process { execmem };
-allow init init:tcp_socket { create };
-
-
+allow init init:tcp_socket { read write create };
+allow init port:tcp_socket name_connect;
+allow init self:tcp_socket { read write getopt connect };
diff --git a/selinux/netd.te b/selinux/netd.te
index d1c2662..0983293 100644
--- a/selinux/netd.te
+++ b/selinux/netd.te
@@ -1 +1,3 @@
-allow netd init:tcp_socket { read write };
\ No newline at end of file
+allow netd init:tcp_socket { read write getopt setopt };
+allow netd kernel:system module_request;
+allow netd unlabeled:file { read getattr open };
diff --git a/selinux/rild.te b/selinux/rild.te
index 3b0595d..51d3f53 100755
--- a/selinux/rild.te
+++ b/selinux/rild.te
@@ -13,3 +13,9 @@ allow rild diagnostic_device:chr_file rw_file_perms;
 # XXX label with own type?
 allow rild sysfs:file { read open write getattr };
+
+allow rild ril_device:chr_file { read write ioctl open };
+allow rild radio_data_file:dir setattr;
+allow rild self:capability dac_override;
+allow rild unlabeled:dir search;
+allow rild unlabeled:file { read getattr open setattr };
diff --git a/selinux/system_server.te b/selinux/system_server.te
new file mode 100644
index 0000000..f017b31
--- /dev/null
+++ b/selinux/system_server.te
@@ -0,0 +1,2 @@
+allow system_server efs_file:dir search;
+allow system_server default_prop:property_service set;
diff --git a/selinux/untrusted_app.te b/selinux/untrusted_app.te
new file mode 100644
index 0000000..c81150b
--- /dev/null
+++ b/selinux/untrusted_app.te
@@ -0,0 +1,2 @@
+allow untrusted_app unlabeled:file getattr;
+allow untrusted_app efs_file:dir getattr;
-- cgit v1.1
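Review bot: `allow init port:tcp_socket name_connect;` combined with the new `create`/`connect` socket grants lets code running in the init domain open an outbound TCP connection to any port, which is far wider than anything init.rc itself needs and very likely comes from a vendor daemon that never left the init domain (the `allow netd init:tcp_socket` rule elsewhere in this commit suggests that socket is then handed to netd). The usual fix is to identify the process from the denial's `comm=`/`path=`, give it its own domain with `type foo, domain; type foo_exec, exec_type, file_type; init_daemon_domain(foo)`, and put the network grants there instead of on init. If any of this is kept, `allow init init:tcp_socket { read write create };` and `allow init self:tcp_socket { read write getopt connect };` address the same target twice (`self` is `init` here) and should be merged into one rule with a comment naming the consumer.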
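Review bot: `allow netd unlabeled:file { read getattr open };` grants access by the absence of a label rather than by what the file is, and will also match any future file that loses its context; the fix is to take the `path=` from the denial, give that file a type in file_contexts (or run `restorecon` on the partition if it was created before labeling) and grant netd that type. `allow netd kernel:system module_request;` lets netd trigger kernel module auto-loading via request_module(); if it is genuinely needed, a comment such as `# module_request: kernel autoloads <module> when netd brings up <iface>` should record which module, since this enlarges the kernel's attack surface from a network-facing daemon.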
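Review bot: `allow rild self:capability dac_override;` lets rild bypass every file mode check, which is normally a symptom of a wrong owner or mode on a file rild touches (probably under `radio_data_file`, given the adjacent `dir setattr` grant) rather than a real need; fixing the ownership in init.rc (`chown radio radio <path>`) removes the need for the capability. The two `unlabeled` rules (`dir search` and `file { read getattr open setattr }`) likewise paper over files that have no label; label them in file_contexts instead of granting rild access to everything unlabeled, since `setattr` on unlabeled files lets rild change the mode of any such file it can reach. Each of the new lines would benefit from a short comment naming the path or device that produced the denial, as the existing `# XXX label with own type?` note does for sysfs.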
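Review bot: `allow system_server default_prop:property_service set;` lets system_server set every property that has no explicit entry in property_contexts, not just the one the denial was about; the intended fix is to add that property to property_contexts with a dedicated type (or an existing one such as `system_prop`) and grant `set` on that type only. AOSP treats writes to `default_prop` from anything other than init as a labeling bug and newer policy rejects it with a neverallow, so this line is likely to fail the policy build on a newer base. The `efs_file:dir search` rule is narrow enough on its own, but a comment naming the path under EFS that system_server traverses would help the next reviewer.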
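Review bot: `allow untrusted_app unlabeled:file getattr;` widens the least-trusted domain to fix a labeling problem: every third-party app gains metadata on any file that lacks a label, including files that lose their label in the future. Take the file from the denial's `path=`, add it to file_contexts, and if the stat() is harmless noise from an app probing a path, silence it with `dontaudit untrusted_app unlabeled:file getattr;` instead of an allow. The same applies to `efs_file:dir getattr`, which exposes EFS directory metadata to all apps; confirm an app genuinely needs it before keeping an allow rather than a dontaudit.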