commit 6d5eba10c8696c6a91df17975ac81f6e541281fe
author Nick Kralevich <nnk@google.com> Tue Apr 01 15:25:06 2014 -0700
committer Nick Kralevich <nnk@google.com> Wed Apr 02 10:42:15 2014 -0700
tree d4ddfe6e732e793949b72e111b447a4447a88163
parent 7acd4107ee50fe3e8f844d4854567440e608b379

Fix rmt related denials.

None of these showed up until we switched into enforcing.

Addresses the following denials:

<5>[    4.048124] type=1400 audit(13849623.620:5): avc:  denied  { sys_admin } for  pid=184 comm="rmt_storage" capability=21  scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
<5>[    4.049224] type=1400 audit(13849623.630:6): avc:  denied  { search } for  pid=184 comm="rmt_storage" name="block" dev="tmpfs" ino=5836 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=dir

Change-Id: Id8f7d4207489972576f88989f890b46ca6c5a04f

sepolicy/rmt.te

diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index a52b45d..fa94b80 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -12,7 +12,10 @@
 
 # opens and reads /dev/block/mmcblk0
 allow rmt root_block_device:blk_file r_file_perms;
-allow rmt root_block_device:dir r_dir_perms;
+allow rmt block_device:dir r_dir_perms;
+
+# Needed for ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT);
+allow rmt self:capability sys_admin;
 
 # Allow reads/writes to modem related block devices
 allow rmt modem_block_device:blk_file rw_file_perms;