WIP: sepolicy: mostly fixup graphics denials
Still not done, need androidboot.selinux=permissive to get to UI.
~#============= platform_app ==============
~#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
~#Constraint rule:
~# mlsconstrain file { write setattr append unlink link rename } ((t2 == app_data_file_type -Fail-) or (t2 == appdomain_tmpfs -Fail-) or (l1 eq l2 -Fail-) or (t1 == mlstrustedsubject -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
~# Possible cause is the source level (s0:c512,c768) and target level (s0) are different.
allow platform_app hal_graphics_allocator_default_tmpfs:file write;
allow platform_app tmpfs:file { read write };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 4a85066..6a2112d 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,3 @@
+allow system_app hal_graphics_allocator_default_tmpfs:file { read write };
+
gpu_access(system_app)
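Review bot: The added `allow system_app hal_graphics_allocator_default_tmpfs:file { read write };` has no comment naming the denial it answers, and it covers every tmpfs-backed file the allocator HAL domain creates, not one specific buffer type. Because `open` is not granted, access is presumably limited to buffers handed to system_app as already-open file descriptors. State that in the policy so nobody widens it later, e.g. `# graphics buffers received by fd from the allocator HAL; open intentionally not granted`. Before this leaves WIP, confirm against the logged avc denial that `read write` is the minimum needed. Also check whether the existing `gpu_access(system_app)` macro or a HAL client macro is the intended place for this access, rather than a per-domain rule that gets copied into each app domain.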