commit ae3613f13e9bc601af8b7cf1b871f99658433801
author Luca Weiss <luca.weiss@fairphone.com> Thu Mar 24 09:17:10 2022 +0100
committer Caleb Connolly <caleb.connolly@protonmail.com> Thu Mar 24 12:29:51 2022 +0000
tree d2cc747576b9b45709b2f78b0ab7b0bab65c60d3
parent b8a60a6f933ccb0a6a349bc0534da0ff08c65430

sepolicy: allow rmtfs to read sysfs_remoteproc

The new rmtfs version tries to read the 'modalias' file in sysfs and
causes this following selinux denial. Allow it.

I auditd  : type=1400 audit(0.0:37): avc: denied { read } for comm=rmtfs name=remoteproc0 dev=sysfs ino=21783 scontext=u:r:rmtfs:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
W rmtfs   : type=1400 audit(0.0:37): avc: denied { read } for name=remoteproc0 dev=sysfs ino=21783 scontext=u:r:rmtfs:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
I auditd  : type=1400 audit(0.0:38): avc: denied { read } for comm=rmtfs name=modalias dev=sysfs ino=3163 scontext=u:r:rmtfs:s0 tcontext=u:object_r:sysfs_remoteproc:s0 tclass=file permissive=0
W rmtfs   : type=1400 audit(0.0:38): avc: denied { read } for name=modalias dev=sysfs ino=3163 scontext=u:r:rmtfs:s0 tcontext=u:object_r:sysfs_remoteproc:s0 tclass=file permissive=0

sepolicy/rmtfs.te

diff --git a/sepolicy/rmtfs.te b/sepolicy/rmtfs.te
index 7cef38f..b35b940 100644
--- a/sepolicy/rmtfs.te
+++ b/sepolicy/rmtfs.te
@@ -10,6 +10,6 @@
 allow rmtfs self:qipcrtr_socket { bind create getattr read setopt write };
 allow rmtfs sysfs_mss:dir { open read search };
 allow rmtfs sysfs_remoteproc:dir { open read search };
-allow rmtfs sysfs_remoteproc:file { open write };
+allow rmtfs sysfs_remoteproc:file { open read write };
 allow rmtfs sysfs_rmtfs:dir search;
 allow rmtfs sysfs_rmtfs:file { open read };