From 829c6fb8637c3eee35d9016a68de41a2229883a3 Mon Sep 17 00:00:00 2001 From: Yi-Yo Chiang Date: Thu, 9 Jan 2025 18:41:43 +0800 Subject: [PATCH] init-display-sh: Don't audit writing to kmsg modprobe would log errors to /dev/kmsg, need to explicit allow this. ``` avc: denied { write } for comm="modprobe" name="kmsg" dev="tmpfs" ino=5 scontext=u:r:init-display-sh:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 ``` Bug: 388717752 Test: DeviceBootTest#SELinuxUncheckedDenialBootTest Change-Id: I62a43416291d4d79164765004f156f2bdb69b0b5 --- whitechapel/vendor/google/init-display-sh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/init-display-sh.te b/whitechapel/vendor/google/init-display-sh.te index 54ff7d6e..7f64b782 100644 --- a/whitechapel/vendor/google/init-display-sh.te +++ b/whitechapel/vendor/google/init-display-sh.te @@ -8,3 +8,5 @@ allow init-display-sh vendor_toolbox_exec:file execute_no_trans; dontaudit init-display-sh proc_cmdline:file r_file_perms; +# Allow modprobe to log to kmsg. +allow init-display-sh kmsg_device:chr_file w_file_perms;