From 50f433731d6d31e5b5d3008ba8a81228f10a2bdd Mon Sep 17 00:00:00 2001 From: Yi-Yo Chiang Date: Thu, 9 Jan 2025 18:41:03 +0800 Subject: [PATCH] init-display-sh: Don't audit writing to kmsg modprobe would log errors to /dev/kmsg, need to explicit allow this. ``` avc: denied { write } for comm="modprobe" name="kmsg" dev="tmpfs" ino=5 scontext=u:r:init-display-sh:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 ``` Bug: 388717752 Test: DeviceBootTest#SELinuxUncheckedDenialBootTest Change-Id: Iaf1157a925e480ec3c8cdd00573f3d0a4ead355b
--- whitechapel_pro/init-display-sh.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/init-display-sh.te b/whitechapel_pro/init-display-sh.te
index 54ff7d6e..7f64b782 100644
--- a/whitechapel_pro/init-display-sh.te
+++ b/whitechapel_pro/init-display-sh.te
@@ -8,3 +8,5 @@ allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
 dontaudit init-display-sh proc_cmdline:file r_file_perms;
+# Allow modprobe to log to kmsg.
+allow init-display-sh kmsg_device:chr_file w_file_perms;
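Review bot: The last added line is an `allow`, not a `dontaudit`, so the subject "Don't audit writing to kmsg" understates what the policy now grants: init-display-sh can write to the kernel log. If the modprobe errors are wanted there, the rule is right and the title should say "allow". If they are not, `dontaudit init-display-sh kmsg_device:chr_file w_file_perms;` would silence the denial without granting access, in the same way as the proc_cmdline line above it. `w_file_perms` also covers more than the single `write` permission in the quoted denial (open and append among them). That is presumably needed because modprobe opens /dev/kmsg itself, but the comment should say so, e.g. `# modprobe opens /dev/kmsg to report module load errors; needs open+write.`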