authorSteve Kondik <steve@cyngn.com>2015-01-14 04:38:53 -0800
committerScott Mertz <scott@cyngn.com>2015-01-30 11:01:51 -0800
commit922010d3a95066405c50dc1c4b2d79ae67501c94 (patch)
tree3432c0800e8770dc925ed31a77729c001a818d29 /sepolicy
parent0d40d209cba76a228e397001c537a80993bd79be (diff)
tomato: Address a bunch of SELinux denials
* See comments in files Change-Id: Ide4c9246861a2bb005dfc233d2fa3482eb0387b7
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/bluetooth_loader.te6
-rw-r--r--sepolicy/surfaceflinger.te2
2 files changed, 7 insertions, 1 deletions
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index a5197ef..d867e05 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -19,7 +19,11 @@ allow hci_attach bluetooth_loader:fd use;
# Read mac address from persist partition
allow bluetooth_loader persist_file:dir search;
r_dir_file(bluetooth_loader, bluetooth_data_file)
-allow bluetooth_loader self:capability { dac_override dac_read_search };
+allow bluetooth_loader self:capability { dac_override dac_read_search chown };
+
+# It may write a random mac here
+allow bluetooth_loader persist_file:dir { add_name write };
+allow bluetooth_loader persist_file:file { create_file_perms };
# Talk to init over the property socket
unix_socket_connect(bluetooth_loader, property, init)
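Review bot: The two added rules on `persist_file` (`dir { add_name write }` and `file { create_file_perms }`) let bluetooth_loader create and modify every object carrying the generic persist label, not only the MAC address file. The domain also holds `dac_override`, so file mode bits will not narrow that access. A tighter form gives the MAC file its own type in file_contexts and scopes the write to it, e.g. `file_type_auto_trans(bluetooth_loader, persist_file, <bt_mac_file_type>)`, where `<bt_mac_file_type>` is a placeholder for a new type this policy would have to define. The newly added `chown` capability has no comment; a line such as `# chown: set ownership of the generated mac file` (if that is the reason) would let a later reviewer judge whether it can be dropped.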
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..abd05d1
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+# secure display
+allow surfaceflinger persist_file:dir r_dir_perms;
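Review bot: `r_dir_perms` on `persist_file:dir` lets surfaceflinger open and list directories with the generic persist label, which looks broader than the comment `# secure display` justifies. If the process only needs to traverse the partition to reach files of another type, `allow surfaceflinger persist_file:dir search;` would be enough, matching the `search`-only rule that bluetooth_loader.te has for the same directory type. Whichever rule is kept, the comment should name the path or denial being addressed, for example `# secure display: <component> reads <path under the persist partition>`, with the placeholders filled in from the actual denial.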