authorbeanstown106 <nbenis106@gmail.com>2015-11-21 17:57:23 -0500
committerDavor Bertovic <lordclockan@gmail.com>2016-03-13 19:27:06 +0100
commit6d5df1b0146dd3c08c1a0eb8c6fbd8effb8195e2 (patch)
treeb3469852ef3e576094bea241ff082c2c497037ee
parent6ba41d3213d1a7553f5bc9fc82aefc5bf08f836a (diff)
Patch to allow SuperSU to run in SELinux enforcing
A special thanks to @Chainfire for pointing me to the right places and @imoseyon for helping with the SELinux rules.
Written By: @BeansTown106
Keep the @ in my name; I'd like to track the use of this.
Change-Id: I10c98e73fb8e025c6dd3ddbb7ca7abf9662dd8cb
-rw-r--r--init.te10
1 files changed, 9 insertions, 1 deletions
diff --git a/init.te b/init.te
index a9c567e..06329c8 100644
--- a/init.te
+++ b/init.te
@@ -71,6 +71,10 @@ allow init self:capability sys_time;
allow init self:capability { sys_rawio mknod };
+# fix some selinux denials related to supersu
+allow init system_file:file execute_no_trans;
+allow zygote init:unix_stream_socket { read write };
+
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
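Review bot: `allow init system_file:file execute_no_trans;` lets init run every file labelled system_file inside its own domain, which is far wider than the SuperSU denials the comment names. A tighter form gives the daemon binary its own file type and its own domain, entered through a transition such as `domain_auto_trans(init, <su_daemon_exec_type>, <su_daemon_domain>)` (placeholder type names), so that init never executes anything untransitioned. The zygote rule on the next line has zygote as its subject, not init, and the hunk does not show which socket it is meant for; its comment should name the denial it fixes so the rule can be audited or removed later.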
@@ -127,6 +131,10 @@ allow init security_file:dir { create setattr };
# which can be configured on a device-by-device basis if needed.
r_dir_file(init, security_file)
+# allow supolicy to read and load sepolicy
+allow init kernel:security load_policy;
+allow init kernel:security read_policy;
+
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
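Review bot: The two added rules give `load_policy` and `read_policy` to the init domain itself, although the comment says they are for supolicy. Together with the `execute_no_trans` rule added in the first hunk, any system_file program that init starts without a domain transition can replace the running policy, so enforcing mode only constrains what that program chooses to keep. If the permission is needed at all, it is better held by a dedicated domain for the tool. While it stays on init, a line such as `auditallow init kernel:security load_policy;` next to it would record each use in the audit log.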
@@ -287,4 +295,4 @@ neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;
# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
+# neverallow init { file_type fs_type }:file execute_no_trans;
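Review bot: Commenting out the neverallow drops the build-time check for every file and filesystem type, while the allow added in the first hunk only needs system_file. Subtracting that one type keeps the assertion for everything else: `neverallow init { file_type fs_type -system_file }:file execute_no_trans;`. The comment line above it, `# init should never execute a program without changing to another domain.`, is left in place and no longer matches the policy, so it should state the exception.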