1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14updater_only(`
15
16#avc: denied { map } for pid=227 comm="ueventd" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
17#avc: denied { read } for pid=227 comm="ueventd" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
18#avc: denied { execute } for pid=227 comm="ueventd" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
19#avc: denied { open } for pid=227 comm="ueventd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16683 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
20#avc: denied { getattr } for pid=227 comm="ueventd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16683 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
21#avc: denied { entrypoint } for pid=227 comm="init" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
22allow ueventd rootfs:file { entrypoint map read execute open getattr };
23
24#avc: denied { read write } for pid=227 comm="ueventd" path="/dev/console" dev="rootfs" ino=16657 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
25allow ueventd rootfs:chr_file { write read };
26
27#avc: denied { write } for pid=227 comm="ueventd" path="socket:[19887]" dev="sockfs" ino=19887 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
28#avc: denied { getopt } for pid=229 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
29allow ueventd ueventd:netlink_kobject_uevent_socket { write getopt };
30
31
32#avc: denied { read } for pid=229 comm="ueventd" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:ueventd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
33#avc: denied { open } for pid=229 comm="ueventd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:ueventd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
34#avc: denied { map } for pid=229 comm="ueventd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:ueventd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
35allow ueventd musl_param:file { read open map };
36
37#avc: denied { execute_no_trans } for pid=231 comm="init" path="/bin/hilog" dev="rootfs" ino=17826 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
38#avc: denied { write } for pid=224 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=16921 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
39allow ueventd dev_file:file { create setattr };
40
41#avc: denied { create } for pid=229 comm="ueventd" name="mmcblk0" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1
42#avc: denied { setattr } for pid=229 comm="ueventd" name="mmcblk0" dev="tmpfs" ino=100 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1
43#avc: denied { getattr } for pid=223 comm="ueventd" path="/dev/block/mmcblk0" dev="tmpfs" ino=100 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1
44#avc: denied { relabelfrom } for pid=223 comm="ueventd" name="mmcblk0" dev="tmpfs" ino=100 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1
45allow ueventd dev_file:blk_file { create setattr getattr relabelfrom };
46
47#avc: denied { create } for pid=229 comm="ueventd" name="mmcblk0" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1
48allow ueventd dev_file:lnk_file { create };
49
50#avc: denied { create } for pid=223 comm="ueventd" name="by-name" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1
51#avc: denied { read } for pid=223 comm="ueventd" name="by-name" dev="tmpfs" ino=106 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1
52allow ueventd dev_block_volfile:lnk_file { create read };
53
54#avc: denied { relabelto } for pid=229 comm="ueventd" name="block" dev="tmpfs" ino=99 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1
55allow ueventd dev_block_volfile:dir { relabelto };
56
57#avc: denied { relabelto } for pid=223 comm="ueventd" name="binder" dev="tmpfs" ino=181 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_binder_file:s0 tclass=chr_file permissive=1
58allow ueventd dev_binder_file:chr_file { relabelto };
59
60#avc: denied { read } for pid=224 comm="ueventd" name="etc" dev="rootfs" ino=17415 scontext=u:r:ueventd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
61allow ueventd system_etc_file:lnk_file { read };
62
63# avc:  denied  { relabelto } for  pid=226 comm="ueventd" name="xpm" dev="tmpfs" ino=193 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=1
64allow ueventd dev_xpm:chr_file { relabelto };
65
66# avc: denied { create } for pid=234 comm="ueventd" name="by-name" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1
67allow ueventd dev_block_volfile:dir { create };
68
69# avc:  denied  { relabelto } for  pid=241 comm="ueventd" name="eng_system" dev="tmpfs" ino=109 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_file:s0 tclass=lnk_file permissive=1
70allow ueventd dev_block_file:lnk_file { relabelto };
71
72# avc:  denied  { relabelto } for  pid=238 comm="ueventd" name="mmcblk0p3" dev="tmpfs" ino=129 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=blk_file permissive=0
73allow ueventd dev_block_volfile:blk_file { relabelto };
74
75# avc:  denied  { getattr } for  pid=250 comm="ueventd" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0
76# avc:  denied  { relabelfrom } for  pid=250 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0
77# avc:  denied  { setattr } for  pid=250 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0
78# avc:  denied  { relabelto } for  pid=241 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=147 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
79allow ueventd updater_block_file:blk_file { getattr relabelfrom setattr relabelto };
80
81# avc:  denied  { getattr } for  pid=242 comm="ueventd" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0
82# avc:  denied  { relabelfrom } for  pid=242 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0
83# avc:  denied  { setattr } for  pid=242 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0
84allow ueventd tmpfs:blk_file { getattr relabelfrom setattr };
85
86# avc:  denied  { getattr } for  pid=245 comm="ueventd" path="/dev/block/by-name/misc" dev="tmpfs" ino=37 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=1
87# avc:  denied  { relabelto } for  pid=231 comm="ueventd" name="misc" dev="tmpfs" ino=149 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=0
88allow ueventd updater_block_file:lnk_file { getattr relabelto };
89')
90