From 9184d67efc09fc08cc4d88c3f8d4e320270dd9ee Mon Sep 17 00:00:00 2001
From: Changbin Du
Date: Fri, 26 Jan 2024 19:18:14 +0800
Subject: [PATCH] fixed 7dde712 from https://gitee.com/changbindu/security_selinux_adapter/pulls/3597

Fix writing bootup.trace failure

Need allow 'init' to write /data/log/startup/bootup.trace. We re-labeled it as 'bootuptrace_file'.

[avc_audit_slow:260] avc: denied { write } for pid=1, comm="/bin/init" \
path="/data/log/startup/bootup.trace" dev="..." ino=11581 \
scontext=u:r:init:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=0

Signed-off-by: Changbin Du
---
 sepolicy/ohos_policy/startup/init/public/file.te | 3 +++
 sepolicy/ohos_policy/startup/init/system/file_contexts | 2 ++
 sepolicy/ohos_policy/startup/init/system/init.te | 2 ++
 3 files changed, 7 insertions(+)

diff --git a/sepolicy/ohos_policy/startup/init/public/file.te b/sepolicy/ohos_policy/startup/init/public/file.te
index 53f68967d..fed4a1e7b 100644
--- a/sepolicy/ohos_policy/startup/init/public/file.te
+++ b/sepolicy/ohos_policy/startup/init/public/file.te
@@ -13,3 +13,6 @@
 
 # for hyperhold
 type hyperhold_sys, file_attr, data_file_attr;
+
+# for bootup.trace
+type bootuptrace_file, file_attr, data_file_attr;
diff --git a/sepolicy/ohos_policy/startup/init/system/file_contexts b/sepolicy/ohos_policy/startup/init/system/file_contexts
index c9b18c1d4..ef3977392 100644
--- a/sepolicy/ohos_policy/startup/init/system/file_contexts
+++ b/sepolicy/ohos_policy/startup/init/system/file_contexts
@@ -16,3 +16,5 @@
 
 # for hyperhold
 /data/vendor/hyperhold(/.*)? u:object_r:hyperhold_sys:s0
+# for bootup.trace
+/data/log/startup(/.*)? u:object_r:bootuptrace_file:s0
diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te
index b7dcf052c..fcf377e1b 100644
--- a/sepolicy/ohos_policy/startup/init/system/init.te
+++ b/sepolicy/ohos_policy/startup/init/system/init.te
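Review bot: `type bootuptrace_file, file_attr, data_file_attr;` inherits every rule written against `data_file_attr`, so any domain already allowed on that attribute gets the same access to bootup.trace as to other data files, not only init. If the intent is to confine the trace to init, the attribute-level rules (not visible in this patch) are what decide that, and they are worth checking before relying on the new label as a boundary. The other type declarations in file.te are outside the hunk, so I cannot tell whether a narrower attribute set is used for comparable init-only files.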
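Review bot: `/data/log/startup(/.*)? u:object_r:bootuptrace_file:s0` relabels the whole /data/log/startup tree, while the description and the quoted denial concern the single file bootup.trace. Everything under that directory moves from `data_log` to `bootuptrace_file`, so any other domain that currently reaches those files through `data_log` rules may start being denied, and every file there becomes creatable and writable by init through the init.te rules in this patch. If bootup.trace is the only thing that lives there, a comment next to the entry saying so, e.g. `# for bootup.trace (only file under /data/log/startup)`, makes the wide pattern deliberate; otherwise a file-specific entry such as `/data/log/startup/bootup\.trace u:object_r:bootuptrace_file:s0` matches the stated intent, though that would need the directory rule in init.te retargeted and the file relabeled or type-transitioned after creation.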
@@ -15,6 +15,8 @@ allow init nwebspawn_socket:sock_file { unlink };
 allow init appspawn_socket:sock_file { unlink };
 allow init data_ethernet:dir { getattr };
 allow init data_log:file { getattr };
+allow init bootuptrace_file:dir { add_name getattr open read search write relabelto };
+allow init bootuptrace_file:file { create getattr write open relabelto };
 allow init data_parameters:file { getattr };
 allow init data_udev:dir { relabelfrom };
 allow init privacy_service:process { transition };
-- 
Gitee
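Review bot: The two new `allow init bootuptrace_file:...` lines carry no comment, unlike the `# for bootup.trace` headers this patch adds in file.te and file_contexts, and the `relabelto` permission on both the dir and file classes is not explained by the description or the quoted denial, which shows only `{ write }` on the file. A relabel needs a matching `relabelfrom` on the source type (`data_log` here) as well, which this hunk does not add, so either that rule already exists elsewhere in init.te (the surrounding rules are outside the hunk) or the relabel path cannot succeed. A one-line comment above the pair, e.g. `# for bootup.trace: init creates/writes the trace and relabels /data/log/startup from data_log at boot`, adjusted to what actually happens, would make the grant auditable. If the trace is opened with O_APPEND, `append` would also be needed on the file class; the single denial cannot show that.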