From 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 14 Jan 2015 14:12:14 -0800
Subject: remove /proc/net read access from domain.te

SELinux domains wanting read access to /proc/net need to explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
---
 netd.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 (limited to 'netd.te')

diff --git a/netd.te b/netd.te
index ce89421..611ec76 100644
--- a/netd.te
+++ b/netd.te
@@ -23,7 +23,8 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file write;
+allow netd proc_net:file rw_file_perms;
+allow netd proc_net:dir r_dir_perms;
 
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.
-- 
cgit v1.2.3
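Review bot: The comment `# For /proc/sys/net/ipv[46]/route/flush.` above the changed rules only explains the write half of the grant; the file read access and the `proc_net:dir r_dir_perms` rule are new here and have no stated reason in the policy. Since the commit description says domains must now declare /proc/net read access themselves, I would record that next to the rules, e.g. `# netd reads /proc/net; this is no longer granted to all domains by domain.te.` Separately, `rw_file_perms` keeps write (and, if the macro expands as usual, adds append) on every file labelled `proc_net`, not just the route flush entries. The old `write` rule was equally broad, but a narrower type for the flush files would be worth a follow-up, in the same spirit as the `XXX Split into its own type` note further down.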