From c60743aef549ac7215eb420844161a063863dadf Mon Sep 17 00:00:00 2001 From: Max Bires Date: Tue, 7 Feb 2017 14:56:31 -0800 Subject: [PATCH] Adding allows to init.te and kernel.te to address boot logs. Allows take care of following denials: denied { create } for pid=6 comm="kworker/u16:0" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=socket denied { mounton } for pid=1 comm="init" path="/persist" dev="sda20" ino=44 scontext=u:r:init:s0 tcontext=u:object_r:persist_file:s0 tclass=dir Bug: 34784662 Test: The above denials no longer appear in bootup logs Change-Id: I1a0db919938e4d56d60e07dad65db064a5f38d45 --- sepolicy/init.te | 2 ++ sepolicy/kernel.te | 4 ++++ 2 files changed, 6 insertions(+) create mode 100644 sepolicy/kernel.te diff --git a/sepolicy/init.te b/sepolicy/init.te index ae5e9f5..5382906 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,2 +1,4 @@ allow init self:capability sys_module; allow init system_file:system module_load; + +allow init persist_file:dir mounton; diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te new file mode 100644 index 0000000..9491cd3 --- /dev/null +++ b/sepolicy/kernel.te @@ -0,0 +1,4 @@ +# for diag over socket +userdebug_or_eng(` + allow kernel self:socket create; +')
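Review bot: the new init.te rule `allow init persist_file:dir mounton;` has no comment explaining what it is for, while the kernel.te hunk in the same patch does (`# for diag over socket`); please add a one-line comment above it, e.g. `# mount /persist (persist_file) from fstab at boot`, so the next reader can tie the rule to the `path="/persist" dev="sda20"` denial quoted in the commit message rather than having to dig it out of the bug. Also worth stating in the commit message whether the denial was actually causing the /persist mount to fail (a denied `mounton` means the mount does not happen, so this is functional, not just log noise), since "address boot logs" reads as if it were cosmetic.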
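Review bot: the kernel.te rule grants only `create` on the generic `socket` class, so once this lands the kworker's socket creation will succeed and the next operations on that socket (bind/connect/read/write/ioctl, depending on what diag does) will very likely surface as new `kernel:s0 ... tclass=socket` denials that this patch's test ("the above denials no longer appear") would not have caught; please re-run a full boot with the rule applied and either grant the complete permission set the diag path needs or note why `create` alone is sufficient. Two further points: the `tclass=socket` in the denial is the catch-all class for address families the policy has no dedicated class for, so `allow kernel self:socket create;` permits kernel-domain creation of any such family, not only the diag one, and the comment should say that is accepted; and because the rule is wrapped in `userdebug_or_eng`, user builds will still log this denial at every boot, so either state in the commit message that the denial is expected on user builds or confirm the kworker only attempts the socket on debug builds.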