Edison specific SELinux Rules

sensorservice access to sysfs and debugfs.
Label block devices used by update_engine.

Change-Id: I23f5ece685afb742c5028f3f1c38b5f3a7f440f3
Author: Bruce Beare <bruce.j.beare@intel.com>
Author: David Zeuthen <zeuthen@google.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>

2 files changed, 11 insertions, 0 deletions

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..1a73875
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,5 @@
+/dev/block/pci/pci0000:00/0000:00:01.0/by-name/misc          u:object_r:misc_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01.0/by-name/boot_a        u:object_r:boot_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01.0/by-name/system_a      u:object_r:system_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01.0/by-name/boot_b        u:object_r:boot_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01.0/by-name/system_b      u:object_r:system_block_device:s0
diff --git a/sepolicy/sensorservice.te b/sepolicy/sensorservice.te
new file mode 100644
index 0000000..8469954
--- /dev/null
+++ b/sepolicy/sensorservice.te
@@ -0,0 +1,6 @@
+#
+# Sensorservice uses the sensors HAL... which needs sysfs file and i2c device access.
+#
+
+allow sensorservice i2c_device:chr_file rw_file_perms;
+allow sensorservice sysfs:file w_file_perms;