bringmeup / hub


fix selinux policy violations #7

Closed nazgee closed 6 years ago

nazgee commented 6 years ago

There are plenty of violations. We run in permissive mode, so it works, but I am not sure what will happen in enforcing mode (passed by uboot to the kernel as a cmdline parameter).

nazgee commented 6 years ago

wifi:

type=1400 audit(1521930902.900:16): avc: denied { sys_module } for pid=545 comm="WifiStateMachin" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=1
type=1400 audit(1521930904.110:17): avc: denied { module_load } for pid=545 comm="WifiStateMachin" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=system permissive=1
type=1400 audit(1521930904.710:18): avc: denied { sys_module } for pid=545 comm="WifiStateMachin" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=1
type=1400 audit(1521930919.828:21): avc: denied { sys_module } for pid=545 comm="WifiStateMachin" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=1
type=1400 audit(1521930921.778:22): avc: denied { module_load } for pid=545 comm="WifiStateMachin" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=system permissive=1

wpa:

03-24 22:35:04.910   669   669 I wpa_supplicant: type=1400 audit(0.0:19): avc: denied { read } for name="rfkill" dev="tmpfs" ino=10727 scontext=u:r:wpa:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-24 22:35:04.910   669   669 I wpa_supplicant: type=1400 audit(0.0:20): avc: denied { open } for path="/dev/rfkill" dev="tmpfs" ino=10727 scontext=u:r:wpa:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-24 22:35:22.468  1202  1202 I wpa_supplicant: type=1400 audit(0.0:23): avc: denied { read } for name="rfkill" dev="tmpfs" ino=10727 scontext=u:r:wpa:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-24 22:35:22.468  1202  1202 I wpa_supplicant: type=1400 audit(0.0:24): avc: denied { open } for path="/dev/rfkill" dev="tmpfs" ino=10727 scontext=u:r:wpa:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

uim:

03-24 22:34:49.340   220   220 I init    : type=1400 audit(0.0:3): avc: denied { entrypoint } for path="/system/bin/uim-sysfs" dev="mmcblk0p6" ino=486 scontext=u:r:hci_attach:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1

nazgee commented 6 years ago

This is a quick and easy way to work with selinux and fix violations:

============= bootanim ==============

allow bootanim proc_net:file { getattr open read };

============= cameraserver ==============

allow cameraserver proc_net:file { getattr open read };

============= hci_attach ==============

allow hci_attach sysfs:file setattr; allow hci_attach system_file:file entrypoint;

============= shell ==============

allow shell init_exec:file getattr; allow shell rootfs:file getattr;

============= system_app ==============

allow system_app radio_data_file:dir getattr;

============= system_server ==============

allow system_server self:capability sys_module; allow system_server self:system module_load;

============= wpa ==============

allow wpa device:chr_file { open read };

- hack ``system/policy/*.te`` files
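
An added example (not part of this issue or of the bringmeup/hub code) that turns avc denial lines like the ones pasted above into the allow-style statements listed in this comment, the way audit2allow does, and flags the capability and module-load grants as ones to review before putting them into a `.te` file. The sample lines are constructed copies of the denials quoted in this issue; the parser also handles both the raw audit format and the logcat-wrapped format shown above.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the denial lines quoted in this issue,
# in both the raw audit format and the logcat-wrapped format.
SAMPLE_DENIALS = """\
type=1400 audit(1521930902.900:16): avc: denied { sys_module } for pid=545 comm="WifiStateMachin" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=1
type=1400 audit(1521930904.110:17): avc: denied { module_load } for pid=545 comm="WifiStateMachin" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=system permissive=1
03-24 22:35:04.910   669   669 I wpa_supplicant: type=1400 audit(0.0:19): avc: denied { read } for name="rfkill" dev="tmpfs" ino=10727 scontext=u:r:wpa:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-24 22:35:04.910   669   669 I wpa_supplicant: type=1400 audit(0.0:20): avc: denied { open } for path="/dev/rfkill" dev="tmpfs" ino=10727 scontext=u:r:wpa:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-24 22:34:49.340   220   220 I init    : type=1400 audit(0.0:3): avc: denied { entrypoint } for path="/system/bin/uim-sysfs" dev="mmcblk0p6" ino=486 scontext=u:r:hci_attach:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
"""

# Permissions inside { }, then the source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # u:r:wpa:s0 -> wpa ; u:object_r:device:s0 -> device
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source, target, tclass, perm) for every avc denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = _type_of(m.group("scon"))
        tgt = _type_of(m.group("tcon"))
        tgt = "self" if src == tgt else tgt  # same type both sides -> self
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm

def allow_rules(text):
    """Collapse denials into allow statements, keyed by source domain."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        perms[(src, tgt, tclass)].add(perm)
    rules = defaultdict(list)
    for (src, tgt, tclass), ps in sorted(perms.items()):
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ " + body + " }"
        rules[src].append(f"allow {src} {tgt}:{tclass} {body};")
    return dict(rules)

def needs_review(rule):
    """Flag grants that let a domain load kernel modules (capability/system)."""
    return ":capability " in rule or ":system " in rule
```

Run `allow_rules(SAMPLE_DENIALS)` to get the per-domain statements; anything `needs_review` marks is worth a second look rather than blindly pasting into the policy.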

nazgee commented 6 years ago

possible fix: https://github.com/bringmeup/android_device_nexwell/commit/97c68ca441fb03e230ddcee5b6c9772204911099

nazgee commented 6 years ago

fixed