Fix clatd, broken by selinux policing /dev/tun

Bug: 10175701
Change-Id: I185df22bdbaafd56725760ec6c71340b67455046

3 files changed, 13 insertions, 0 deletions

diff --git a/clatd.te b/clatd.te
new file mode 100644
index 0000000..ebbb79c
--- /dev/null
+++ b/clatd.te
@@ -0,0 +1,8 @@
+# 464xlat daemon
+type clatd, domain;
+permissive clatd;
+type clatd_exec, exec_type, file_type;
+
+init_daemon_domain(clatd)
+net_domain(clatd)
+unconfined_domain(clatd)
diff --git a/file_contexts b/file_contexts
index 2161e8e..81b9da9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -151,6 +151,7 @@
 /system/bin/ping    u:object_r:ping_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/hostapd     u:object_r:hostapd_exec:s0
+/system/bin/clatd	u:object_r:clatd_exec:s0
 #############################
 # Vendor files
 #
diff --git a/netd.te b/netd.te
index 8636af1..f98be3d 100644
--- a/netd.te
+++ b/netd.te
@@ -47,6 +47,10 @@ allow netd hostapd:process signal;
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 allow netd dnsmasq:process signal;
 
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
+allow netd clatd:process signal;
+
 # Support netd running mdnsd
 # TODO: prune this back further
 allow netd ctl_default_prop:property_service set;