1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
# Core rules for the netsysnative domain: unix-socket plumbing, capabilities,
# netlink/raw/tcp/udp sockets, execution of helper binaries, BPF, and access
# to sockets handed over from application domains.
allow netsysnative dev_unix_socket:dir { search };
allow netsysnative dev_unix_socket:sock_file { write };
# Broad capability set: sys_admin and sys_resource reach well beyond packet
# handling. The identical set is granted again later in this file
# (`capability { net_raw sys_resource sys_admin net_admin }`); SELinux unions
# the two, so one copy can go without changing the effective permissions.
# NOTE(review): confirm which code path actually needs sys_admin — TODO.
allow netsysnative netsysnative:capability { net_admin net_raw net_bind_service sys_resource sys_admin };
allow netsysnative netsysnative:netlink_route_socket { create listen nlmsg_write write };
allow netsysnative netsysnative:unix_dgram_socket { ioctl };
allow netsysnative netsysnative:tcp_socket { connect create getattr getopt read setopt write };
# execute_no_trans: the shell and the system/toybox binaries below run inside
# the netsysnative domain with all of its capabilities, not in a domain of
# their own.
allow netsysnative sh_exec:file { execute execute_no_trans map open read };
allow netsysnative netsysnative:bpf { map_create map_read map_write prog_load prog_run };
allow netsysnative sys_file:dir { mounton };
allow netsysnative system_bin_file:lnk_file { read };
allow netsysnative toybox_exec:lnk_file { read };
allow netsysnative netsysnative:netlink_nflog_socket { bind getopt setopt };
allow netsysnative netsysnative:rawip_socket { create getopt setopt };
# `write` on proc_file covers every file labelled proc_file, not only the
# /proc/sys/net/core/xfrm_acq_expires sysctl that appears in the denial logs
# later in this file. NOTE(review): a dedicated type for the sysctls that
# netsysnative sets would narrow this — confirm which entries are written.
allow netsysnative proc_file:file { write open read };
allow netsysnative proc_net:file { getattr };
allow netsysnative system_bin_file:file { execute execute_no_trans getattr map open read };
allow netsysnative toybox_exec:file { execute execute_no_trans getattr map open read };
allow netsysnative system_etc_file:file { lock };
allow netsysnative tty_device:chr_file { open read write };
allow netsysnative netsysnative:udp_socket { bind read getopt setopt connect write ioctl };
allow netsysnative port:udp_socket { name_bind };
allow netsysnative node:udp_socket { node_bind };
allow netsysnative netsysnative:netlink_nflog_socket { read };
allow netsysnative dev_file:sock_file { write unlink };
allow netsysnative dev_console_file:chr_file { read write };
allow netsysnative dev_file:dir { remove_name };
allow netsysnative netsysnative:netlink_netfilter_socket { listen };
allow netsysnative netsysnative:netlink_kobject_uevent_socket { listen };
# Exact duplicates of the two lnk_file rules above; harmless (rules are
# unioned) but noise for anyone auditing the effective permission set.
allow netsysnative system_bin_file:lnk_file { read };
allow netsysnative toybox_exec:lnk_file { read };
allow netsysnative accessibility_param:file { read open map };
allow netsysnative data_service_file:dir { search };
allow netsysnative data_service_el1_file:dir { search write add_name };
allow netsysnative data_service_el1_file:file { create write open ioctl read };
# netsysnative creates the fwmark and dnsproxy control sockets itself; the
# `allow domain ...:sock_file { write read }` rules later in this file open
# them to every process domain, so the server behind each socket is the
# trust boundary for whatever it accepts.
allow netsysnative fwmark_service:sock_file { create unlink setattr write };
allow netsysnative dnsproxy_service:sock_file { create unlink setattr };
# setfscreate lets netsysnative choose the label of objects it creates.
allow netsysnative netsysnative:process { setfscreate };
# Sockets owned by ordinary apps: netsysnative receives the descriptor
# (fd use) and then reads/writes/configures the socket on the app's behalf.
# Matching rules for system_basic_hap_attr and system_core_hap_attr follow
# later in this file.
allow netsysnative normal_hap_attr:fd { use };
allow netsysnative normal_hap_attr:tcp_socket { read write getopt setopt };
allow netsysnative normal_hap_attr:unix_dgram_socket { read write getopt setopt };
allow netsysnative normal_hap_attr:udp_socket { read write getopt setopt };
allow netsysnative normal_hap_attr:unix_stream_socket { read write getopt setopt };
# NOTE(review): an init-domain rule inside the netsysnative policy; presumably
# init removes a stale socket node for this service — confirm, and consider
# grouping it with the other init rules further down.
allow init dev_unix_file:sock_file { unlink };
# Extended-permission whitelist for udp_socket ioctls. The 0x89xx values are
# SIOC* interface/ARP ioctls (e.g. 0x8933 SIOCGIFINDEX, 0x8913/0x8914
# SIOCGIFFLAGS/SIOCSIFFLAGS, 0x8953/0x8955 SIOCDARP/SIOCSARP), so the domain
# can query and reconfigure interfaces and ARP entries but issue no other ioctl
# on these sockets.
allowxperm netsysnative netsysnative:udp_socket ioctl { 0x8933 0x8953 0x8955 0x8915 0x891b 0x8913 0x8927 0x8914 0x8916 0x891c 0x8922 };
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8933 };
59
# Sockets from system_basic apps (same pattern as normal_hap_attr above), the
# tun device used for VPN data paths, and the iptables helper binary.
allow netsysnative system_basic_hap_attr:fd { use };
allow netsysnative system_basic_hap_attr:tcp_socket { read write getopt setopt };
allow netsysnative dev_tun_file:chr_file { open read write ioctl };
# relabelfrom/relabelto on its own tun sockets: netsysnative may change the
# label of a tun socket, presumably before handing it to another domain.
# NOTE(review): confirm the permitted target labels are constrained elsewhere.
allow netsysnative netsysnative:tun_socket { create relabelfrom relabelto };
allow netsysnative system_basic_hap_attr:udp_socket { read write getopt setopt };

# 0x8927 (SIOCGIFHWADDR) and 0x8954 (SIOCGARP) on unix datagram sockets; this
# combines with the 0x8933 entry granted above.
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8927 0x8954 };

# iptables is executed without a domain transition, so it runs with
# netsysnative's full privileges; the neverallow later in this file restricts
# which other domains may execute it at all.
allow netsysnative iptables_exec:lnk_file { read };
allow netsysnative iptables_exec:file { execute read open execute_no_trans map };
allow netsysnative netsysnative:packet_socket { read bind create ioctl setopt };
# Same permission set as the bpf rule near the top of the file, reordered;
# one copy would do.
allow netsysnative netsysnative:bpf { map_read prog_load map_create prog_run map_write };
allow netsysnative data_file:file { read };
# System ability manager: register and look up the netsys extension SA.
allow netsysnative sa_netsys_ext_service:samgr_class { add get };
74
# Mount, BPF and netlink privileges plus a second batch of domain rules;
# several of these repeat rules from the first section with the permission
# list reordered (SELinux unions them, so the duplicates add nothing).
allow netsysnative sys_file:filesystem { mount };
# NOTE(review): transition/rlimitinh/siginh to its *own* domain — the helper
# binaries above all use execute_no_trans, so it is unclear which exec path
# needs this; confirm it is not dead.
allow netsysnative netsysnative:process { rlimitinh transition siginh };
# CAP_BPF together with the bpf prog_load/map_* rules: netsysnative loads and
# runs BPF programs.
allow netsysnative netsysnative:capability2 { bpf };
# Duplicate of the capability rule near the top of the file (same set).
allow netsysnative netsysnative:capability { net_raw sys_resource sys_admin net_admin };
# Superset of the earlier rawip_socket rule (adds write).
allow netsysnative netsysnative:rawip_socket { write setopt getopt create };
allow netsysnative netsysnative:unix_dgram_socket { ioctl };
allow netsysnative debug_param:file { map open read };
allow netsysnative dev_console_file:chr_file { write read };
allow netsysnative dev_unix_socket:dir { search };
allow netsysnative hilog_param:file { map open read };
allow netsysnative musl_param:file { map open read };
allow netsysnative param_watcher:binder { call transfer };
allow netsysnative proc_net:file { getattr };
allow netsysnative sa_param_watcher:samgr_class { get };
allow netsysnative sh_exec:file { read map execute_no_trans execute open };
allow netsysnative sysfs_net:dir { open read };
allow netsysnative system_bin_file:dir { search };
allow netsysnative system_bin_file:file { read map execute_no_trans execute open };
allow netsysnative toybox_exec:file { read map execute_no_trans execute open getattr };
allow netsysnative system_etc_file:file { lock };
allow netsysnative tracefs:dir { search };
allow netsysnative tracefs_trace_marker_file:file { write open };
allow netsysnative sys_file:dir { mounton };
# bpffs: netsysnative mounts it and creates/pins entries under it; init is
# given an overlapping set further down.
allow netsysnative fs_bpf:dir { getattr search mounton add_name create write };
allow netsysnative fs_bpf:file { create setattr write read };
allow netsysnative fs_bpf:filesystem { mount };
# nlmsg_readpriv: privileged route-netlink reads; nlmsg_write: route/link
# changes. This is a superset of the earlier netlink_route_socket rule.
allow netsysnative netsysnative:netlink_route_socket { setopt bind setattr getattr listen read nlmsg_read nlmsg_readpriv nlmsg_write create write };
# sock_diag netlink; nlmsg_write on this class is what socket-destroy requests
# need — presumably used for connection teardown, confirm.
allow netsysnative netsysnative:netlink_tcpdiag_socket { create connect write nlmsg_read read nlmsg_write };
# system_core apps' sockets, same pattern as normal/system_basic above.
allow netsysnative system_core_hap_attr:fd { use };
allow netsysnative system_core_hap_attr:tcp_socket { read write getopt setopt };
allow netsysnative system_core_hap_attr:udp_socket { read write getopt setopt };
allow netsysnative edm_sa:binder { call };
allow netsysnative sysfs_devices_system_cpu:file { read open getattr };
# Direct writes to the kernel log device.
allow netsysnative dev_kmsg_file:chr_file { open write };
109
# Further system-ability registrations, cgroup2 access, the init-side rules
# for the bpffs/cgroup2 mounts and control-socket nodes, and the rules that
# open netsysnative's interfaces to every process domain.
allow netsysnative sa_distributed_net_service:samgr_class { add get };

allow netsysnative cgroup2:dir { read open };

allow netsysnative sa_netvirt_ext:samgr_class { add };

# init prepares bpffs and cgroup2 (mount, create entries). The :file
# permissions for each are split over two rules; SELinux unions them.
allow init fs_bpf:dir { add_name create mounton open read search setattr write };
allow init fs_bpf:file { create getattr open };
allow init fs_bpf:filesystem { mount };
allow init fs_bpf:file { write };
allow init fs_bpf:lnk_file { create };
allow init cgroup2:dir { add_name create mounton open read search setattr write };
allow init cgroup2:file { create getattr open };
allow init cgroup2:filesystem { mount };
allow init cgroup2:file { write };
allow init cgroup2:lnk_file { create };

# init relabels and cleans up the control-socket nodes; netsysnative only
# adjusts their attributes here (creation is granted near the top of the file).
allow init dnsproxy_service:sock_file { getattr unlink setattr relabelto };
allow netsysnative dnsproxy_service:sock_file { setattr };
allow init fwmark_service:sock_file { getattr unlink setattr relabelto };
allow netsysnative fwmark_service:sock_file { setattr };

# Every process domain may talk to the fwmark and dnsproxy sockets and may
# read/write the tun device node. `open` on dev_tun_file is deliberately
# absent here — within this file only netsysnative has it — so another domain
# can use a tun descriptor only if netsysnative opens it and passes it along
# (see the fd `use` rule below). NOTE(review): keep it that way; granting
# open to `domain` would let any process attach to the tun device directly.
allow domain fwmark_service:sock_file { write read };
allow domain dnsproxy_service:sock_file { write read };
allow domain dev_tun_file:chr_file { read write };
# Any domain may use file descriptors that originate in netsysnative.
allow domain netsysnative:fd { use };
136
# Policy-manager lookup and the two hardening constraints of this file.
allow netsysnative sa_net_policy_manager:samgr_class { get };

# Only the listed domains (and anything carrying the
# netsysnative_violator_binder_call attribute) may make binder calls into
# netsysnative. NOTE(review): the *_violator_* attribute is an escape hatch —
# each type that is given it widens this boundary, so its assignments deserve
# the same review as an edit to this list.
neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -telephony_sa -param_watcher -hidumper_service -samgr -edm_sa -netsysnative_violator_binder_call -security_collector } netsysnative:binder *;
# Only netsysnative (and holders of rgm_violator_ohos_iptables_exec_file_execute)
# may execute the iptables binary.
neverallow { domain -netsysnative -rgm_violator_ohos_iptables_exec_file_execute } iptables_exec:file { execute };
141
# The rules from here on were derived from AVC denial logs, quoted above each
# rule. Most were captured with permissive=1 (recorded, not enforced); the
# permissive=0 entries were actually blocked at the time. Each rule should
# stay tied to the specific need shown in its log line.
# avc:  denied  { getattr } for  pid=4358 comm="xl2tpd" lport=1701 scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=udp_socket permissive=1
allow netsysnative netsysnative:udp_socket { getattr };

# charon (strongSwan) uses a PF_KEY socket (SELinux class key_socket) to manage
# kernel IPsec state.
# avc:  denied  { create } for  pid=3827 comm="charon" scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=key_socket permissive=1
# avc:  denied  { read } for  pid=4115 comm="charon" scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=key_socket permissive=1
# avc:  denied  { write } for  pid=4115 comm="charon" scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=key_socket permissive=1
allow netsysnative netsysnative:key_socket { create read write };

# Enforced denial (permissive=0): ipsec could not traverse the "local" dir.
#  avc:  denied  { search } for  pid=5628 comm="ipsec" name="local" dev="mmcblk0p15" ino=27 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=0
allow netsysnative data_local:dir { search };

# "hosts" is a symlink under the system etc tree; only the link itself is
# granted here (file read on system_etc_file is not in this rule).
# avc:  denied  { read } for  pid=499 comm="OS_IPC_2_988" name="hosts" dev="mmcblk0p7" ino=719 scontext=u:r:netsysnative:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
allow netsysnative system_etc_file:lnk_file { read };

# Completes the earlier dev_console_file { read write } grant with open.
# avc:  denied  { open } for  pid=10447 comm="starter" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
allow netsysnative dev_console_file:chr_file { open };

# VPN working directory /data/service/el1/public/vpn. NOTE(review): the rules
# below (and the sock_file/fifo_file ones that follow) are granted on the whole
# data_service_el1_file type, not just the vpn directory; if that type labels
# more of /data/service/el1 than the VPN tree, a dedicated type for the vpn
# directory would confine netsysnative's unlink/setattr/remove_name to it —
# confirm against the file_contexts.
# avc:  denied  { open } for  pid=2154 comm="charon" path="/data/service/el1/public/vpn" dev="mmcblk0p15" ino=235 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { remove_name } for  pid=10447 comm="starter" name="starter.charon.pid" dev="mmcblk0p15" ino=2678 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { read } for  pid=10489 comm="charon" name="vpn" dev="mmcblk0p15" ino=221 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
allow netsysnative data_service_el1_file:dir { remove_name read open };

# avc:  denied  { getattr } for  pid=2144 comm="starter" path="/data/service/el1/public/vpn/strongswan.conf" dev="mmcblk0p15" ino=2864 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=2154 comm="charon" path="/data/service/el1/public/vpn/swanctl.conf" dev="mmcblk0p15" ino=2863 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { unlink } for  pid=10447 comm="starter" name="starter.charon.pid" dev="mmcblk0p15" ino=2678 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { setattr } for  pid=10489 comm="charon" name="charon.log" dev="mmcblk0p15" ino=2837 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { append } for  pid=3148 comm="pppd" path="/data/service/el1/public/vpn/xl2tpd.log" dev="mmcblk0p15" ino=2652 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
allow netsysnative data_service_el1_file:file { unlink setattr getattr map append };

# AF_ALG (kernel crypto API) socket for charon.
# avc:  denied  { create } for  pid=10489 comm="charon" scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=alg_socket permissive=1
# avc:  denied  { bind } for  pid=10489 comm="charon" scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=alg_socket permissive=1
allow netsysnative netsysnative:alg_socket { create bind};

# ioctl 0x5413 is TIOCGWINSZ — presumably a terminal-detection probe on the
# sysctl file handle rather than a real need; the xperm rule confines the
# grant to that single ioctl.
# avc:  denied  { getattr } for  pid=2154 comm="charon" path="/proc/sys/net/core/xfrm_acq_expires" dev="proc" ino=28723 scontext=u:r:netsysnative:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
# avc:  denied  { ioctl } for  pid=10489 comm="charon" path="/proc/sys/net/core/xfrm_acq_expires" dev="proc" ino=20020 ioctlcmd=0x5413 scontext=u:r:netsysnative:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
allow netsysnative proc_file:file { getattr ioctl };
allowxperm netsysnative proc_file:file ioctl { 0x5413 };
179
# strongSwan control sockets (charon.ctl, charon.vici) under the VPN
# directory; swanctl writes to the vici socket. Granted on the whole
# data_service_el1_file type, see the note on the dir rules above.
# avc:  denied  { create } for  pid=3061 comm="charon" name="charon.ctl" scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=sock_file permissive=1
# avc:  denied  { setattr } for  pid=3061 comm="charon" name="charon.ctl" dev="mmcblk0p15" ino=2648 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=sock_file permissive=1
# avc:  denied  { write } for  pid=3188 comm="swanctl" name="charon.vici" dev="mmcblk0p15" ino=2649 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=sock_file permissive=1
# avc:  denied  { unlink } for  pid=2153 comm="starter" name="charon.ctl" dev="mmcblk0p15" ino=2692 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=sock_file permissive=1
# avc:  denied  { getattr } for  pid=2154 comm="charon" path="/data/service/el1/public/vpn/charon.vici" dev="mmcblk0p15" ino=2693 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=sock_file permissive=1
allow netsysnative data_service_el1_file:sock_file { unlink getattr create setattr write };

# Outbound binder call into wifi_manager_service (the reverse direction is
# covered by the binder neverallow exception list above).
# avc:  denied  { call } for  pid=619 comm="OS_FFRT_2_7" scontext=u:r:netsysnative:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1
allow netsysnative wifi_manager_service:binder { call };

# xl2tpd control FIFO (l2tp-control); "touch" and pppd also hit it.
# avc:  denied  { getattr } for  pid=3203 comm="charon" path="/data/service/el1/public/vpn/l2tp-control" dev="mmcblk0p15" ino=2668 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=fifo_file permissive=1
# avc:  denied  { unlink } for  pid=5924 comm="xl2tpd" name="l2tp-control" dev="mmcblk0p15" ino=2996 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=fifo_file permissive=1
# avc:  denied  { write } for  pid=7000 comm="touch" name="l2tp-control" dev="mmcblk0p15" ino=3038 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=fifo_file permissive=1
# avc:  denied  { create } for  pid=4364 comm="xl2tpd" name="l2tp-control" scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=fifo_file permissive=1
# avc:  denied  { read } for  pid=4364 comm="xl2tpd" name="l2tp-control" dev="mmcblk0p15" ino=2896 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=fifo_file permissive=1
# avc:  denied  { open } for  pid=4364 comm="xl2tpd" path="/data/service/el1/public/vpn/l2tp-control" dev="mmcblk0p15" ino=2896 scontext=u:r:netsysnative:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=fifo_file permissive=1
allow netsysnative data_service_el1_file:fifo_file { create read open unlink write getattr };

# Pseudo-terminal allocation for the L2TP/PPP link: open /dev/ptmx, then
# TIOCGPTN (0x5430) / TIOCSPTLCK (0x5431) to obtain and unlock the slave, and
# TCGETS/TCSETS (0x5401/0x5402) for termios. The xperm rule confines ioctl to
# exactly these four.
# avc:  denied  { ioctl } for  pid=4040 comm="xl2tpd" path="/dev/ptmx" dev="tmpfs" ino=301 ioctlcmd=0x5430 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4040 comm="xl2tpd" path="/dev/ptmx" dev="tmpfs" ino=301 ioctlcmd=0x5401 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4040 comm="xl2tpd" path="/dev/ptmx" dev="tmpfs" ino=301 ioctlcmd=0x5402 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# avc:  denied  { read write } for  pid=6960 comm="xl2tpd" name="ptmx" dev="tmpfs" ino=300 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# avc:  denied  { open } for  pid=6960 comm="xl2tpd" path="/dev/ptmx" dev="tmpfs" ino=300 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3133 comm="xl2tpd" path="/dev/ptmx" dev="tmpfs" ino=301 ioctlcmd=0x5431 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
allow netsysnative dev_ptmx:chr_file { read write open ioctl };
allowxperm netsysnative dev_ptmx:chr_file ioctl { 0x5431 0x5430 0x5401 0x5402 };

# NOTE(review): the two log lines below were recorded for
# scontext=u:r:vpnmanager:s0, but the rule grants netsysnative. Either the
# processes were later moved into netsysnative (the devpts ioctl logs further
# down are from netsysnative) or the rule is on the wrong domain — confirm.
# avc:  denied  { open } for  pid=2719 comm="xl2tpd" path="/dev/pts/1" dev="devpts" ino=4 scontext=u:r:vpnmanager:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { getattr } for  pid=2359 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 scontext=u:r:vpnmanager:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
allow netsysnative devpts:chr_file { open  getattr };
# Enforced denial (permissive=0): lookup of the VPN manager system ability.
# avc:  denied  { get } for service=1155 sid=u:r:netsysnative:s0 scontext=u:r:netsysnative:s0 tcontext=u:object_r:sa_comm_vpn_manager_service:s0 tclass=samgr_class permissive=0
allow netsysnative sa_comm_vpn_manager_service:samgr_class { get };

# avc:  denied  { getattr } for  pid=4064 comm="pppd" path="socket:[44876]" dev="sockfs" ino=44876 scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=unix_dgram_socket permissive=1
allow netsysnative netsysnative:unix_dgram_socket { getattr };

# pppd's ioctls on the pty slave: 0x54xx are tty/termios controls (0x5423 is
# TIOCSETD, i.e. setting the line discipline), and 0x7437 falls in the
# PPPIOC ('t') range. The hex path in the last line decodes to
# "/dev/pts/1 (deleted)" — the audit subsystem hex-encodes paths containing
# spaces; that entry was enforced (permissive=0).
# avc:  denied  { ioctl } for  pid=4064 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 ioctlcmd=0x5416 scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3700 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 ioctlcmd=0x542a scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3700 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 ioctlcmd=0x542d scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3700 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 ioctlcmd=0x540c scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3700 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 ioctlcmd=0x5423 scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3700 comm="pppd" path="/dev/pts/1" dev="devpts" ino=4 ioctlcmd=0x7437 scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=2670 comm="pppd" path=2F6465762F7074732F31202864656C6574656429 dev="devpts" ino=4 ioctlcmd=0x5417 scontext=u:r:netsysnative:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
allow netsysnative devpts:chr_file { ioctl };
allowxperm netsysnative devpts:chr_file ioctl { 0x5416 0x542a 0x542d 0x540c 0x5423 0x7437 0x5417};
225
# pppd reads the kernel routing table via /proc/<pid>/net/route.
# avc:  denied  { read } for  pid=3629 comm="pppd" name="route" dev="proc" ino=4026532126 scontext=u:r:netsysnative:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=3629 comm="pppd" path="/proc/3629/net/route" dev="proc" ino=4026532126 scontext=u:r:netsysnative:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
allow netsysnative proc_net:file { read open};

# pppd route/peer setup: 0x890b SIOCADDRT, 0x890c SIOCDELRT, 0x8912 SIOCGIFCONF,
# 0x8918 SIOCSIFDSTADDR. These combine with the udp_socket ioctl whitelist
# near the top of the file.
# avc:  denied  { ioctl } for  pid=3185 comm="pppd" path="socket:[40480]" dev="sockfs" ino=40480 ioctlcmd=0x890b scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=udp_socket permissive=1
# avc:  denied  { ioctl } for  pid=4065 comm="pppd" path="socket:[43566]" dev="sockfs" ino=43566 ioctlcmd=0x890c scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=udp_socket permissive=1
# avc:  denied  { ioctl } for  pid=3700 comm="pppd" path="socket:[44443]" dev="sockfs" ino=44443 ioctlcmd=0x8912 scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=udp_socket permissive=1
# avc:  denied  { ioctl } for  pid=3629 comm="pppd" path="socket:[43257]" dev="sockfs" ino=43257 ioctlcmd=0x8918 scontext=u:r:netsysnative:s0 tcontext=u:r:netsysnative:s0 tclass=udp_socket permissive=1
allow netsysnative netsysnative:udp_socket { ioctl };
allowxperm netsysnative netsysnative:udp_socket ioctl { 0x8912 0x8918 0x890b 0x890c};

# Traversal of the devpts mount root so the pty slave can be opened.
# avc:  denied  { search } for  pid=3133 comm="xl2tpd" name="/" dev="devpts" ino=1 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissive=1
allow netsysnative dev_pts_file:dir { search };

# /dev/ppp: the PPP generic device pppd drives the link through.
# avc:  denied  { read write } for  pid=3290 comm="pppd" name="ppp" dev="tmpfs" ino=375 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { open } for  pid=3290 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
allow netsysnative dev_ppp_file:chr_file { open read write };

# PPPIOC* ioctls ('t' = 0x74 type) on /dev/ppp, each taken from a logged
# denial; the xperm rule limits ioctl to this enumerated set.
# avc:  denied  { ioctl } for  pid=3290 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x7438 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x743e scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x743a scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x7440 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x745a scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x7459 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x744f scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x7457 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=3077 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x744b scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=2517 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x7452 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=2517 comm="pppd" path="/dev/ppp" dev="tmpfs" ino=375 ioctlcmd=0x7454 scontext=u:r:netsysnative:s0 tcontext=u:object_r:dev_ppp_file:s0 tclass=chr_file permissive=1
allow netsysnative dev_ppp_file:chr_file { ioctl };
allowxperm netsysnative dev_ppp_file:chr_file ioctl { 0x7438 0x743e 0x743a 0x7440 0x745a 0x7459 0x744f 0x7457 0x744b 0x7452 0x7454 };

# Enforced denial (permissive=0): openvpn connecting to its server on 1194.
# NOTE(review): `port` is the generic port type, so this allows name_connect to
# every port carrying that label, not only 1194; a dedicated port type for the
# VPN server port would be narrower if the port set is fixed — confirm.
# avc:  denied  { name_connect } for  pid=2551 comm="openvpn" dest=1194 scontext=u:r:netsysnative:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=0
allow netsysnative port:tcp_socket { name_connect };

# charon looks up and calls the certificate manager (SA lookup, then binder).
# avc:  denied  { get } for service=3512 sid=u:r:netsysnative:s0 scontext=u:r:netsysnative:s0 tcontext=u:object_r:sa_cert_manager_service:s0 tclass=samgr_class permissive=1
allow netsysnative sa_cert_manager_service:samgr_class { get };
# avc:  denied  { call } for  pid=5199 comm="charon" scontext=u:r:netsysnative:s0 tcontext=u:r:cert_manager_service:s0 tclass=binder permissive=1
allow netsysnative cert_manager_service:binder { call };

# Socket options on ICMP sockets handed over from app domains (no read/write,
# unlike the tcp/udp app-socket rules above).
allow netsysnative hap_domain:icmp_socket { setopt getopt };

# NOTE(review): the two rules below are app-domain (hap_domain self) rules, not
# netsysnative rules, and are broader than their logs: the denials were for
# debug_hap only, while the grant covers the whole hap_domain attribute. They
# are xperm-only (the base ioctl permission must come from elsewhere).
# 0x8919 is SIOCGIFBRDADDR; 0x5411 is TIOCOUTQ/SIOCOUTQ (unsent-bytes query).
# avc: denied { ioctl } for pid=6938, comm="/system/bin/appspawn"  ioctlcmd=0x8919  scontext=u:r:debug_hap:s0 tcontext=u:r:debug_hap:s0 tclass=udp_socket permissive=0
allowxperm hap_domain self:udp_socket ioctl { 0x8919 };

# avc: denied { ioctl } for pid=6456, comm="/system/bin/appspawn" ioctlcmd=0x5411 scontext=u:r:debug_hap:s0 tcontext=u:r:debug_hap:s0 tclass=tcp_socket permissive=0
allowxperm hap_domain self:tcp_socket ioctl { 0x5411 };
273