address some selinux denials

Change-Id: Iff77bcbfc6a496dfb587c3bcce781c3c00e2c292
(cherry picked from commit 5244c9e37f94e000a4ea61efa80ad3318aa39c84)

sepolicy/audioserver.te

@@ -13,3 +13,6 @@ allow audioserver sysfs_devinfo:file { open read write };
 allow audioserver sysfs_ccci:file r_file_perms;
 allow audioserver sysfs_ccci:dir search;
 allow audioserver audiohal_prop:property_service set;
+
+allow audioserver sysfs_boot_mode:file { read open };
+#allow audioserver device:chr_file { read write open };

sepolicy/bluetooth.te

@@ -7,3 +7,5 @@ allow bluetooth nvdata_file:file rw_file_perms;
 allow bluetooth nvdata_file:lnk_file r_file_perms;
 
 allow bluetooth block_device:dir search;
+
+allow bluetooth sysfs_boot_mode:file { read open };

sepolicy/init.te

@@ -7,3 +7,12 @@ allow init protect1_device:blk_file write;
 allow init protect2_device:blk_file write;
 
 allow init socket_device:sock_file { create setattr unlink };
+
+
+allow init tmpfs:lnk_file { create };
+allow init mnt_media_rw_file:dir { mounton };
+allow init asec_apk_file:dir { mounton };
+allow init perf_control_sysfs:file { getattr };
+allow init servicemanager:binder { call transfer };
+allow init sdcardd_exec:file r_file_perms;
+allow init wmtWifi_device:chr_file { write };

sepolicy/kernel.te

@@ -4,3 +4,8 @@ allow kernel self:capability dac_override;
 allow kernel wifi_data_file:dir search;
 allow kernel wifi_data_file:file r_file_perms;
 
+# for /cache/gtp_(clk|ref).bin
+allow kernel cache_file:file { write open };
+
+#allow mediaserver device:chr_file { read open ioctl };
+#allow mediaserver default_prop:property_service { set };

sepolicy/mediaserver.te

@@ -7,3 +7,7 @@ allow mediaserver ccci_device:chr_file rw_file_perms;
 allow mediaserver pq_service:service_manager find;
 
 allow mediaserver sysfs_devinfo:file r_file_perms;
+
+allow mediaserver camera_device:chr_file { read write open ioctl };
+allow mediaserver sysfs_boot_mode:file { read open };
+allow mediaserver sysfs_ddr_type:file { read open };

sepolicy/nvram_daemon.te

@@ -24,3 +24,7 @@ allow nvram_daemon wmt_prop:property_service set;
 allow nvram_daemon block_device:dir search;
 
 unix_socket_connect(nvram_daemon, property, init)
+
+allow nvram_daemon sysfs_boot_mode:file { read open };
+allow nvram_daemon sysfs:file { write };
+allow nvram_daemon system_prop:property_service { set };

sepolicy/priv_app.te

@@ -3,3 +3,5 @@ allow priv_app guiext-server_service:service_manager find;
 
 # PQ
 allow priv_app pq_service:service_manager find;
+
+allow priv_app device:dir { read open };

sepolicy/servicemanager.te

@@ -0,0 +1,3 @@
+allow servicemanager init:dir { search };
+allow servicemanager init:file { read open };
+allow servicemanager init:process { getattr };

sepolicy/system_app.te

@@ -5,4 +5,6 @@ allow system_app fast_charge_sysfs:file rw_file_perms;
 allow system_app smartwake_sysfs:file rw_file_perms;
 allow system_app perf_control_sysfs:file rw_file_perms;
 
-allow system_app em_svr:unix_stream_socket connectto;
+allow system_app em_svr:unix_stream_socket connectto;
+
+allow system_app radio_data_file:dir { getattr };

sepolicy/system_server.te

@@ -30,3 +30,5 @@ allow system_server storage_stub_file:dir { getattr };
 
 # Guiext
 allow system_server guiext-server_service:service_manager find;
+
+allow system_server unlabeled:file { unlink };

sepolicy/untrusted_app.te

@@ -1,2 +1,6 @@
 # PQ
 allow untrusted_app pq_service:service_manager find;
+
+# These are safe for an untrusted_app -- they are the external SD card
+allow untrusted_app fuseblk:dir search;
+allow untrusted_app fuseblk:file { getattr read };

sepolicy/wmt_loader.te

@@ -9,3 +9,5 @@ allow wmt_loader proc_wmt:file setattr;
 allow wmt_loader wmt_prop:property_service set;
 
 unix_socket_connect(wmt_loader, property, init)
+
+allow wmt_loader stpwmt_device:chr_file { read write open ioctl };