From 545be4642337bbbba7f6175391918ae391c68939 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson
Date: Sat, 6 Jun 2020 13:13:25 +0200
Subject: [PATCH] Allow phh-su to blockdev --setrw dm partitions to mount / read-write on logical partition devices
---
 sepolicy/su.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 785f943..cd78fd1 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -143,6 +143,8 @@ allow phhsu_daemon domain:process { transition };
 # 05-09 00:05:30.149 18450 18450 W lprename: type=1400 audit(0.0:40923): avc: denied { ioctl } for path="/dev/block/sda25" dev="tmpfs" ino=19441 ioctlcmd=0x1278 scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:super_block_device:s0 tclass=blk_file permissive=0
+# 06-06 12:59:53.775 30150 30150 I auditd : type=1400 audit(0.0:35585): avc: denied { ioctl } for comm="blockdev" path="/dev/block/dm-3" dev="tmpfs" ino=12687 ioctlcmd=0x125d scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
 allowxperm phhsu_daemon { file_type block_device }:blk_file ioctl { 0-0xffff };
-allowxperm phhsu_daemon super_block_device:blk_file ioctl { 0x1278-0x127a };
+allowxperm phhsu_daemon { super_block_device dm_device }:blk_file ioctl { 0x1278-0x127a 0x125d };
+