Merge "Revert "meta-qti-auto-sepolicy: Fix FDE OTA avc denials on EMMC."" into le-auto-sepolicy.lnx.2.1.c1

This reverts commit c32e0401.

Reason for revert: <compilation failing on PVM>

Change-Id: Ie052aab789cf68d03496390a0f81fcdbe23291d8

Adds rule to allow transition from recovery to fde domain while
running nad-fde-app during OTA.

Change-Id: I9b44c0fe63fdf65dc9577ee8d8ba3b49813425ec

- Added sepolicy files for shell_exec_t
- Added sepolicy files for boot_kpi_values_t
- Added sepolicy files for proc_t

Change-Id: I00c50b2a1fb4de2195c2ebff0f8b535a357bd56b

Merge "le-auto-sepolicy.lnx.2.1 :- Removing sepolicy rules for attestation_manager" into le-auto-sepolicy.lnx.2.1.c1

- allows to read/write Telux log files and read Telsdk configuration.

CRs-Fixed: 4055246

Change-Id: I92bc59d340d1ddef2a3275b9b7b2d0477faf623f

attestation_manager

Attestation_manager is merged with phone_home and now comes as a library
called libphmanager. So, sepolicy is not needed now.

Change-Id: I7878dd52919512148f60a4c03facf7b35597bbc7
Signed-off-by: nnimish <quic_nnimish@quicinc.com>
(cherry picked from commit f87d6f883d0f9c32c1aa3d75eedf7e7ee8e48c53)

Allows cryptsetup i.e. lvm_t domain to access ubiblock devices
to fetch encryption status.
Also, changes mls sensitivity levels for ubiblock devnodes.

Change-Id: Ie0d3021ce21606a3be76b817224c87a42167322b

Adds allow permissions for nad-fde-app and cryptsetup to
access relevant block files on emmc based targets.

Change-Id: I7e5add150f88f8a71d19fc96d65406ce4985068a

1. Creates a unique selinux context type for nad-fde-app
   i.e. fde_app_t.
2. Since nad-fde-app calls crytpsetup, these changes also add
   selinux fixes for cryptsetup which runs in lvm_t domain.

Change-Id: I97b90e9ccedb165b94af4363e770ad135b7b06d6
(cherry picked from commit fa7be0aa1725ad09f453f7028715b5bc92039dcc)

Added sepolicy rules to access phone_home.json file from phservice module

Change-Id: Ic6229619d40b607d22d4def862d580bdd98d0a99

Allow sdcard access for diag ODL feature
to save mask and log file on the sdcard.

CRs-Fixed: 4023254
Change-Id: I16adb441514ab498a0db463c7d126a691b84dac5

*This change will handle the kill & restart of lxc container if done
manully using systemd gracefully

*denials fixed comes during systemctl stop "container"

Change-Id: I2fdc874013b0f895b32a35d047cb3f0a480898e4

Added two dontaudit rules

1. Ignore denial message that synergy_bt process to request dir search
   permission for sysctl_t.

2. Ignore denial message that synergy_bt process to request dir search
   permission for telaf_fw_t.

CRs-Fixed: 4016874
Change-Id: I2a7e8f89bc16ee88a398bb92a9cc33ab18132ff7

Add rules for fifo usage for qvirtmgr.

Change-Id: I57b4a4ea140d06f07ebe02a59e9a206e417434bf
Signed-off-by: Deepak Dimri <quic_ddimri@quicinc.com>

- Allow necessary TCP socket operations for telux_power_refd and
  data_keep_alive_app

CRs-Fixed: 4002695
Change-Id: Ib8228f96c9d3da859cc7c2166ee1685f489b6e2e

Merge "meta-qti-auto-sepolicy: provide permission to IPACM to read the /var/run/data/ipa partition size."

Sepolicy rules to mount the phone_home.json file from edgehub & phone-home module.

Change-Id: I2570373824ba934b88a145fbcf4f15c36a100b77
Signed-off-by: nnimish <quic_nnimish@quicinc.com>

Change-Id: I3533fc3d6e2f2e89e31164c383f8699abe7da6f3
CRs-Fixed: 4008143

size.

This change will provide access to IPACM to read the partition size
required by the changes to retain old IPACM logs in case of crash or restart.

Change-Id: Id3615c1bbdd72769d486cf713c37e11b8ea401c5
Signed-off-by: Umed Singh Rana <quic_urana@quicinc.com>

Add API access control rules for QMI wakeup reason feature
to prevent unprivileged application from getting process
details.

CRs-Fixed: 4014031
Change-Id: I084d8de7bedafaca2ac1472d982d217e3a00968d

Diag ODL feature allows for collecting diag logs
on the device itself. This commit add rules for
telsdk console test application, telsdk interface
for this feature and telsdk api access control.

Change-Id: If2fab71c5fc4cab6c0d16ba4aabf601d3d629432
CRs-Fixed: 4002934

Add rules for dlt to create/read/write socket file in /dev/mqueue

CRs-Fixed: 4005301
Change-Id: I8b28385d5797869e7a1ceabd941c866ad19cc438

 * build cron policies from upstream

Change-Id: I7eb08a84c9ac3fa95a8cee377e74234028665b93
Signed-off-by: Abinaya P <quic_abinayap@quicinc.com>

Remove unconfined domain rule and Give minimal permissions to run lxc
and ecall over lxc without any denials.

CRs-Fixed: 3975192

Change-Id: I34ccfe08af9f83899da62238e0a7f3ca9aec3c09
Signed-off-by: jbhalani <quic_jbhalani@quicinc.com>