From 13fbbb996afd006e770c55d40f92980dc78e9340 Mon Sep 17 00:00:00 2001
From: Alexander Diewald
Date: Wed, 22 Nov 2017 23:30:49 +0100
Subject: shinano: sepolicy: Allow mlog_qmi to access its own socket.

I mlog_qmi_servic: type=1400 audit(0.0:37): avc: denied { create } for scontext=u:r:mlog_qmi:s0 tcontext=u:r:mlog_qmi:s0 tclass=socket permissive=1

Change-Id: Ic659f526a436afd4509dea0a3780aa38f78b4875
Signed-off-by: Alexander Diewald
---
 sepolicy/mlog_qmi.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te
index d41a788..e8f84d1 100644
--- a/sepolicy/mlog_qmi.te
+++ b/sepolicy/mlog_qmi.te
@@ -5,7 +5,9 @@ type mlog_qmi_exec, exec_type, file_type;
 init_daemon_domain(mlog_qmi)
 allow mlog_qmi self:capability { net_raw net_bind_service };
-allow mlog_qmi self:socket create_socket_perms_no_ioctl;
+allow mlog_qmi self:socket create_socket_perms;
+# NOTE: using self:socket for the ioctl results in a denial
+allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls;
 # Access to /dev/smem_log
 allow mlog_qmi smem_log_device:chr_file rw_file_perms;
-- 
cgit v1.2.3
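Review bot: The only denial quoted in the commit message is `{ create }` on the domain's own `socket` class, but judging by the macro names the permission these lines actually add is `ioctl`, by moving from `create_socket_perms_no_ioctl` to `create_socket_perms`. No ioctl denial with its `ioctlcmd=` value is shown, so the need for the wider grant cannot be checked from this page. The new `allowxperm` rule confines that ioctl to `mlog_qmi_ioctls`, which is defined outside this diff, so the real exposure on the generic `socket` class depends on how short that list is. I would replace the NOTE with a comment naming the commands, for example `# socket ioctls limited to mlog_qmi_ioctls (<command names>); self is not accepted as the allowxperm target here`. Because the quoted denial was logged with `permissive=1`, it is also worth re-testing in enforcing mode to confirm no further permissions are needed.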