From 9f18aa0362bc43ee7e2dc66d5bce6abc5685c617 Mon Sep 17 00:00:00 2001 
From: DerfElot Date: Tue, 4 Apr 2017 00:56:46 +0200 Subject: shinano-common: fix more selinux denials from logcat: 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:7): avc: denied { unlink } for name="log" dev="mmcblk0p24" ino=6403 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:8): avc: denied { unlink } for name=".version" dev="mmcblk0p24" ino=6404 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:9): avc: denied { unlink } for name="recovery.fstab" dev="mmcblk0p24" ino=6405 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:10): avc: denied { unlink } for name="storage.fstab" dev="mmcblk0p24" ino=6406 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 22:02:59.074 W/Thread-8(4352): type=1400 audit(0.0:11): avc: denied { unlink } for name="intent" dev="mmcblk0p24" ino=6408 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 04-03 21:05:50.971 E/SELinux (317): avc: denied { find } for service=account pid=7644 uid=0 scontext=u:r:sudaemon:s0 tcontext=u:object_r:account_service:s0 tclass=service_manager permissive=1 04-03 21:05:50.973 E/SELinux (317): avc: denied { find } for service=user pid=7644 uid=0 scontext=u:r:sudaemon:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager permissive=1 04-03 21:05:50.973 E/SELinux (317): avc: denied { find } for service=package pid=7644 uid=0 scontext=u:r:sudaemon:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager permissive=1 Change-Id: If600b150dd004a5f7fb5336b1ab6b76e2a6ec5b3 --- sepolicy/sudaemon.te | 3 +++ sepolicy/system_server.te | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 sepolicy/sudaemon.te 
diff --git a/sepolicy/sudaemon.te b/sepolicy/sudaemon.te
new file mode 100644
index 0000000..2d6c82d
--- /dev/null
+++ b/sepolicy/sudaemon.te
@@ -0,0 +1,3 @@
+allow sudaemon account_service:service_manager find;
+allow sudaemon package_service:service_manager find;
+allow sudaemon user_service:service_manager find;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index d499f98..f3fd273 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,3 +1,5 @@
 allow system_server sysfs_vibrator:file rw_file_perms;
 r_dir_file(system_server, sysfs_addrsetup)
+
+allow system_server unlabeled:file unlink;
-- cgit v1.2.3
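Review bot: The three `find` rules in sepolicy/sudaemon.te use the `sudaemon` type without declaring it and without any build-variant guard, so the file only compiles where another policy source defines that type. If that definition is limited to userdebug/eng builds (not visible in this patch), the rules belong inside the `userdebug_or_eng` macro so that user builds neither break nor carry them. The denials quoted in the commit message are all `permissive=1`, so nothing was actually blocked. A comment such as `# su daemon (uid 0) looks up account/user/package services; denials seen in logcat while the domain was permissive` would record why a root daemon needs these lookups.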
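Review bot: `allow system_server unlabeled:file unlink;` in sepolicy/system_server.te is not scoped to the five files in the logcat output; it lets system_server delete any file, on any filesystem, that lacks a valid security label. The denied names (`log`, `.version`, `recovery.fstab`, `storage.fstab`, `intent`) look like recovery state files on `mmcblk0p24`, which suggests the real problem is that the partition is never relabeled rather than that system_server lacks a permission. A narrower fix would give those paths a type in `file_contexts` and relabel the mount point at boot, for example with `restorecon_recursive` in the device init script, after which the existing policy for that type may already cover the unlink. If the rule stays, document it with something like `# recovery leaves unlabeled files on this partition; remove once it is relabeled at boot`.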