Commit 841f6d87 authored Apr 18, 2016 by Nick Kralevich

Address emulator specific SELinux denials

Fix the following denials:

  avc: denied { search } for pid=222 comm="system_server"
  name="qemu_trace" dev="sysfs" ino=45 scontext=u:r:system_server:s0
  tcontext=u:object_r:sysfs_writable:s0 tclass=dir permissive=1

  avc: denied { open } for pid=222 comm="system_server"
  name="u:object_r:opengles_prop:s0" dev="tmpfs" ino=1429
  scontext=u:r:system_server:s0 tcontext=u:object_r:opengles_prop:s0
  tclass=file permissive=1

  avc: denied { read } for pid=222 comm="system_server"
  name="u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=1430
  scontext=u:r:system_server:s0 tcontext=u:object_r:radio_noril_prop:s0
  tclass=file permissive=1

  avc: denied { open } for pid=222 comm="system_server"
  name="u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=1430
  scontext=u:r:system_server:s0 tcontext=u:object_r:radio_noril_prop:s0
  tclass=file permissive=1

  avc: denied { getattr } for pid=222 comm="system_server"
  path="/dev/__properties__/u:object_r:radio_noril_prop:s0" dev="tmpfs"
  ino=1430 scontext=u:r:system_server:s0
  tcontext=u:object_r:radio_noril_prop:s0 tclass=file permissive=1

  avc: denied { search } for pid=424 comm="putmethod.latin"
  name="qemu_trace" dev="sysfs" ino=45
  scontext=u:r:untrusted_app:s0:c512,c768
  tcontext=u:object_r:sysfs_writable:s0 tclass=dir permissive=1

Bug: 28221393
Change-Id: I6fce1127d9d9e8bc0119bace3f142d51382401c0

parent 05ce0a94

target/board/generic/sepolicy/domain.te

+1 −0

Original line number	Diff line number	Diff line
		# For /sys/qemu_trace files in the emulator.
		allow domain sysfs_writable:dir search;
		allow domain sysfs_writable:file rw_file_perms;
		allow domain qemu_device:chr_file rw_file_perms;

target/board/generic/sepolicy/system_server.te

+2 −0

Original line number	Diff line number	Diff line
		unix_socket_connect(system_server, qemud, qemud)
		get_prop(system_server, opengles_prop)
		get_prop(system_server, radio_noril_prop)