Give domains read access to security_file domain.
/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.
Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
diff --git a/debuggerd.te b/debuggerd.te
index a0041e6..aca499b 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:process ptrace;
-allow debuggerd rootfs:file r_file_perms;
+security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
allow debuggerd tombstone_data_file:dir relabelto;
diff --git a/installd.te b/installd.te
index 553127c..428e379 100644
--- a/installd.te
+++ b/installd.te
@@ -18,8 +18,8 @@
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
-# Read /seapp_contexts, presently on the rootfs.
-allow installd rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
# ASEC
allow installd platform_app_data_file:lnk_file { create setattr };
allow installd app_data_file:lnk_file { create setattr };
diff --git a/runas.te b/runas.te
index 60b086d..8bb2d03 100644
--- a/runas.te
+++ b/runas.te
@@ -34,7 +34,8 @@
allow runas self:capability { setuid setgid };
# run-as switches to the app security context.
-allow runas rootfs:file r_file_perms; # read /seapp_contexts
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon
diff --git a/system.te b/system.te
index 650a747..17df64a 100644
--- a/system.te
+++ b/system.te
@@ -147,8 +147,8 @@
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;
-# Read /file_contexts.
-allow system rootfs:file r_file_perms;
+# Read /file_contexts and /data/security/file_contexts
+security_access_policy(system)
# Relabel apk files.
allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
diff --git a/te_macros b/te_macros
index bda87d4..86a3a5b 100644
--- a/te_macros
+++ b/te_macros
@@ -236,8 +236,6 @@
allow $1 selinuxfs:file r_file_perms;
allow $1 rootfs:dir r_dir_perms;
allow $1 rootfs:file r_file_perms;
-allow $1 system_file:dir r_dir_perms;
-allow $1 system_file:file r_file_perms;
')
#####################################
@@ -285,4 +283,4 @@
# man 2 klogctl
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
-')
\ No newline at end of file
+')
diff --git a/ueventd.te b/ueventd.te
index f765cc5..9023173 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,7 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
tmpfs_domain(ueventd)
-allow ueventd rootfs:file r_file_perms;
+security_access_policy(ueventd)
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
diff --git a/vold.te b/vold.te
index 8ffc404..71067c4 100644
--- a/vold.te
+++ b/vold.te
@@ -60,6 +60,6 @@
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
-allow vold rootfs:file r_file_perms;
+security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };
diff --git a/zygote.te b/zygote.te
index 33e8fe8..7cf20b7 100644
--- a/zygote.te
+++ b/zygote.te
@@ -28,8 +28,8 @@
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
-# Read /seapp_contexts, presently on the rootfs.
-allow zygote rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
# Setting up /storage/emulated.
allow zygote rootfs:dir mounton;