commit 755cb39b33a74d5b802da22e5856587b881ee9a3
author Nick Kralevich <nnk@google.com> Wed Sep 18 20:04:05 2013 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Sep 18 20:04:06 2013 +0000
tree f847590f0d17ff4669807db31479d5e2d24a3c3f
parent 54d92dc5dca795000edf52958d8a26b96b9f5c08
parent a473e29de0a5a1e88e1ac564d91dabb5437ae4fd

Merge changes Ia473e29d,Ic500af7b

* changes:
  write_klog also requires write permission to the directory.
  Allow access to /data/security/current symbolic link.

te_macros

diff --git a/te_macros b/te_macros
index 310612c..9313938 100644
--- a/te_macros
+++ b/te_macros
@@ -239,7 +239,7 @@
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file read;
+allow $1 security_file:lnk_file r_file_perms;
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
@@ -259,6 +259,7 @@
 unix_socket_connect($1, property, init)
 allow $1 security_file:dir create_dir_perms;
 allow $1 security_file:file create_file_perms;
+allow $1 security_file:lnk_file { create rename unlink };
 allow $1 security_prop:property_service set;
 ')
 
@@ -271,6 +272,7 @@
 unix_socket_connect($1, property, init)
 allow $1 security_file:dir create_dir_perms;
 allow $1 security_file:file create_file_perms;
+allow $1 security_file:lnk_file { create rename unlink };
 allow $1 security_prop:property_service set;
 ')
 
@@ -301,7 +303,7 @@
 define(`write_klog', `
 type_transition $1 device:chr_file klog_device "__kmsg__";
 allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { add_name remove_name };
+allow $1 device:dir { write add_name remove_name };
 ')
 
 #####################################