Grant dumpstate append to app_data_file_type

dumpstate may be executed by apps in different domains. Notably, a
system_app needs to be able to save the output in its own directory.

  avc: denied { append } for comm="binder:575_1" dev="dm-50"
  ino=10712 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:system_app_data_file:s0 tclass=file

Using the app_data_file_type attribute to capture all the potential app
data types. For info, the current Cuttlefish policy has:

  $ seinfo -x -a app_data_file_type cf_policy
  attribute app_data_file_type;
      app_data_file
      bluetooth_data_file
      nfc_data_file
      privapp_data_file
      radio_data_file
      sdk_sandbox_data_file
      shell_data_file
      storage_area_app_dir
      storage_area_content_file
      storage_area_dir
      system_app_data_file

Test: bugreport
Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01

diff --git a/private/dumpstate.te b/private/dumpstate.te
index bccbafd..2d7a1c9 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -195,7 +195,7 @@
allow dumpstate system_data_file:file r_file_perms;
# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
+allow dumpstate app_data_file_type:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
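
Review bot: The added rule "allow dumpstate app_data_file_type:file append;" grants more than the quoted denial needs, and the comment above it does not say why. The denial only names system_app_data_file, while the seinfo listing in the commit message shows the attribute also covers sdk_sandbox_data_file, shell_data_file, storage_area_content_file and the bluetooth, nfc and radio data types, and the set will grow whenever a new type is given the attribute. The grant is append only, with no open, so dumpstate can write only to descriptors handed to it, which limits the exposure, but please either narrow the change to { privapp_data_file app_data_file system_app_data_file } or extend the comment to state that every app data type is intended because dumpstate can be invoked from any app domain. It would also help to note in the Test: line that the bugreport was triggered from a system_app, since that is the case the denial covers.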