Allow system_server to create files on configfs
A change in the "open" syscall between kernel 4.4 and 4.9 means that
the "create" action is now checked and makes system_server trigger
an SELinux denial when PackageSettings is removing a user ID from
Settings.java/writeKernelRemoveUserLPr() in PackageManager.
Bug: 70150770
Test: Manual
- Add a new user on the device, no need to perform setup.
- Wait 30s
- Remove the added user
- While running, check the result of:
adb logcat -v time -b events | grep audit | grep system_server
Change-Id: I1f490ea95d5bcb2adc76cba041bffbea131b447a
diff --git a/private/system_server.te b/private/system_server.te
index e9942ed..752dee7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -678,7 +678,7 @@
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
+allow system_server configfs:file { getattr open create unlink write };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
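Review bot: The `create` permission added on the `+allow system_server configfs:file` line is not documented in the policy. The only comment above it is "# For configuring sdcardfs", and the actual reason (kernel 4.9 checking the create action on open, hit from Settings.java/writeKernelRemoveUserLPr()) appears only in the commit message. Please add a short comment beside the rule giving that reason and the bug number, so a later policy audit neither drops the permission as unexplained nor treats it as a precedent for widening it. Note also that the rule covers every file labeled configfs, not only the sdcardfs entries the comment mentions. Since testing is manual, the description should state that the logcat check shows no remaining system_server denials on 4.9 and that the user add/remove flow still works on 4.4.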