Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / af47ebb67aa64d699615693bf4603ec173417175^! / .
commitaf47ebb67aa64d699615693bf4603ec173417175[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Mon Nov 04 09:47:29 2013 -0500
committerNick Kralevich <nnk@google.com>Mon Nov 11 11:52:24 2013 -0800
tree9a677ec9b924842dacf4d4d28d688d13525923f3
parent00739e3d14f2f1ea9240037283c3edd836d2aa2f [diff]
Label /dev/fscklogs and allow system_server access to it.

Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc:  denied  { getattr } for  pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc:  denied  { open } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc:  denied  { write } for  pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { remove_name } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { unlink } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/device.te b/device.te
index 508c0eb..76302cd 100644
--- a/device.te
+++ b/device.te

@@ -15,6 +15,7 @@
 type ram_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type fscklogs, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;

diff --git a/file_contexts b/file_contexts
index d8315a1..41f9b1c 100644
--- a/file_contexts
+++ b/file_contexts

@@ -45,6 +45,7 @@
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
+/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0

diff --git a/system_server.te b/system_server.te
index 1ffa34d..4d79c1a 100644
--- a/system_server.te
+++ b/system_server.te

@@ -212,3 +212,8 @@
 
 # Access to wake locks
 allow system_server sysfs_wake_lock:file rw_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;