Define debuggerd class, permissions, and rules. Define a new class, permissions, and rules for the debuggerd SELinux MAC checks. Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd. Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: ba992496f01e40a10d9749bb25b6498138e607fb [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Thu Jul 24 15:25:43 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Thu Jul 24 15:33:44 2014 -0400
tree: b8c00dea54c60d7df0d1f0858f9fac50a4a1131f
parent: b2eaa28d11c6fed7806c08728ef624819171d627 [diff] [blame]
diff --git a/debuggerd.te b/debuggerd.te
index 6bbeac4..22afe63 100644
--- a/debuggerd.te
+++ b/debuggerd.te

@@ -9,7 +9,7 @@
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
@@ -31,3 +31,6 @@
 
 # logd access
 read_logd(debuggerd)
+
+# Check SELinux permissions.
+selinux_check_access(debuggerd)
commit	ba992496f01e40a10d9749bb25b6498138e607fb	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Thu Jul 24 15:25:43 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Thu Jul 24 15:33:44 2014 -0400
tree	b8c00dea54c60d7df0d1f0858f9fac50a4a1131f
parent	b2eaa28d11c6fed7806c08728ef624819171d627 [diff] [blame]