tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

domain_deprecated.te: Exclude recovery from auditallow for /cache/recovery

Browse source 
Recovery uses /cache/recovery. Exclude it from auditallow coverage.

Addresses the following SELinux log spam:

  avc:  granted  { search } for  pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc:  granted  { read } for  pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
  avc:  granted  { getattr } for  pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file

Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76
This commit is contained in:
Nick Kralevich 2016-01-06 09:37:13 -08:00
parent 956ca4c504
commit 829a749351
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
domain_deprecated.te
View file

@ -54,8 +54,8 @@ allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read }
allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms; allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
# Likely not needed. auditallow to be sure # Likely not needed. auditallow to be sure
auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms; auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:dir r_dir_perms;
auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read }; auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:file { getattr read };
auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms; auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
# For /acct/uid/*/tasks. # For /acct/uid/*/tasks.