Allow system_server to create files on configfs
A change in the "open" syscall between kernel 4.4 and 4.9 means that the "create" action is now checked and makes system_server trigger an SELinux denial when PackageSettings is removing a user ID from Settings.java/writeKernelRemoveUserLPr() in PackageManager.

Bug: 70150770
Test: Manual
- Add a new user on the device, no need to perform setup.
- Wait 30s
- Remove the added user
- While running, check the result of:
  adb logcat -v time -b events | grep audit | grep system_server
Change-Id: I1f490ea95d5bcb2adc76cba041bffbea131b447a
parent cfbe2a1f55
commit 8e0086a886
1 changed files with 1 additions and 1 deletions
|
@ -678,7 +678,7 @@ allow system_server app_fuse_file:file { read write open getattr append };
|
|||
|
||||
# For configuring sdcardfs
|
||||
allow system_server configfs:dir { create_dir_perms };
|
||||
allow system_server configfs:file { getattr open unlink write };
|
||||
allow system_server configfs:file { getattr open create unlink write };
|
||||
|
||||
# Connect to adbd and use a socket transferred from it.
|
||||
# Used for e.g. jdwp.
|
||||
|
|
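Review bot: the `# For configuring sdcardfs` comment above the changed `allow system_server configfs:file` rule does not say why `create` is now required, so a later policy cleanup could drop it as an unneeded grant. Suggest a short comment next to the rule stating that kernel 4.9 checks `create` on open when PackageManager removes a user ID, as the commit message describes. Since the rule covers every file labelled `configfs` and the comment ties it only to sdcardfs, it is also worth noting in the policy whether a narrower label for the sdcardfs entries was considered.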