From abfd427a3226a8bb696e5e5b9239f5445a680f6c Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Thu, 4 Sep 2014 11:04:23 -0700 Subject: [PATCH] sdcardd: grant unmount If the sdcard daemon is restarted (crash or otherwise), one of the first things it attempts to do is umount the previously mounted /mnt/shell/emulated fuse filesystem, which is denied by SELinux with the following denial: sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0 Allow the operation. Steps to reproduce: 1) adb shell into the device and su to root 2) run "kill -9 [PID OF SDCARD] Expected: sdcard daemon successfully restarts without error message. Actual: SELinux denial above, plus attempts to mount a new filesystem on top of the existing filesystem. Bug: 17383009 Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
---
 sdcardd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdcardd.te b/sdcardd.te
index ad5c58dfb..5ea77a90e 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -6,7 +6,7 @@ init_daemon_domain(sdcardd)
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd sdcard_type:filesystem { mount unmount };
 allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
 allow sdcardd sdcard_type:dir create_dir_perms;
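Review bot: The new `{ mount unmount }` rule grants unmount on every filesystem type that carries the `sdcard_type` attribute, while the denial quoted in the commit message is only for `tcontext=u:object_r:fuse:s0`. The attribute is defined outside this hunk, so its membership cannot be checked here. If it covers more than `fuse`, a narrower grant would follow least privilege: leave the existing mount rule alone and add `allow sdcardd fuse:filesystem unmount;`. Either way, a comment above the rule would help later policy audits, for example `# sdcardd unmounts its stale fuse mount after a restart (bug 17383009)`.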