From d240d2be776496ff683894f1bbc7a16fee1ff5c2 Mon Sep 17 00:00:00 2001 From: Ricky Wai Date: Wed, 3 Mar 2021 10:57:50 +0000 Subject: [PATCH] Dontaudit zygote to read and open media_rw_data_file dir Zygote will trigger sdcardfs to read and open media_rw_data_file:dir. We can safely ignore this message. Bug: 177248242 Test: Able to boot without selinux warning. Change-Id: Ie9723ac79547bf857f55fc0e60b461210a4e4557 --- private/zygote.te | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/private/zygote.te b/private/zygote.te index 83323c9a4..5f24115c9 100644 --- a/private/zygote.te +++ b/private/zygote.te @@ -197,9 +197,11 @@ get_prop(zygote, device_config_window_manager_native_boot_prop) # undesirable, so suppress the denial. dontaudit zygote self:global_capability_class_set { sys_resource fsetid }; -# Ignore spurious denials calling access() on fuse +# Ignore spurious denials calling access() on fuse. +# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that +# doesn't exist. # TODO(b/151316657): avoid the denials -dontaudit zygote media_rw_data_file:dir setattr; +dontaudit zygote media_rw_data_file:dir { read open setattr }; # Allow zygote to use ashmem fds from system_server. allow zygote system_server:fd use;
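Review bot: The widened rule `dontaudit zygote media_rw_data_file:dir { read open setattr };` now silences read and open denials but the comment above it still tracks only the original setattr suppression via `# TODO(b/151316657): avoid the denials`, while the commit message attributes the new noise to Bug 177248242; suggest referencing the new bug in the TODO (e.g. `# TODO(b/151316657, b/177248242): avoid the denials`) so each suppressed permission stays traceable to an open issue. Since dontaudit also hides evidence of any real read/open by zygote on app data directories, the reasoning that this is purely an sdcardfs side effect of a lookup on a nonexistent directory should be stated in the comment rather than just "may read and open dir", and the long comment line should be wrapped to match the surrounding lines.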