tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow artd to access files for restorecon.

Browse source 
Otherwise, we will get SELinux denials like:
W binder:5750_1: type=1400 audit(0.0:133): avc: denied { read } for name="plat_file_contexts" dev="dm-1" ino=979 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
W binder:5750_1: type=1400 audit(0.0:134): avc: denied { read } for name="system_ext_file_contexts" dev="dm-3" ino=92 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iec586c554fa2dc33f0a428321bada484add620ed
This commit is contained in:
Jiakai Zhang 2022-12-12 13:45:13 +00:00
parent 6834597a41
commit d7f811913b
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
private/artd.te
View file

@ -87,6 +87,13 @@ allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
# for GMS because so far we only see GMS using symlinks.
allow artd privapp_data_file:lnk_file { getattr read };
# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file r_file_perms;
allow artd seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.