diff --git a/init.te b/init.te
index 89ddac79e..3af01fbee 100644
--- a/init.te
+++ b/init.te
@@ -96,7 +96,7 @@ allow init rootfs:file relabelfrom;
 # init..rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
+allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
diff --git a/keystore.te b/keystore.te
index 3561fede7..83a0e8539 100644
--- a/keystore.te
+++ b/keystore.te
@@ -23,7 +23,7 @@ selinux_check_access(keystore)
 ### Protect ourself from others ###
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -keystore -init } keystore_data_file:dir *;
diff --git a/vold.te b/vold.te
index 2cbb306d1..14e8a16bc 100644
--- a/vold.te
+++ b/vold.te
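Review bot: The `ioctl` added to the `allow init {file_type -system_file -exec_type -app_data_file}:dir` line is unrestricted: it permits every ioctl command on directories of every file type not excluded by that set, which is almost certainly wider than the single operation init needs here. If this tree's policy toolchain supports extended permissions, pairing the rule with `allowxperm init {file_type -system_file -exec_type -app_data_file}:dir ioctl { <IOCTL-CMD-PLACEHOLDER> };` would confine it to that command; if it does not, the rule should at least carry a comment recording the reason, e.g. `# ioctl on dirs is needed for <REASON-PLACEHOLDER>; no xperm filtering available here`. Nothing else in this hunk narrows the grant, so a reader cannot tell from the policy alone why init needs it.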
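Review bot: Adding `ioctl` to the `~{ ... }` exemption of the first `neverallow { domain -keystore } keystore_data_file:dir` rule relaxes the constraint for every domain, not just init; what keeps other domains out is the unchanged third line, `neverallow { domain -keystore -init } keystore_data_file:dir *;`, so in effect only init gains ioctl on keystore data directories. That the relaxation is safe only because of the `-init` rule below is not visible on the changed line and deserves a comment there, e.g. `# ioctl exempted so init can issue <IOCTL-PLACEHOLDER> on these dirs; every other domain is still blocked by the -init rule below`. The vold.te hunk makes the identical change to the `vold_data_file:dir` neverallow and relies on its own `{ domain -vold -init } vold_data_file:dir *;` line in the same way, so the same comment belongs there. If a single ioctl command is intended, a matching `allowxperm` restriction on the init.te grant would keep this exemption from covering arbitrary ioctls should the `-init` rule ever be loosened.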
@@ -155,7 +155,7 @@ allow vold vold_data_file:file create_file_perms;
 allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;