9cc6d8d581
While clearing cache data with the Zipper application, I observed the following AVC denials: avc: denied { write } for pid=198 comm="installd" name="cache" dev="mmcblk0p29" ino=81680 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir avc: denied { remove_name } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir avc: denied { unlink } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file Steps to reproduce: 1. Install the Zipper application from Google Play (I used Zipper 1.9.9.2) 2. Open the options menu and tap the "removing cache" button 3. Select "yes" 4. The denials above appear Change-Id: I7993f1d20e3aa4c3e19c4aba9b4bef6760831a87
# installer daemon
|
|
type installd, domain;
|
|
type installd_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(installd)
|
|
relabelto_domain(installd)
|
|
typeattribute installd mlstrustedsubject;
|
|
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
|
|
allow installd system_data_file:file create_file_perms;
|
|
allow installd system_data_file:lnk_file create;
|
|
allow installd dalvikcache_data_file:file create_file_perms;
|
|
allow installd data_file_type:dir create_dir_perms;
|
|
allow installd data_file_type:dir { relabelfrom relabelto };
|
|
allow installd data_file_type:{ file_class_set } { getattr unlink };
|
|
allow installd apk_data_file:file r_file_perms;
|
|
allow installd apk_tmp_file:file r_file_perms;
|
|
allow installd system_file:file x_file_perms;
|
|
allow installd cgroup:dir create_dir_perms;
|
|
allow installd download_file:dir { r_dir_perms write remove_name };
|
|
allow installd download_file:file { r_file_perms unlink };
|
|
dontaudit installd self:capability sys_admin;
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(installd)
|
|
# Read /seapp_contexts and /data/security/seapp_contexts
|
|
security_access_policy(installd)
|
|
# ASEC
|
|
allow installd platform_app_data_file:lnk_file { create setattr };
|
|
allow installd app_data_file:lnk_file { create setattr };
|
|
allow installd asec_apk_file:file r_file_perms;
|
|
allow installd bluetooth_data_file:lnk_file { create setattr };
|
|
allow installd nfc_data_file:lnk_file { create setattr };
|
|
allow installd radio_data_file:lnk_file { create setattr };
|
|
allow installd shell_data_file:lnk_file { create setattr };
|
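Review bot: The two new rules, `allow installd download_file:dir { r_dir_perms write remove_name };` and `allow installd download_file:file { r_file_perms unlink };`, let installd delete any file anywhere carrying the download_file label, while the denials in the commit message only show it removing an APK from a directory named "cache" that happened to carry that label. Before widening installd this way (it runs with dac_override, chown and fowner and is declared mlstrustedsubject in this same file), it is worth confirming that the directory was meant to be download_file at all; if an app cache directory picked up that label, the correct fix is likely in labeling rather than an allow rule. If the grant is intended, omitting add_name so installd can remove but not create entries is a sensible minimal choice, but the rules should state why they exist since every other section of this file is commented — suggest `# Allow installd to remove downloaded files when an app's cache is cleared (see the denials in the commit message).` above the first new line. Also consider whether r_dir_perms and r_file_perms are needed, as the logged denials were only for write, remove_name and unlink.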