platform_system_sepolicy/fingerprintd.te
Nick Kralevich cf7ee8a8e5 Revert "fingerprintd.te: neverallow fingerprint data file access"
Both angler and bullhead violate these SELinux rules.

Bullhead: tee has access to these files
Angler: system_server has read/write access to these files.

Fixes the following compile time error:

  libsepol.report_failure: neverallow on line 32 of external/sepolicy/fingerprintd.te (or line 6704 of policy.conf) violated by allow tee fingerprintd_data_file:file { ioctl read write create setattr lock append rename open };
  libsepol.check_assertions: 1 neverallow failures occurred
  Error while expanding policy
  out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/bullhead/obj/ETC/sepolicy_intermediates/policy.conf

This reverts commit 604a8cae62.

Change-Id: Iabb8f2e9de96f9082cd6a790d1af80cbc6a569b1
2015-12-17 23:56:31 +00:00

23 lines
758 B
Text

type fingerprintd, domain, domain_deprecated;
type fingerprintd_exec, exec_type, file_type;
# fingerprintd
init_daemon_domain(fingerprintd)
binder_use(fingerprintd)
# need to find KeyStore and add self
allow fingerprintd fingerprintd_service:service_manager { add find };
# allow HAL module to read dir contents
allow fingerprintd fingerprintd_data_file:file { create_file_perms };
# allow HAL module to read/write/unlink contents of this dir
allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);
allow fingerprintd permission_service:service_manager find;