author | Nick Kralevich <nnk@google.com> | 2016-01-07 15:59:28 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2016-01-07 15:59:28 -0800 |
commit | 0af2aa0be30f8ab32229d966d012ecfce56f1c91 (patch) | |
tree | df180d4cd49bfc53f0ad013a933bdfdf8155076d | |
parent | 1911c27ff002880962fb04429fac950381a795de (diff) | |
su.te: drop domain_deprecated and app auditallow rules.
The su domain is always permissive, so we don't want SELinux log
spam from this domain.
Addresses the following logspam:
avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0
-rw-r--r-- | app.te | 4 | ||||
-rw-r--r-- | su.te | 2 |
2 files changed, 3 insertions, 3 deletions
@@ -219,8 +219,8 @@ selinux_check_access(appdomain)
 selinux_check_context(appdomain)
 
 # appdomain should not be accessing information on /sys
-auditallow appdomain sysfs:dir { open getattr read ioctl };
-auditallow appdomain sysfs:file r_file_perms;
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 
 ###
 ### Neverallow rules
@@ -5,7 +5,7 @@ userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command. The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, domain_deprecated, mlstrustedsubject;
+  type su, domain, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect |
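Review bot: The comment `# appdomain should not be accessing information on /sys` above the changed auditallow rules does not explain the new `-su` carve-out, and a reader of app.te alone cannot tell that su belongs to appdomain or why it is exempt. Suggest appending a line such as `# su is excluded: it is permissive (per the commit description) and would only produce 'granted' audit noise; the userdebug_or_eng wrapper is needed because the su type does not exist on user builds.` Note that auditallow only governs logging, so this changes nothing about what su may do; it does mean sysfs access from an adb-root shell no longer shows up in these records, which matters if the auditallow output is being used to decide whether appdomain's sysfs access can be tightened further.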
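Review bot: Dropping domain_deprecated from the su type line removes whatever legacy allow rules that attribute presumably carries, and because a permissive domain still audits what the policy would have denied, accesses su previously got only via domain_deprecated may now appear as `avc: denied ... permissive=1` entries instead of the `granted` spam this commit targets. Whether that is a net reduction in noise depends on dontaudit coverage for su elsewhere in su.te, which is outside this hunk; worth confirming with an `adb root` shell session on a userdebug build after the change. The enclosing userdebug_or_eng block starts before this hunk, and the comment above the type line could record the rationale, e.g. `# su is permissive, so it needs no domain_deprecated grants; leaving them off avoids auditallow noise.`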