author | jaejyn.shin <jaejyn.shin@lge.com> | 2013-12-24 08:59:53 +0900 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-03-13 16:21:46 -0700 |
commit | 9702e49307aa738508bb0949bac3000fe9ec5a0d (patch) | |
tree | b859731644e3297bbe6873584f3b62b4f3483ffd | |
parent | 2a2a4936c2223e9b3a70b177a97c270aa1aa2740 (diff) | |
download | sepolicy-kitkat-cts-release.tar.gz |
DO NOT MERGE: Adding permissions needed to remove cache

android-cts-4.4_r4, android-4.4w_r1, android-4.4.4_r2.0.1, android-4.4.4_r2, android-4.4.4_r1.0.1, android-4.4.4_r1, android-4.4.3_r1.1.0.1, android-4.4.3_r1.1, android-4.4.3_r1.0.1, android-4.4.3_r1, kitkat-wear, kitkat-mr2.2-release, kitkat-mr2.1-release, kitkat-mr2-release, kitkat-dev, kitkat-cts-release, kitkat-cts-dev

While removing cache data using the Zipper application, I found violation logs.
avc: denied { write } for pid=198 comm="installd" name="cache" dev="mmcblk0p29" ino=81680 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
avc: denied { remove_name } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
avc: denied { unlink } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file
The reproduction path is as follows:
1. Downloading Zipper application from Google Play (I used Zipper 1.9.9.2)
2. Clicking option and clicking "removing cache" button
3. Select "yes"
4. Violations show up
(cherry picked from commit 9cc6d8d581b6094b36c59a0e95d674cb193916e8)
Bug: 13450421
Change-Id: I487ccd1d8d58bf2c590af39a7b1eb448c113670e
-rw-r--r-- | installd.te | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/installd.te b/installd.te index 85ba69f..7c72158 100644 --- a/installd.te +++ b/installd.te @@ -16,8 +16,8 @@ allow installd apk_data_file:file r_file_perms; allow installd apk_tmp_file:file r_file_perms; allow installd system_file:file x_file_perms; allow installd cgroup:dir create_dir_perms; -allow installd download_file:dir { r_dir_perms }; -allow installd download_file:file { r_file_perms }; +allow installd download_file:dir { r_dir_perms write remove_name }; +allow installd download_file:file { r_file_perms unlink }; dontaudit installd self:capability sys_admin; # Check validity of SELinux context before use. selinux_check_context(installd) |
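Review bot: the two changed download_file rules give installd delete access with no comment saying why; add one above them, for example `# Allow installd to delete cached downloads when clearing an app's cache.`, so the grant is not later mistaken for an oversight or widened without context. The added permissions (write and remove_name on download_file:dir, unlink on download_file:file) match the three avc denials in the commit message one for one, and add_name is left out, so installd can remove entries but not create them. Note that rmdir on download_file:dir is not granted by the new rule; the quoted logs only cover deleting a file directly under the cache directory, so a cache containing subdirectories is worth testing before this is picked into more branches.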