allow run-as to access /data/local/tmp

Otherwise denials like the following occur: avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Steps to reproduce: $ run-as com.google.android.talk id > /data/local/tmp/id.out $ run-as com.google.android.talk cat < /data/local/tmp/id.out (cherry picked from commit dd8571aa24b40add3ae78063228e61c3d1682020) Change-Id: I80bb26e06d932229c286f0389f28ad6868d79100
author: Nick Kralevich <nnk@google.com> 2014-11-07 16:21:42 -0800
committer: Nick Kralevich <nnk@google.com> 2014-11-10 11:33:45 -0800
commit: b793492288b8272aeda12e1b139c060397e7cd7e (patch)
tree: f582d73a99d67e263d08e13aa1bae98b691cbdfc
parent: 7cd346a70eecf45363e3368ba99b728832b9a902 (diff)
download: sepolicy-b793492288b8272aeda12e1b139c060397e7cd7e.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/runas.te b/runas.te
index 1ce8e64..97f31f7 100644
--- a/runas.te
+++ b/runas.te
@@ -7,6 +7,7 @@ allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
 
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
author	Nick Kralevich <nnk@google.com>	2014-11-07 16:21:42 -0800
committer	Nick Kralevich <nnk@google.com>	2014-11-10 11:33:45 -0800
commit	b793492288b8272aeda12e1b139c060397e7cd7e (patch)
tree	f582d73a99d67e263d08e13aa1bae98b691cbdfc
parent	7cd346a70eecf45363e3368ba99b728832b9a902 (diff)
download	sepolicy-b793492288b8272aeda12e1b139c060397e7cd7e.tar.gz