On Thu, 2012-09-27 at 16:06 -0400, Stephen Smalley wrote:
> On Thu, Sep 27, 2012 at 3:24 PM, Stephen Smalley
> <stephen.smal...@gmail.com> wrote:
> > On Thu, Sep 27, 2012 at 3:18 PM, Stephen Smalley
> > <stephen.smal...@gmail.com> wrote:
> >> On Thu, Sep 27, 2012 at 3:11 PM, Cesar Maiorino
> >> <cesar.maior...@gmail.com> wrote:
> >>> I've attached the log. Below is the audit2allow output (minus the shell 
> >>> stuff):
> >>>
> >>> #============= release_app ==============
> >>> allow release_app device:chr_file { read write ioctl open };
> >>>
> >>> #============= untrusted_app ==============
> >>> allow untrusted_app device:chr_file { read write ioctl open };
> >>> allow untrusted_app device:sock_file write;
> >>> allow untrusted_app init:unix_stream_socket connectto;
> >>> allow untrusted_app ion_device:chr_file { read open };
> >>
> >> The "device" denials indicate that you have a device node that isn't
> >> properly labeled.  We need to see the actual avc message to know which
> >> device node it is.
> >
> > Looks like two devices are mislabeled, /dev/kgsl-3d0 and /dev/genlock.
> > Need to identify what kind of devices they are and define
> > file_contexts entries for them.
> 
> Looks like /dev/kgsl.* is Qualcomm gpu driver and /dev/genlock is a
> lock API for graphics buffers.  Are these world-readable and -writable
> on the device?  Define corresponding types in device.te (with
> mlstrustedobject attribute to allow writing from any level/category),
> assign in file_contexts, and add an allow appdomain rule to app.te or
> an allow domain rule to domain.te.

BTW, some of these changes (e.g. /dev/kgsl) likely belong in the
device-specific policy files under the device/<vendor>/<device> or
vendor/<vendor>/<device> directories.  Presently you would create a
sepolicy.te file for device-specific allow rules and a sepolicy.fc file
for device-specific file_contexts entries.  There is a patch under
discussion on the list that will replace that with a complete sepolicy
subdirectory under the per-device directory and the use of variable
definitions in the makefiles to select files for replacement or union
with the base sepolicy.  

-- 
Stephen Smalley
National Security Agency
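As an added illustration of the fix described in this thread (not policy from the thread or from any vendor tree), the two device-specific files Stephen describes for the current layout would look roughly like this. The type names gpu_device and genlock_device and the dev_type attribute are assumptions for the example; mlstrustedobject, appdomain, the permission set, and the two device paths come from the thread above.

```text
# device/<vendor>/<device>/sepolicy.te  (device-specific types and allow rules)
# gpu_device / genlock_device are example type names; dev_type is assumed to be
# the attribute that groups device-node types. mlstrustedobject lets a process
# at any MLS level/category write to the node.
type gpu_device, dev_type, mlstrustedobject;
type genlock_device, dev_type, mlstrustedobject;

# Grant app domains exactly the chr_file permissions the audit2allow output
# asked for, but on the specific types rather than on the generic "device" type.
allow appdomain gpu_device:chr_file { read write ioctl open };
allow appdomain genlock_device:chr_file { read write ioctl open };

# device/<vendor>/<device>/sepolicy.fc  (device-specific file_contexts entries)
/dev/kgsl.*      u:object_r:gpu_device:s0
/dev/genlock     u:object_r:genlock_device:s0
```

Before adding the allow rules, confirm (as asked above) that the nodes really are world-readable and world-writable in the device's ueventd configuration; if they are not, an allow appdomain rule would widen access beyond what DAC already permits, and a narrower rule for the specific domains that need the GPU is the safer choice. After relabeling, the denials should name gpu_device or genlock_device rather than device, which is how you verify the file_contexts entries took effect.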

