I can't resolve the denials. Is there any guide with the explanation of all the sepolicy files? I read the seandroid webpage and tried to find some explanation in the mailing list but without success.
Thanks for your help,
Alexandra

On Fri, Oct 5, 2012 at 5:08 PM, Stephen Smalley <[email protected]> wrote:
> On Fri, 2012-10-05 at 10:56 -0400, Stephen Smalley wrote:
> > On Fri, 2012-10-05 at 14:38 +0000, Radzykewycz, T (Radzy) wrote:
> > > BTW: The media_app denial surprises me for two reasons:
> > >
> > > 1) What is the media_app doing in /cache and what is it trying to do with lost+found ?
> >
> > I assume it is just stat'ing all entries of /cache.
> >
> > > 2) Why is /cache/lost+found not labelled ?
> >
> > We aren't explicitly applying restorecon to it in the init.rc, and there
> > isn't a cache image that is built or flashed as part of the build
> > process. So it just never gets labeled. Which is ok with us, because
> > it shouldn't be accessible to anything except init, and init is
> > unconfined.
>
> Also, unlabeled fits logically for lost+found, as it will only contain
> files that were recovered from a crash or power failure and they may not
> be properly labeled (and thus shouldn't be accessible to anything except
> highly trusted processes).
>
> --
> Stephen Smalley
> National Security Agency
