On 07/30/2013 09:45 AM, Janosch Maier wrote:
> I have the following rules set:
> 
> allow untrusted_app mali_device:chr_file { open read write getattr ioctl };
> allow untrusted_app ump_device:chr_file { open read write getattr ioctl };
> 
> Nevertheless I get the following error in the audit logs:
> 
> type=1400 msg=audit(1375190659.875:41): avc:  denied  { write } for
> pid=3478 comm="atik.exynosroot" name="ump" dev=tmpfs ino=582
> scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0
> tclass=chr_file
> type=1400 msg=audit(1375190659.875:42): avc:  denied  { write } for
> pid=3478 comm="atik.exynosroot" name="mali" dev=tmpfs ino=748
> scontext=u:r:untrusted_app:s0:c50,c256
> tcontext=u:object_r:mali_device:s0 tclass=chr_file
> type=1400 msg=audit(1375190682.065:44): avc:  denied  { write } for
> pid=3478 comm="atik.exynosroot" path="/dev/ump" dev=tmpfs ino=582
> scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0
> tclass=chr_file
> type=1400 msg=audit(1375190685.980:45): avc:  denied  { write } for
> pid=3517 comm="atik.exynosroot" name="ump" dev=tmpfs ino=582
> scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0
> tclass=chr_file
> 
> 
> Is there some additional restriction for the untrusted_app domain, that
> the policies do not work?

These denials are due to the MLS policy rather than the TE policy.
audit2why would tell you that, although it doesn't help much with fixing
the problem.

To resolve, you need to add the mlstrustedobject attribute to the device
types for ump_device and mali_device, either by adding ",
mlstrustedobject" to the type declaration or by adding a separate
"typeattribute <type> mlstrustedobject;" statement to the policy.  Our
manta policy already does this for the mali_device, so not sure why you
are getting that denial.
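Added example (my own, not code from the thread or from the seandroid project): a small triage script that parses AVC denial records like the ones quoted above, checks them against the poster's two TE allow rules, and flags denials the TE policy already permits but where the app's categories (c50,c256) do not match the uncategorized object, which is the MLS case the reply describes. The "equal levels unless one side is MLS-trusted" rule is a simplification of the Android mls constraints, assumed here for illustration.

```python
import re

# Constructed from the thread: the two TE allow rules in the poster's policy
# and one denial record, wrapped across lines exactly as it appears in the mail.
TE_RULES = {
    ("untrusted_app", "mali_device", "chr_file"): {"open", "read", "write", "getattr", "ioctl"},
    ("untrusted_app", "ump_device", "chr_file"): {"open", "read", "write", "getattr", "ioctl"},
}
SAMPLE_DENIAL = (
    'type=1400 msg=audit(1375190659.875:41): avc:  denied  { write } for\n'
    'pid=3478 comm="atik.exynosroot" name="ump" dev=tmpfs ino=582\n'
    'scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0\n'
    'tclass=chr_file'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)", re.S)

def parse_context(ctx):
    """Split u:r:untrusted_app:s0:c50,c256 into (type, {categories})."""
    _user, _role, typ, level = ctx.split(":", 3)
    cats = set(level.split(":", 1)[1].split(",")) if ":" in level else set()
    return typ, cats

def classify_denial(line, te_rules=TE_RULES):
    """Heuristic triage (an assumption of this example, not audit2why):
    is the denial explained by a missing TE allow rule, or by the MLS
    constraint that blocks a categorized app from an uncategorized object?"""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms = set(m["perms"].split())
    styp, scats = parse_context(m["scon"])
    ttyp, tcats = parse_context(m["tcon"])
    allowed = te_rules.get((styp, ttyp, m["tclass"]), set())
    missing = perms - allowed
    if missing:  # TE policy never granted it: an allow rule is what is missing
        return {"reason": "te", "fix": "allow %s %s:%s { %s };"
                % (styp, ttyp, m["tclass"], " ".join(sorted(missing)))}
    if scats != tcats:  # TE allows it, levels differ: MLS constraint (simplified)
        return {"reason": "mls", "fix": "typeattribute %s mlstrustedobject;" % ttyp}
    return {"reason": "unknown", "fix": None}
```

Run it over a full audit log and the denials it labels "mls" are the ones audit2why would attribute to a constraint rather than to TE.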
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.