Thanks a lot. Works like a charm.

I do not use the manta policies, but am writing some for the n8000.
Therefore the mali was not defined here.

Am 30.07.2013 15:52, schrieb Stephen Smalley:
> On 07/30/2013 09:45 AM, Janosch Maier wrote:
>> I have the following rules set:
>>
>> allow untrusted_app mali_device:chr_file { open read write getattr ioctl };
>> allow untrusted_app ump_device:chr_file { open read write getattr ioctl };
>>
>> Nevertheless I get the following error in the audit logs:
>>
>> type=1400 msg=audit(1375190659.875:41): avc:  denied  { write } for
>> pid=3478 comm="atik.exynosroot" name="ump" dev=tmpfs ino=582
>> scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0
>> tclass=chr_file
>> type=1400 msg=audit(1375190659.875:42): avc:  denied  { write } for
>> pid=3478 comm="atik.exynosroot" name="mali" dev=tmpfs ino=748
>> scontext=u:r:untrusted_app:s0:c50,c256
>> tcontext=u:object_r:mali_device:s0 tclass=chr_file
>> type=1400 msg=audit(1375190682.065:44): avc:  denied  { write } for
>> pid=3478 comm="atik.exynosroot" path="/dev/ump" dev=tmpfs ino=582
>> scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0
>> tclass=chr_file
>> type=1400 msg=audit(1375190685.980:45): avc:  denied  { write } for
>> pid=3517 comm="atik.exynosroot" name="ump" dev=tmpfs ino=582
>> scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0
>> tclass=chr_file
>>
>>
>> Is there some additional restriction for the untrusted_app domain, that
>> the policies do not work?
> 
> These denials are due to the MLS policy rather than the TE policy.
> audit2why would tell you that, although it doesn't help much with fixing
> the problem.
> 
> To resolve, you need to add the mlstrustedobject attribute to the device
> types for ump_device and mali_device, either by adding ",
> mlstrustedobject" to the type declaration or by adding a separate
> "typeattribute <type> mlstrustedobject;" statement to the policy.  Our
> manta policy already does this for the mali_device, so I'm not sure why
> you are getting that denial.
> 
> 


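As an added illustration, not code from this thread or from the SEAndroid project: a small Python triage script that does for a handful of avc lines what Stephen's reply does by hand, telling a TE denial (no matching allow rule) apart from an MLS denial (allow rule present, but the subject's level s0:c50,c256 does not match the device's level s0 and the target type lacks mlstrustedobject). It assumes a simplified model of Android's MLS constraints, in which write-like permissions require equal levels and the remaining permissions require the subject's level to dominate the object's, with the mlstrustedsubject and mlstrustedobject attributes as the escape hatch; the sample denials are the ones quoted above re-joined onto single lines, plus one constructed line for a type with no allow rule at all. The `graphics_device` type and the helper names are the example's own choices.

```python
import re

# Constructed sample policy: the two TE rules posted in the thread, keyed as
# (source type, target type, object class) -> granted permissions.
ALLOW_RULES = {
    ("untrusted_app", "mali_device", "chr_file"): {"open", "read", "write", "getattr", "ioctl"},
    ("untrusted_app", "ump_device", "chr_file"): {"open", "read", "write", "getattr", "ioctl"},
}

# Sample denials: the first two are the thread's lines re-joined onto single
# lines (the mail client wrapped them); the third is constructed to show a
# plain TE denial for a type that has no allow rule at all.
SAMPLE_DENIALS = [
    'type=1400 msg=audit(1375190659.875:41): avc:  denied  { write } for pid=3478 '
    'comm="atik.exynosroot" name="ump" dev=tmpfs ino=582 '
    'scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:ump_device:s0 tclass=chr_file',
    'type=1400 msg=audit(1375190659.875:42): avc:  denied  { write } for pid=3478 '
    'comm="atik.exynosroot" name="mali" dev=tmpfs ino=748 '
    'scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:mali_device:s0 tclass=chr_file',
    'type=1400 msg=audit(1375190700.000:46): avc:  denied  { read } for pid=3478 '
    'comm="atik.exynosroot" name="fb0" dev=tmpfs ino=99 '
    'scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:graphics_device:s0 tclass=chr_file',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Simplified model (assumption): these permissions need equal levels ("l1 eq l2"),
# everything else only needs the subject to dominate the object ("l1 dom l2").
WRITE_LIKE = {"write", "append", "create", "setattr", "unlink", "link", "rename", "relabelfrom"}


def parse_level(level):
    """'s0:c50,c256' -> (0, {50, 256}); ranges like c0.c255 are expanded.
    For a low-high range only the low level is used (an assumption)."""
    low = level.split("-")[0]
    sens, _, cats = low.partition(":")
    out = set()
    for cat in filter(None, cats.split(",")):
        if "." in cat:
            lo, hi = (int(x[1:]) for x in cat.split("."))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(cat[1:]))
    return int(sens[1:]), frozenset(out)


def parse_context(ctx):
    """'u:r:untrusted_app:s0:c50,c256' -> ('untrusted_app', (0, {50, 256}))."""
    _user, _role, typ, level = ctx.split(":", 3)
    return typ, parse_level(level)


def mls_permits(perm, s_level, t_level):
    (s_sens, s_cats), (t_sens, t_cats) = s_level, t_level
    if perm in WRITE_LIKE:
        return s_sens == t_sens and s_cats == t_cats
    return s_sens >= t_sens and s_cats >= t_cats


def explain_denial(line, allow_rules, mls_trusted_objects=frozenset(), mls_trusted_subjects=frozenset()):
    """Classify one avc line as 'te', 'mls' or 'unexplained' and suggest the policy fix."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    s_type, s_level = parse_context(m.group("sctx"))
    t_type, t_level = parse_context(m.group("tctx"))
    tclass = m.group("tclass")
    # Step 1: does the TE policy grant every denied permission?
    te_missing = perms - allow_rules.get((s_type, t_type, tclass), set())
    if te_missing:
        fix = f"allow {s_type} {t_type}:{tclass} {{ {' '.join(sorted(te_missing))} }};"
        return {"reason": "te", "fix": fix}
    # Step 2: TE is fine, so check the MLS constraint and its attribute exemptions.
    exempt = s_type in mls_trusted_subjects or t_type in mls_trusted_objects
    mls_failed = {p for p in perms if not mls_permits(p, s_level, t_level)}
    if mls_failed and not exempt:
        return {"reason": "mls", "fix": f"typeattribute {t_type} mlstrustedobject;"}
    return {"reason": "unexplained", "fix": None}


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        print(explain_denial(line, ALLOW_RULES))
    # With the attribute Stephen suggests, the two device denials are no longer explained by MLS.
    trusted = {"ump_device", "mali_device"}
    print(explain_denial(SAMPLE_DENIALS[0], ALLOW_RULES, mls_trusted_objects=trusted))
```

Run as-is, the script reports the two device denials as MLS denials with `typeattribute ... mlstrustedobject;` as the fix and the constructed graphics_device line as a TE denial; adding the device types to `mls_trusted_objects` makes the first two come back as "unexplained", which is the model's way of saying the policy would now allow them.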
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
