But why does shell need DAC_override if shell has all permissions on dir and files?
Thanks,
Tai

From: William Roberts <[email protected]>
Date: Wednesday, October 2, 2013 2:10 PM
To: Tai Nguyen <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: Question on shell policy DAC permissions....

You would need MAC permission DAC_override. You should invoke the command as su... So you transition to the su domain.

Bill

On Oct 2, 2013 2:08 PM, "Tai Nguyen (tainguye)" <[email protected]> wrote:

All,

We have the following rules

allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;

But we still got permission denied

root@android:/data/local # ls -Z
drwxrwx--x shell    shell             u:object_r:shell_data_file:s0 tmp
drwxr-xr-x root     net_admin         u:object_r:system_data_file:s0 udev
root@android:/data/local # id
uid=0(root) gid=0(root) context=u:r:shell:s0
root@android:/data/local # ls -Z tmp
opendir failed, Permission denied

The audit.log file shows

audit(1380736858.382:29): avc: denied { dac_override } for pid=11062 comm="ls" capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
audit(1380736858.390:30): avc: denied { dac_read_search } for pid=11062 comm="ls" capability=2 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
root@android:/data/misc/audit #

What are we missing?

Thanks
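Added example, not part of the thread above. It models the two checks that produce the denials in the post. The first helper reproduces the Linux 3.x-era generic_permission() ordering: uid 0 in the shell domain is neither the owner (shell) nor in the group (shell) of a 0770 directory, and the "other" bits give only x, so a read of the directory falls through the plain rwx check and the kernel asks for CAP_DAC_OVERRIDE and then CAP_DAC_READ_SEARCH, which is exactly the pair of avc denials (capability=1, then capability=2) in the audit log. The second helper turns those avc lines into the allow rule audit2allow would print. Assumptions: AID_SHELL is uid/gid 2000 on Android, and the sample log text is the two lines quoted from the thread.

```python
"""Model the DAC-vs-capability check and convert avc denials to allow rules."""
import re
import stat
from collections import defaultdict

# Same encoding as the kernel's MAY_* flags and the rwx permission bits.
MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4

AID_ROOT, AID_SHELL = 0, 2000  # assumption: Android's fixed ids


def _mode_bits_for(uid, gids, owner, group, mode):
    """Pick the owner/group/other triplet that applies to this caller."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def dac_capabilities_needed(uid, gids, owner, group, mode, mask):
    """Return [] if rwx bits alone satisfy `mask`; otherwise the capabilities
    the kernel would try, in the order it tries them (each one is a separate
    SELinux capability check and a separate avc denial if not allowed).
    Return None if no capability can override the check (plain EACCES)."""
    bits = _mode_bits_for(uid, gids, owner, group, mode)
    if (bits & mask) == mask:
        return []
    caps = []
    if stat.S_ISDIR(mode):
        # DACs on directories are always overridable.
        caps.append("dac_override")
        if not (mask & MAY_WRITE):
            caps.append("dac_read_search")
    else:
        # Read/write are overridable; exec only if some exec bit is set.
        if not (mask & MAY_EXEC) or (mode & 0o111):
            caps.append("dac_override")
        if mask == MAY_READ:
            caps.append("dac_read_search")
    return caps or None


# The two audit lines quoted from the thread, used as sample input.
AUDIT_LOG = """\
audit(1380736858.382:29): avc: denied { dac_override } for pid=11062 comm="ls" capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
audit(1380736858.390:30): avc: denied { dac_read_search } for pid=11062 comm="ls" capability=2 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def _type_of(context):
    """u:r:shell:s0 -> shell (the type field of an Android context)."""
    return context.split(":")[2]


def avc_to_allow_rules(log_text):
    """Aggregate avc denials into audit2allow-style rules, one per
    (source, target, class), using `self` when source and target types match."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = _type_of(m["s"]), _type_of(m["t"])
        key = (src, "self" if src == tgt else tgt, m["cls"])
        wanted[key].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]


if __name__ == "__main__":
    # The post's case: root (in the shell domain) reading a 0770 dir owned by shell:shell.
    print(dac_capabilities_needed(AID_ROOT, {AID_ROOT}, AID_SHELL, AID_SHELL, 0o40770, MAY_READ))
    # The same dir read as the shell user needs no capability at all.
    print(dac_capabilities_needed(AID_SHELL, {AID_SHELL}, AID_SHELL, AID_SHELL, 0o40770, MAY_READ | MAY_EXEC))
    for rule in avc_to_allow_rules(AUDIT_LOG):
        print(rule)
```

Running it prints the capability list for the root-in-shell-domain case, an empty list for the shell user, and the single rule `allow shell self:capability { dac_override dac_read_search };`. Whether to grant that rule to the shell domain or to run the command from a domain that already holds it (as the reply suggests) is a policy decision; the script only shows what the denials are asking for.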
