On 11/19/2015 04:39 AM, Inamdar Sharif wrote:
Hi Stephen/William,

I am getting the below avc denied:

type=1400 audit(0.0:7): avc: denied { search } for
name="com.android.providers.downloads" dev="mmcblk0p23" ino=81932
scontext=u:r:system_app:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

System.err: java.io.FileNotFoundException:
/data/user/0/com.android.providers.downloads/cache/xxxxxxxx: open failed: EACCES (Permission denied)

I saw that the permission to allow this is already present

allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;

I am still confused why this is happening even when the allow rule is
present.

That allows it for the domain and type, but you still have to satisfy the MLS constraint on the levels as well, and in this case, they have different levels (s0 vs s0:c512,c768).


Also I have not changed the user.

Various solutions I can think are:

1) Remove the search permission from the mlsconstrain.

2) Make app_data_file mlstrusted.

3) Make the change Stephen made in
https://android.googlesource.com/platform/external/sepolicy/+/27042f6da110b8bef9ff291f724351464958da86


Can you guys help me solve such issues?

You didn't provide any information about the app in question, or why it is directly opening such files (versus receiving them over Binder).

The options are to either run the app with the same level as the files it wants to access (i.e. enable levelFrom=user for the app) or make the app a mlstrustedsubject so that it can access files for any user.

You don't necessarily have to do this for all system apps; you could split this particular app out into its own domain via seapp_contexts and then only alter how it is handled, while leaving other system apps unchanged.
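A small checker for this class of denial, added here as an illustration and not code from the thread or from the Android sepolicy project. It parses the avc line quoted above, looks the (source type, target type, class) triple up in a constructed stand-in for the expanded allow rules, and only then applies the MLS dominance test, so the verdict says whether the block came from a missing TE rule or from the level mismatch (s0 versus s0:c512,c768) described in the reply. The set of dir permissions it treats as MLS-constrained with "l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject" is an assumption about the mls file, and the subject_level / trusted_subjects parameters are hypothetical knobs that stand in for the two fixes discussed: running the app with levelFrom=user, or making its domain mlstrustedsubject.

```python
"""Explain an Android SELinux AVC denial that persists despite an allow rule.

Added example, not from the thread or the sepolicy project.  Type enforcement
and MLS are checked as two separate stages so the reader can see which one
produced the denial.
"""
import re
from dataclasses import dataclass

# The denial quoted in the thread, embedded here as constructed sample input.
SAMPLE_AVC = (
    'type=1400 audit(0.0:7): avc: denied { search } for '
    'name="com.android.providers.downloads" dev="mmcblk0p23" ino=81932 '
    'scontext=u:r:system_app:s0 '
    'tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0'
)

# Constructed stand-in for the expanded policy: system_app is in appdomain and
# create_dir_perms includes search, so the TE rule from the thread matches.
ALLOW_TABLE = {
    ("system_app", "app_data_file", "dir"):
        {"search", "read", "getattr", "open", "write", "add_name",
         "remove_name", "create"},
}

# Assumption: dir permissions the mls file constrains with
# "l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject".
MLS_DOM_PERMS = {"dir": {"search", "read", "getattr", "open"}}


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # MLS "dom": sensitivity at least as high and a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)

    def __str__(self):
        cats = ",".join("c%d" % c for c in sorted(self.categories))
        return "s%d" % self.sensitivity + (":" + cats if cats else "")


def parse_level(text):
    """Parse 's0', 's0:c512,c768' or 's0:c0.c1023' (a category range)."""
    sens, _, cats = text.partition(":")
    out = set()
    for item in cats.split(",") if cats else []:
        lo, dot, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if dot else lo_n
        out.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(out))


def parse_context(ctx):
    """Split u:r:type:level[-level]; the low level is what l1/l2 refer to."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"user": user, "role": role, "type": typ,
            "low": parse_level(low), "high": parse_level(high or low)}


AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an avc denial: " + line)
    return {"perms": set(m.group("perms").split()),
            "scontext": parse_context(m.group("scontext")),
            "tcontext": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass")}


def diagnose(line, allow=ALLOW_TABLE, trusted_subjects=(), trusted_objects=(),
             subject_level=None):
    """Return {perm: verdict} for every permission in the denial.

    subject_level (hypothetical) simulates giving the app a per-user level as
    levelFrom=user would; trusted_subjects / trusted_objects simulate adding
    mlstrustedsubject / mlstrustedobject to the type.
    """
    d = parse_avc(line)
    s, t = d["scontext"], d["tcontext"]
    l1 = parse_level(subject_level) if subject_level else s["low"]
    granted = allow.get((s["type"], t["type"], d["tclass"]), set())
    verdicts = {}
    for perm in d["perms"]:
        if perm not in granted:
            verdicts[perm] = "denied: no allow rule"
        elif (perm in MLS_DOM_PERMS.get(d["tclass"], set())
              and not l1.dominates(t["low"])
              and s["type"] not in trusted_subjects
              and t["type"] not in trusted_objects):
            verdicts[perm] = ("denied: MLS constraint, %s does not dominate %s"
                              % (l1, t["low"]))
        else:
            verdicts[perm] = "allowed"
    return verdicts


if __name__ == "__main__":
    print("as logged:        ", diagnose(SAMPLE_AVC))
    print("levelFrom=user:   ", diagnose(SAMPLE_AVC, subject_level="s0:c512,c768"))
    print("mlstrustedsubject:", diagnose(SAMPLE_AVC, trusted_subjects={"system_app"}))
```

The point of splitting the two stages is that sesearch/grep on the TE rules will happily show a matching allow, which is exactly what confused the original question; only the second stage reveals that the subject's empty category set cannot dominate the per-user categories on the file.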




_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].