Thank you Jeffrey.

From: Jeffrey Vander Stoep [mailto:[email protected]]
Sent: Wednesday, April 26, 2017 11:57 PM
To: Mahaveer, Vishal; [email protected]
Subject: Re: /vendor getattr denials

Backport: https://android-review.googlesource.com/#/c/302277/

On Wed, Apr 26, 2017 at 7:46 PM Mahaveer, Vishal <[email protected]> wrote:

Hi,

When bringing up Nougat MR2 with Kernel 4.4, I see a bunch of getattr denials for many core services and new services that I define. /vendor is a symbolic link to /system/vendor on the file system.

[ 8.874966] type=1400 audit(8.849:11): avc: denied { getattr } for pid=195 comm="audioserver" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:audioserver:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 8.875310] type=1400 audit(8.849:10): avc: denied { getattr } for pid=196 comm="cameraserver" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:cameraserver:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 8.875614] type=1400 audit(8.849:12): avc: denied { getattr } for pid=200 comm="mediacodec" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 8.876029] type=1400 audit(8.849:13): avc: denied { getattr } for pid=201 comm="mediadrmserver" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:mediadrmserver:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 9.458085] type=1400 audit(9.439:17): avc: denied { getattr } for pid=219 comm="bootanimation" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:bootanim:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 20.093269] type=1400 audit(20.019:21): avc: denied { getattr } for pid=765 comm="bootstat" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:bootstat:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1

How do I resolve them without writing rules for each domain?

Regards,
Vishal
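
The denials quoted in the thread above all name the same target (type rootfs, class lnk_file, permission getattr) and differ only in the source domain. The following Python script is an added example, not part of the original thread: it groups AVC denial lines by target so that this pattern stands out during triage. The function names and the last sample line (example_domain, example_file) are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: three denial lines copied from the thread, plus one constructed
# line (example_domain / example_file are hypothetical) with a different target.
SAMPLE = """
[ 8.874966] type=1400 audit(8.849:11): avc: denied { getattr } for pid=195 comm="audioserver" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:audioserver:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 8.875310] type=1400 audit(8.849:10): avc: denied { getattr } for pid=196 comm="cameraserver" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:cameraserver:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 9.458085] type=1400 audit(9.439:17): avc: denied { getattr } for pid=219 comm="bootanimation" path="/vendor" dev="rootfs" ino=5881 scontext=u:r:bootanim:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
[ 30.000000] type=1400 audit(30.000:40): avc: denied { read open } for pid=300 comm="example" name="foo" dev="dm-0" ino=12 scontext=u:r:example_domain:s0 tcontext=u:object_r:example_file:s0 tclass=file permissive=0
"""

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def sel_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]


def group_denials(log_text):
    """Map (target_type, tclass, perm) -> sorted list of denied source domains."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key_base = (sel_type(m.group("tcon")), m.group("tclass"))
        for perm in m.group("perms").split():
            groups[key_base + (perm,)].add(sel_type(m.group("scon")))
    return {key: sorted(domains) for key, domains in groups.items()}


def shared_targets(groups, min_domains=2):
    """Keep only targets denied to at least min_domains distinct source domains."""
    return {k: v for k, v in groups.items() if len(v) >= min_domains}


if __name__ == "__main__":
    for (ttype, tclass, perm), domains in shared_targets(group_denials(SAMPLE)).items():
        print(f"{ttype}:{tclass} {{ {perm} }} denied to: {', '.join(domains)}")
```

Grouping uses the type from scontext rather than comm, since the two can differ, as with comm="bootanimation" running in the bootanim domain.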
