On Wed, Aug 2, 2017 at 11:43 AM, Stephen Smalley <[email protected]> wrote:
> On Wed, 2017-08-02 at 09:14 -0700, John Locke wrote:
>> My understanding was that since domain is an attribute, if I create a
>> new domain of type "domain" I should get the same permissions as
>> defined in domain.te. One of the allow rules in domain.te is to allow
>> writing to logd, but I find that unless I duplicate the same rule in my
>> own te file I get a violation reported about this. Am I missing
>> something here?
>
> If you mean that you defined a new type and assigned it the domain
> attribute, ala:
> type my_type, domain;
> then yes, it should inherit the allow rules defined on the domain
> attribute automatically.
>
> You'd need to provide more specifics to diagnose if you aren't seeing
> that behavior, e.g. your actual .te file or relevant snippets, and the
> rule you think ought to be inherited from domain.te.
>
> Are you using AOSP master or a particular release/branch?
I'm using the nougat-mr2.3-release branch. The rule I'm expecting to be inherited from domain.te is the one here, which I've also pasted below:
https://android.googlesource.com/platform/system/sepolicy/+/nougat-mr2.3-release/domain.te#96 :

# logd access
write_logd(domain)

Here's the snippet from my_domain.te:

type my_domain, domain;
type my_domain_exec, exec_type, file_type;
init_daemon_domain(my_domain)

I have an application started by init and it writes to logd, and I get a violation reported saying it doesn't have permission to write to logd. If I duplicate that line from domain.te in my_domain.te as below, then the violation goes away:

write_logd(my_domain)

I didn't expect to have to have this redundant rule. Thanks.
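The exchange above turns on one mechanism: an allow rule written against an attribute (here `domain`) applies to every type declared with that attribute, so `type my_domain, domain;` should already carry whatever `write_logd(domain)` grants. The script below is an added example, not code from this thread or from AOSP: it models attribute membership and allow rules, parses a constructed `avc: denied` line in Android's format, and reports whether the policy as written would grant the denied access or, if not, the allow rule that is missing (in the shape `audit2allow` prints). The `write_logd()` expansion in it is an assumption for illustration only (a simplified version of `unix_socket_send(src, logdw, logd)`); the real macro lives in `te_macros` of the branch in use and should be read from there. Everything else (the denial line, the daemon name, the type names beyond those in the thread) is constructed.

```python
"""Model of SELinux attribute inheritance for the logd case in the thread.

Added example, not code from the thread or from AOSP. The write_logd()
expansion below is an assumption kept deliberately small; check te_macros
of the branch in use for what the macro really grants.
"""
import re
from collections import defaultdict

# Constructed denial line in Android's avc format; not a log from the thread.
SAMPLE_DENIAL = (
    'avc: denied { write } for pid=1234 comm="my_daemon" name="logdw" '
    'dev="tmpfs" ino=5678 scontext=u:r:my_domain:s0 '
    'tcontext=u:object_r:logdw_socket:s0 tclass=sock_file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_denial(line):
    """Extract source type, target type, object class and denied permissions."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an avc denial: %r" % line)
    stype = m.group('scontext').split(':')[2]   # u:r:<type>:s0
    ttype = m.group('tcontext').split(':')[2]   # u:object_r:<type>:s0
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())


class Policy:
    """Tiny stand-in for checkpolicy: types, attributes and allow rules."""

    def __init__(self):
        self.members = defaultdict(set)   # attribute -> types declared with it
        self.rules = []                   # (source, target, tclass, perms)

    def type_decl(self, name, *attributes):
        """Models `type name, attr1, attr2;`."""
        self.members[name]                # register the name even with no attributes
        for attr in attributes:
            self.members[attr].add(name)

    def allow(self, source, target, tclass, perms):
        """Models `allow source target:tclass { perms };`."""
        self.rules.append((source, target, tclass, frozenset(perms.split())))

    def expand(self, name):
        """Types a rule written against `name` applies to: the name itself plus,
        when it is an attribute, every type declared with that attribute."""
        return {name} | self.members[name]

    def granted(self, stype, ttype, tclass):
        perms = set()
        for src, tgt, cls, p in self.rules:
            if cls == tclass and stype in self.expand(src) and ttype in self.expand(tgt):
                perms |= p
        return perms

    def missing_rule(self, denial_line):
        """None if the policy already grants the denied access; otherwise the
        allow rule that is missing, in the form audit2allow would print."""
        stype, ttype, tclass, perms = parse_denial(denial_line)
        lacking = perms - self.granted(stype, ttype, tclass)
        if not lacking:
            return None
        return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(lacking)))


def write_logd(policy, src):
    """Assumed, simplified expansion of write_logd(src): the unix_socket_send
    part, i.e. write on logd's socket file and sendto on logd's dgram socket."""
    policy.allow(src, 'logdw_socket', 'sock_file', 'write')
    policy.allow(src, 'logd', 'unix_dgram_socket', 'sendto')


def build_policy(with_domain_attribute=True):
    """Sketch of the relevant lines of domain.te / logd.te / my_domain.te."""
    p = Policy()
    p.type_decl('logd', 'domain')
    p.type_decl('logdw_socket', 'file_type')
    write_logd(p, 'domain')                    # the rule in domain.te, on the attribute
    if with_domain_attribute:
        p.type_decl('my_domain', 'domain')     # type my_domain, domain;
    else:
        p.type_decl('my_domain')               # same type, attribute left off
    return p


if __name__ == '__main__':
    print(build_policy(True).missing_rule(SAMPLE_DENIAL))
    print(build_policy(False).missing_rule(SAMPLE_DENIAL))
```

With the attribute present the first call returns `None`, i.e. the source policy already covers the denial, which is the situation the thread describes; only when the type is declared without `domain` does the model produce the `allow my_domain logdw_socket:sock_file { write };` rule. The practical checks this points at are the ones the reply asks for: the full `avc: denied` line (its `scontext` shows which type the process actually runs as, and `tcontext`/`tclass` show which expanded rule is being looked for), and a query of the compiled `sepolicy` on the device with `sesearch` from setools to confirm the rule is really absent there rather than only appearing to be.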
