On Sat, 2017-08-05 at 14:29 -0700, John Locke wrote:
> On Wed, Aug 2, 2017 at 11:43 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> > On Wed, 2017-08-02 at 09:14 -0700, John Locke wrote:
> > > My understanding was that since domain is an attribute, if I create a
> > > new domain of type "domain" I should get the same permissions as
> > > defined in domain.te. One of the allow rules in domain.te is to allow
> > > writing to logd, but I find that unless I duplicate the same rule in my
> > > own te file I get a violation reported about this. Am I missing
> > > something here?
> >
> > If you mean that you defined a new type and assigned it the domain
> > attribute, ala:
> > type my_type, domain;
> > then yes, it should inherit the allow rules defined on the domain
> > attribute automatically.
> >
> > You'd need to provide more specifics to diagnose if you aren't seeing
> > that behavior, e.g. your actual .te file or relevant snippets, and the
> > rule you think ought to be inherited from domain.te.
> >
> > Are you using AOSP master or a particular release/branch?
>
> I'm using the nougat-mr2.3-release branch. The rule I'm expecting to be
> inherited from domain.te is the one here that I've also pasted below:
> https://android.googlesource.com/platform/system/sepolicy/+/nougat-mr2.3-release/domain.te#96
>
> # logd access
> write_logd(domain)
>
> Here's the snippet from my_domain.te:
>
> type my_domain, domain;
> type my_domain_exec, exec_type, file_type;
>
> init_daemon_domain(my_domain)
>
> I have an application started by init and it writes to logd and I get a
> violation reported saying it doesn't have permission to write to logd.
> If I duplicate that line from domain.te in my_domain.te as below then
> the violation goes away:
>
> write_logd(my_domain)
>
> I didn't expect to have to have this redundant rule.
Your expectation is correct; the redundant rule should not be necessary,
so this either implies user error or a bug in the build process or policy
compiler toolchain. Can you provide more details, e.g.:

- The actual avc: denied message from logcat or dmesg output,

- If you run sesearch on the policy you built, does it show this
permission as missing, e.g.
sesearch -A -s my_domain -t logd

- Is the policy you built identical to the policy installed on the
device, e.g.
adb pull /sepolicy
cmp sepolicy out/target/product/<board>/root/sepolicy

- How are you adding your domain to the policy, e.g. are you dropping it
in a device/<vendor>/<board>/sepolicy subdirectory and defining a
BOARD_SEPOLICY_DIRS variable in your BoardConfig.mk or similar?
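To make the attribute-inheritance point from the exchange above concrete, here is an added example (written for this page, not code from AOSP or from either poster): a toy resolver for .te-style declarations that expands attributes to their member types the way the policy compiler does, answers the same question as the sesearch query suggested above, and flags a rule on a concrete type that an attribute rule already grants (the "redundant rule" in the thread). The sample policy inside it is constructed, and its `allow domain ...` lines are a simplified stand-in for what write_logd() expands to, not the real macro body from te_macros.

```python
"""Toy resolver for SELinux .te-style rules (added illustration, not AOSP code).

Shows why `type my_domain, domain;` inherits every allow rule written
against the `domain` attribute, and answers the same question that
`sesearch -A -s my_domain -t <target>` answers against a compiled policy.
"""
import re
from collections import defaultdict

# Constructed sample policy. The `allow domain ...` lines are a simplified
# stand-in for what the write_logd() m4 macro expands to; they are not the
# real expansion from te_macros.
SAMPLE_POLICY = """
attribute domain;
attribute exec_type;
attribute file_type;
type logd, domain;
type logdw_socket;
type pmsg_device;
type my_domain, domain;
type my_domain_exec, exec_type, file_type;
# logd access (stand-in for write_logd(domain))
allow domain logdw_socket:sock_file write;
allow domain logd:unix_dgram_socket sendto;
allow domain pmsg_device:chr_file { open append write lock };
"""

ATTR_RE = re.compile(r"^attribute\s+(\w+)\s*;$")
TYPE_RE = re.compile(r"^type\s+(\w+)((?:\s*,\s*\w+)*)\s*;$")
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


class Policy:
    def __init__(self):
        self.attributes = defaultdict(set)   # attribute name -> member types
        self.types = set()
        self.rules = []                      # (src, tgt, class, frozenset(perms))

    def load(self, text):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            if (m := ATTR_RE.match(line)):
                self.attributes[m.group(1)]        # declare, possibly empty
            elif (m := TYPE_RE.match(line)):
                name, attrs = m.group(1), re.findall(r"\w+", m.group(2))
                self.types.add(name)
                for attr in attrs:                 # `type t, a, b;` puts t in a and b
                    self.attributes[attr].add(name)
            elif (m := ALLOW_RE.match(line)):
                src, tgt, cls, perms = m.groups()
                self.rules.append((src, tgt, cls, frozenset(re.findall(r"\w+", perms))))
            else:
                raise ValueError(f"unsupported statement: {line}")
        return self

    def members(self, name):
        """An attribute stands for all its member types; a type stands for itself."""
        return set(self.attributes[name]) if name in self.attributes else {name}

    def search(self, source, target):
        """Rules that apply to (source, target), inherited ones included,
        the way `sesearch -A -s source -t target` reports them."""
        return [r for r in self.rules
                if source in self.members(r[0]) and target in self.members(r[1])]

    def allowed(self, source, target, cls, perm):
        return any(c == cls and perm in p for _, _, c, p in self.search(source, target))


def redundant_rules(pol):
    """Allow rules on a concrete type that an attribute-level rule already
    grants, e.g. write_logd(my_domain) duplicated from domain.te."""
    found = []
    for src, tgt, cls, perms in pol.rules:
        if src in pol.attributes:
            continue                       # attribute-level rule, never a duplicate
        for osrc, otgt, ocls, operms in pol.rules:
            if (osrc in pol.attributes and src in pol.members(osrc)
                    and tgt in pol.members(otgt) and ocls == cls and perms <= operms):
                found.append((src, tgt, cls, perms))
                break
    return found


def check_inheritance(policy_text=SAMPLE_POLICY):
    """my_domain never appears in an allow rule of its own, yet every rule on
    `domain` applies to it; my_domain_exec carries no `domain` attribute and
    gets nothing."""
    pol = Policy().load(policy_text)
    return {
        "my_domain_is_a_domain": "my_domain" in pol.attributes["domain"],
        "my_domain_writes_logd_socket": pol.allowed("my_domain", "logdw_socket", "sock_file", "write"),
        "my_domain_sends_to_logd": pol.allowed("my_domain", "logd", "unix_dgram_socket", "sendto"),
        "exec_type_writes_logd_socket": pol.allowed("my_domain_exec", "logdw_socket", "sock_file", "write"),
    }


if __name__ == "__main__":
    for name, value in check_inheritance().items():
        print(f"{name}: {value}")
```

Run it directly to print the four checks. It resolves the policy source text only; real diagnosis still uses sesearch against the compiled binary policy the device actually loads, which is why the adb pull / cmp step above matters: a stale /sepolicy on the device would pass this toy check and still produce the denial.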